Get ahead of risk – Governance & Decision support
The exposure most founders ignore until it bites: governance gaps, compliance obligations, privacy and accessibility risk. Left unmanaged, it can turn into regulatory inquiries, legal fees and avoidable fines. Alfred helps you see it coming.
Get ahead of the risk before it finds you
Most founders assume this is someone else's problem. In practice, the risks that bite — a regulator's inquiry, a data complaint, a contract you should never have signed — almost always announced themselves early. The cost is rarely the surprise; it is the lack of a warning.
And the direct cost is seldom the worst of it. There is the trust you lose with customers, the reputation that takes years to rebuild, and, where personal data is involved, the prospect of an authority asking questions you are not ready to answer.
The good news: with a little attention and a structured way of looking at exposure, most of this risk can be seen coming and quietly managed. That is precisely what I am here to do.
Where founders are most exposed today
Data & privacy exposure (GDPR)
GDPR has been in force since 2018, and enforcement has only sharpened since. Here is the exposure I flag first, in plain terms:
Your privacy policy
You need a complete, readable account of how you handle personal data — and a generic template will not hold up. It has to reflect what you actually do. Are you running Google Analytics, growth tooling, a Facebook pixel, or a newsletter tool like Mailchimp? Anything that collects or passes on data belongs in there. A gap here is one of the easiest things for a regulator to spot.
A lawful basis for processing
You cannot simply collect data because it is useful — there has to be a lawful basis behind it. In most cases that basis is the user's consent, and consent has to be informed, freely given, and withdrawable at any time. If you cannot say which basis applies to each thing you collect, that is a gap worth closing now.
Cookies & tracking
If you run tracking tools, you need the active consent of your visitors — and that goes well beyond a token cookie banner. What is actually required is a proper consent-management setup, one that makes declining as effortless as accepting. Anything less invites exactly the kind of complaint you do not want landing on your desk.
Access & deletion requests
If you process personal data, you have to be able to disclose it on request and delete it when asked. It sounds obvious — but in practice it depends on clear internal processes, and most founders only discover the gap when the first request actually arrives.
Accessibility exposure — the BFSG, in force since 2025
For many founders this is still unfamiliar territory: the European accessibility law (BFSG) has applied in full since June 2025. Websites and online shops are now expected to be usable by people with disabilities, and depending on your situation that is a legal obligation, not a nicety. It is the kind of risk that sits quietly until someone raises it.
Here is what it tends to mean in practice:
Visual accessibility
People with impaired vision rely on screen readers to make sense of a site. For that to work you need clean HTML with proper headings and lists, alt text on every image, sufficient contrast between text and background (at least 4.5:1), and information that is never conveyed by colour alone.
Motor accessibility
Every function of a site has to be operable by keyboard alone, without a mouse. That means visible focus states — so you can tell which element is currently active — and the ability to move out of any interactive element you have entered.
Hearing accessibility
Videos should carry subtitles, and podcasts are best accompanied by a transcript.
Cognitive accessibility
Clear, plain language, consistent navigation, and the absence of distracting animation all help people with learning or concentration difficulties take in your content fully.
Oversight and consequences: compliance with the BFSG is checked by the authorities, and breaches can carry significant fines. Beyond that, an inaccessible site can invite discrimination claims — a reputational risk that reaches well past the financial penalty. This is exactly the kind of exposure I would rather you saw coming than discovered the hard way.
How Alfred helps you stay ahead of risk
-
1. Phase
Map the exposure
I take a clear-eyed look at where you stand and ask the questions a board would:– Is there a privacy policy, and is it current?– Is there a legal notice, and is it complete?– Are you running tracking tools, and are they compatible with privacy law?– How is consent actually being managed?– Is the site accessible?– Where else might risk be hiding? -
2. Phase
Set the strategy
Working from your situation and your business, I help you shape a position on data and governance:– What data are you collecting?– Do you have a lawful basis for it?– Which tools are you using, and do they hold up under GDPR?– How does consent actually work in practice?– How will you handle access & deletion requests when they come? -
3. Phase
Decide and act
I help you weigh the calls and act on the ones that close exposure:– A privacy policy you can actually stand behind– A complete, correct legal notice– The right consent-management tool (e.g. Cookiebot, OneTrust)– Tracking tools configured the way they should be -
4. Phase
Keep watch
And I keep an eye on the accessibility exposure the BFSG creates, so it stays on your radar:– A sound HTML structure– Alt text on every image– Colour contrast checked & corrected– Keyboard navigation tested & fixed– Videos with subtitles– Accessible forms (labels, error messages, and the like)
