Vienna, 23.06.26 15:56
Press ⮠ [Enter] to search
Help
0xF1E500
Cursor

Get ahead of risk – Governance & Decision support

The exposure most founders ignore until it bites: governance gaps, compliance obligations, privacy and accessibility risk. Left unmanaged, it can turn into regulatory inquiries, legal fees and avoidable fines. Alfred helps you see it coming.

Get ahead of the risk before it finds you

Most founders assume this is someone else's problem. In practice, the risks that bite — a regulator's inquiry, a data complaint, a contract you should never have signed — almost always announced themselves early. The cost is rarely the surprise; it is the lack of a warning.

And the direct cost is seldom the worst of it. There is the trust you lose with customers, the reputation that takes years to rebuild, and, where personal data is involved, the prospect of an authority asking questions you are not ready to answer.

The good news: with a little attention and a structured way of looking at exposure, most of this risk can be seen coming and quietly managed. That is precisely what I am here to do.

Where founders are most exposed today

Data & privacy exposure (GDPR)

GDPR has been in force since 2018, and enforcement has only sharpened since. Here is the exposure I flag first, in plain terms:

Your privacy policy

You need a complete, readable account of how you handle personal data — and a generic template will not hold up. It has to reflect what you actually do. Are you running Google Analytics, growth tooling, a Facebook pixel, or a newsletter tool like Mailchimp? Anything that collects or passes on data belongs in there. A gap here is one of the easiest things for a regulator to spot.

A lawful basis for processing

You cannot simply collect data because it is useful — there has to be a lawful basis behind it. In most cases that basis is the user's consent, and consent has to be informed, freely given, and withdrawable at any time. If you cannot say which basis applies to each thing you collect, that is a gap worth closing now.

Cookies & tracking

If you run tracking tools, you need the active consent of your visitors — and that goes well beyond a token cookie banner. What is actually required is a proper consent-management setup, one that makes declining as effortless as accepting. Anything less invites exactly the kind of complaint you do not want landing on your desk.

Access & deletion requests

If you process personal data, you have to be able to disclose it on request and delete it when asked. It sounds obvious — but in practice it depends on clear internal processes, and most founders only discover the gap when the first request actually arrives.

Accessibility exposure — the BFSG, in force since 2025

For many founders this is still unfamiliar territory: the European accessibility law (BFSG) has applied in full since June 2025. Websites and online shops are now expected to be usable by people with disabilities, and depending on your situation that is a legal obligation, not a nicety. It is the kind of risk that sits quietly until someone raises it.

Here is what it tends to mean in practice:

Visual accessibility

People with impaired vision rely on screen readers to make sense of a site. For that to work you need clean HTML with proper headings and lists, alt text on every image, sufficient contrast between text and background (at least 4.5:1), and information that is never conveyed by colour alone.

Motor accessibility

Every function of a site has to be operable by keyboard alone, without a mouse. That means visible focus states — so you can tell which element is currently active — and the ability to move out of any interactive element you have entered.

Hearing accessibility

Videos should carry subtitles, and podcasts are best accompanied by a transcript.

Cognitive accessibility

Clear, plain language, consistent navigation, and the absence of distracting animation all help people with learning or concentration difficulties take in your content fully.

Oversight and consequences: compliance with the BFSG is checked by the authorities, and breaches can carry significant fines. Beyond that, an inaccessible site can invite discrimination claims — a reputational risk that reaches well past the financial penalty. This is exactly the kind of exposure I would rather you saw coming than discovered the hard way.

How Alfred helps you stay ahead of risk

  1. 1. Phase

    Map the exposure

    I take a clear-eyed look at where you stand and ask the questions a board would:
    – Is there a privacy policy, and is it current?
    – Is there a legal notice, and is it complete?
    – Are you running tracking tools, and are they compatible with privacy law?
    – How is consent actually being managed?
    – Is the site accessible?
    – Where else might risk be hiding?
  2. 2. Phase

    Set the strategy

    Working from your situation and your business, I help you shape a position on data and governance:
    – What data are you collecting?
    – Do you have a lawful basis for it?
    – Which tools are you using, and do they hold up under GDPR?
    – How does consent actually work in practice?
    – How will you handle access & deletion requests when they come?
  3. 3. Phase

    Decide and act

    I help you weigh the calls and act on the ones that close exposure:
    – A privacy policy you can actually stand behind
    – A complete, correct legal notice
    – The right consent-management tool (e.g. Cookiebot, OneTrust)
    – Tracking tools configured the way they should be
  4. 4. Phase

    Keep watch

    And I keep an eye on the accessibility exposure the BFSG creates, so it stays on your radar:
    – A sound HTML structure
    – Alt text on every image
    – Colour contrast checked & corrected
    – Keyboard navigation tested & fixed
    – Videos with subtitles
    – Accessible forms (labels, error messages, and the like)

Ready to get ahead of the risk?

Unmanaged exposure is a quiet liability — for your company and for the people who trust it. Let me help you see it coming and bring it down to size.

Get started

FAQs

Common questions about getting ahead of risk.

As a small company, is GDPR exposure really my concern?

Yes. GDPR applies to any company that processes the personal data of people in the EU, regardless of size. If you run a site with a contact form, a newsletter, or Google Analytics, you are already processing personal data and the obligations are yours. Missing privacy policies, weak cookie consent, or no record of processing are among the most common exposures I flag — precisely because they are easy to overlook and easy for someone else to spot.

What is the BFSG, and who does it affect?

The accessibility act (BFSG) translates the EU directive on accessible digital products and services into national law. From 28 June 2025, certain companies — among them online shops, banking, telecoms, and digital services — are required to make their websites and apps accessible. Part of what I do is help you understand whether, and to what degree, this exposure actually lands on you, so it does not catch you out later.

What does accessibility actually mean for my website?

An accessible website is one that people with impairments — visual, motor, or cognitive — can use in full. In concrete terms that means sufficient colour contrast, keyboard operability, alt text on images, a clear heading structure, and compatibility with screen readers. The standard to aim for is WCAG 2.1, Level AA. I will tell you plainly how far your current site is from it.

Can a non-compliant website actually land me in trouble?

Yes — the risk is real. Warnings and claims over missing or incomplete privacy policies, faulty cookie handling, or the absence of a data-processing agreement with tools like Google Analytics are well documented across the region. My job is to help you see the most common exposures coming and close them, without the cost of a full legal opinion. For deep legal counsel I will always tell you to bring in a privacy lawyer as well — knowing where my judgment ends is part of it.
Cases

What is Alfred?

Alfred is an AI board member: boardroom-grade strategic counsel for founders, on call 24/7. Calm, candid judgment on the decisions that move your company forward.

Who is Alfred for?

Arbeiterkammer
Familypark
UNICEF
TU Wien
Aperol
Campari
Kinderhilfswerk
e-dialog
Waldquelle
Land NÖ

Send us a message

Message*
!

Thanks for reaching out — Alfred and the team will be in touch shortly.