We end up doing more business transactions — and because of the ease of it, I’m quite open to moving more of our incoming and outgoing payments to Vivid.
Silvan Jongerius, Managing Partner
Tech GDPR switched to Vivid after growing frustrated with the rates, service quality, and response times of traditional banking. “Everything was slow and expensive,” Jongerius recalls. What started as a place to park savings quickly evolved into something more. “In the beginning, we mostly onboarded with Vivid to do our capital management. But now we end up doing more business transactions — and because of the ease of it, I’m quite open to moving more of our incoming and outgoing payments to Vivid. We’ve been slowly doing that, but that was not my first expectation.”
The compliance illusion: when policies don’t match reality
Data protection is widely discussed but rarely deeply understood. Many companies treat GDPR as a documentation exercise — something that can be resolved by quickly generating policies, sometimes even using AI.
In practice, this approach creates a false sense of security. Policies may exist, but they often don’t reflect how data actually flows through the organisation.
A really important step is to first build an understanding of what data is actually being processed within an organisation, before even thinking about writing policies.
Silvan Jongerius, Managing Partner
“Some companies start by creating their policies using AI — they use ChatGPT and the like to create privacy notices that are not actually reflecting the reality within the company,” Jongerius explains. “They didn’t do the due diligence. They didn’t do the exploration internally to really understand what processes are happening, and those processes are therefore not reflected in policies. That is a major shortcoming.”
Alex Carroll, the firm’s Consulting Manager, sees the gap from the client side every day. “You’d be surprised how many people within a company have a completely different understanding of what their own company does or how their own company uses data,” he says. The disconnect between how a company presents itself externally and how it actually operates internally is, in his experience, the norm rather than the exception.
Beyond the checklist: how Tech GDPR builds compliance that holds up
Tech GDPR takes a different approach. As a boutique consultancy, the company focuses on depth over scale, working closely with clients to map and analyse how data is actually processed in day-to-day operations.
“When we work with a client, we get a really deep look under the hood — we see a lot of their internal workings, we understand exactly how their processes are like,” Jongerius says. “Getting this insight into so many organisations that work with new kinds of technology and do very interesting things is extremely interesting.”
Carroll, who leads a team of privacy and tech consultants and manages key client accounts, frames the work in practical terms: “Compliance is not rocket science. You should never underestimate what could go wrong. You should never overestimate how ready a company is, or how good of an understanding they have of what they need to do. It’s about not taking things for granted, being organised, and not dropping things — that’s essentially what a consultant does.”
Rather than delivering generic frameworks, Tech GDPR translates regulatory requirements into concrete, actionable improvements — helping companies build systems that are both compliant and commercially viable. “Tech GDPR was founded around the concept of helping those companies for whom it was very difficult to comply with the GDPR, and to still find a way to do things in the right way — both while preserving privacy for individuals, but at the same time also creating a workable situation for companies,” says Jongerius.
From CTO to compliance founder: a career pivot driven by curiosity
Jongerius didn’t originally come from the world of data protection. With a background in technology and education management — including fourteen years as managing director of four creative arts and media college locations in the United Kingdom — his entry into privacy was driven by necessity.
While working as a CTO, he was tasked with ensuring GDPR compliance — a responsibility that most in the organisation wanted to avoid. “There was something that no one really wanted to deal with, but for some reason I found it very interesting,” he says. That curiosity led him to co-found Tech GDPR in Berlin in 2018.
My combined experience in entrepreneurship, company leadership, technology, as well as the legal framework of the GDPR — it’s what I believe gives me an edge in founding Tech GDPR.
Silvan Jongerius, Managing Partner
Carroll’s path was similarly unconventional. He came from the world of normative compliance — ISO norms, management systems — before joining Tech GDPR in 2018. “I was pretty new to data protection initially,” he admits. “By having to study it and then translate this into actionable recommendations for clients, I’ve definitely changed my own relationship with platforms and electronic devices.”
When data protection becomes a way of life
Working in data protection doesn’t just influence corporate processes — it changes how individuals interact with technology. Both Jongerius and Carroll describe a professional awareness that has reshaped their personal habits.
“If I don’t understand how a company uses my data, I’m the first one to request more information, to review their privacy notice, to contact the data protection officer,” Jongerius says. On a personal level, he thinks carefully about where he sits in a cafe (“I make sure that my back is against the wall”), who might overhear conversations, and what’s visible on his screen in public spaces.
Carroll has gone further. He has stopped using most social media — “LinkedIn I use because it has professional uses, but Facebook definitely not anymore” — and is actively moving his family away from Meta products. “I’m moving my family away from WhatsApp because now we know conversations and content shared on WhatsApp are used for advertising purposes,” he explains. “I don’t want my family pictures to be interpreted as lifestyle choices and be targeted with advertisement.”
Even something as routine as a cookie banner becomes a professional exercise. “When I visit a website and I get hit by a cookie banner, I do read it partially,” Carroll says. “I don’t read the details because I don’t trust the details — they’re meant to make you think privacy matters to the organisation. But actually, just your data matters.”
His advice for everyone: “Before you go and click and get onboarded on a service, have a look at the website, have a look at the company, have a look at how they communicate. Don’t trust when they say privacy is important to them. You don’t necessarily need to understand the privacy notice completely, but you get a quick sense for if they take it seriously or not.”
Jongerius adds a note on AI tools: “Be careful what you entrust ChatGPT with. It’s not only known for reusing your data to train their models — it may also remember things you talk about for future use. And OpenAI has just signed contracts with the US Department of Defense, so one can also question what may be happening to your data in the scope of that contract.”
Autonomy by design: building a remote-first consultancy
Tech GDPR operates as a remote-first company built around autonomy and trust. The team is structured to work independently, with the freedom to manage their responsibilities without constant oversight.
Jongerius’s leadership style is influenced by a collaborative, Dutch approach to decision-making — involving the team in key decisions and giving direction together. “I’m not the person that is looking over their shoulder every day. I like them to be independent and I’d like to enable them,” he says. “I hope my team would say the same. It’s more a hope than an expectation, I suppose.”
The company’s hiring strategy reflects a deliberate investment in development. “We’re a boutique consultancy, so our strategy is to take people with promising backgrounds who really understand technology, or at least have a very strong interest in it,” Carroll explains. “Consulting in law and cybersecurity is not as technical as most people think it is — it’s really about having a mindset to understand business processes and the risks that come with technology.”
Carroll takes on young professionals with one to three years of experience and brings them up to speed on how companies actually function — from boardroom dynamics to departmental misalignment. “What a consultant does, and what my team is learning to do, is see the connections between the silos,” he says. After a period of earlier turnover, the team has stabilised. “We’ve now had a fairly stable team for a couple of years, and that is a real pleasure,” Jongerius adds.
How Tech GDPR manages finance operations
Operating across Germany and internationally with client-facing operations demands efficient financial processes. Quick payments, easy oversight, and the ability to keep business banking separate from personal devices all matter for a company that thinks about data flows professionally.
Vivid helps Tech GDPR streamline those processes by providing a unified interface for managing company spending and finances. Instead of relying on slow, fragmented legacy banking systems, the team can track transactions, monitor balances, and handle day-to-day operations in one place.
For a company focused on transparency and control in data protection, Vivid’s operational speed and digital-first approach fit naturally: “With the modern kind of way of banking — even though I don’t like all aspects of it — processes are typically quite quick. And that helps when you’re running a business.”
Jongerius’s one reservation is characteristically privacy-minded: “I’d like to keep my personal mobile device out of my business banking equations — not mix things up. And that’s also for privacy reasons.” Even his banking feedback comes through the lens of a data protection professional.
