The first step is to conduct a GDPR audit, or gap analysis, if you have not commissioned one previously.
The purpose of this is to understand the culture of data privacy within your organisation and how personal data flows around it – how it comes in, how and where it moves internally and how and why it leaves the organisation – when sent to your customers, clients, or suppliers.

During our time on site, we will identify how compliant the organisation is in relation to the previous Data Protection Act 1998 and what changes you must implement to meet the requirements of the GDPR.

Although the principles of the GDPR are very similar to the previous Data Protection Act 1998, the legislation now means companies must demonstrate their compliance upon demand from clients, customers and the Supervisory Authorities (Information Commissioner’s Office).
While there are other features, it is this demonstrable element of compliance that is the biggest task as it requires the creation of policies and procedures that accurately reflect the processes you have in-house.

The report we deliver off the back of the audit will highlight all areas of concern – in traffic light format to ensure the priority areas are identified and addressed swiftly. 

Our professional team provide on-going support at a level to suit your budget to ensure all areas of concern are rectified with maximum efficiency – but without cutting corners. We pride ourselves on the quality of our work – and implementing a programme of data privacy is not a tick-box exercise. It must be embraced from the Board Room and filtered down.



Off-site Pre-Assessment
We ask you to complete a pre-assessment document – helps us to learn the basics of the business.

On-site Audit
1. We conduct an informal “introduction to GDPR” training session for all staff – lasts 45 minutes.

2. We hold one-on-one meetings with department heads to discuss the personal data used in their department.

3. We can cover up to five departments in one day.

4. Walk-about with a senior staff member – helps us to understand the privacy culture “on the office floor”.

Off-site Reporting
1. We complete a detailed report of our departmental interviews – in traffic light format.
Red = critical, amber = requires attention, green = no concern.

2. An Executive Report is prepared for the Directors – summarising our findings and making recommendations as to the next steps.

3. A “Readiness” report is completed using specialist privacy software – gives an overall percentage of compliance based on the policies and documentation that are required.


How to get our professional compliance team to you – for less than you think!
Our daily rates exclude VAT and are based on spending 1 day at your office with up to 5 departments.


Basic Audit
This is ideal for businesses with a single office and up to 5 departments.
One consultant in your office for 1-day with 1-day reporting (off-site).
£750 per day, plus agreed travel costs.
Total cost: £1,500 + travel


Intermediate Audit
This is our most popular option and ideal for businesses with 1 office and 5+ departments.
One consultant in your office for 2 days, with 2 days reporting per office visited (off-site).
£750 per day, plus agreed travel costs.
Total cost: £3,000 + travel


Advanced Audit
This is ideal for larger businesses with multiple sites and 5+ departments in each.
Our 3-person Privacy Team will visit all sites to conduct the audit, then work off-site to complete the report.
£750 per day, per consultant, plus agreed travel costs
Total cost dependent upon number of offices visited and total number of days worked. 
Please contact us to discuss.


We offer a highly professional, multi-skilled privacy service
Each member of our team has been selected based on their area of expertise and specialism in privacy.

We tailor our service offering to your need
With clients ranging from local SMEs to large corporates (both UK & overseas), we have a level of engagement for all.

We’re passionate about privacy and the protection of personal data
You could say we love our jobs..!

We work for you
We do everything in our power to get you and your company GDPR compliant as fast as possible.

We never settle for 2nd place
We lead the way on fast, effective e-privacy and GDPR compliance, delivered as efficiently as possible – without cutting corners.

We’re one of the UK’s leading privacy consulting teams
Providing guidance to more than 150 firms.


Don’t see the answer to your question? Click here to ask one of our specialist team.


Q. What does GDPR stand for?

A. General Data Protection Regulation

Q. When did it come into force?

A. It came into force across the EU on 25th May 2018.

Q. Does it affect me?

A. It affects any business or organisation that processes and holds personal data of individuals residing in the EU.
No matter what your size, if you have a website, clients, suppliers, or employees, then you will hold personal data… so the GDPR applies to you.

Q. What is personal data?

A. Personal data is any information that relates to an identifiable living person. Names, email addresses, telephone numbers and even cookies from websites fall into this category.

Q. What is sensitive data?

A. Sensitive data, or “special category” data refers to data that uniquely identifies a person – this could include genetic and biometric data (ie, fingerprints), sexual health data, race and ethnicity information.

Q. What about Brexit?

A. The UK refers to the Data Protection Act 2018 and the GDPR together. While the GDPR is the main document for reference, there are certain instances where the DPA2018 takes precedence – such as matters of national security. When the UK leaves the EU, the DPA2018 will become our sole data protection framework – and is the law, not a choice.

Further details: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/data-protection-and-brexit-ico-advice-for-organisations/

Q. Do I have to register with the Information Commissioner’s Office (ICO)?

A. While there are a few exemptions, most businesses that process personal data must register with the ICO. Failure to do so can lead to a fine.

Q. What are the penalties for failing to comply with GDPR?

A. Fines are now tiered, depending on the severity of your failure to comply. The maximum fine is 4% of global turnover, or €20m, whichever is greater. Less severe violations can receive a fine of 2% of global turnover, or €10m.

Q. Do I need to appoint a Data Protection Officer (DPO)?

A. If you are a public authority, or your main business focus involves the large-scale processing of data, or special categories of data, then you may be required by law to appoint a DPO.

Q. Do I have to report ALL data breaches?

A. No – but you must keep an internal record of all data breaches. If the breach is unlikely to result in a serious risk to the rights and freedoms of the individuals, then the breach should be reported to the ICO within 72 hours of being discovered – and the individuals affected without undue delay.

Q. What is a data breach?

A. A data breach is any unauthorised or illegal destruction, loss, alteration, or access to personal data. That may include sending an email to the wrong person, or losing your laptop, mobile phone or USB stick!


The GDPR (General Data Protection Regulation) came into force across Europe on 25th May 2018. It replaced the previous Data Protection Directive, which was implemented across Europe but was not legally binding, in that EU Member States could develop their own version – we had the Data Protection Act 1998. The GDPR is a Regulation and requires all EU Member States to implement it in its current form. To coincide with the GDPR coming into law, the UK passed the Data Protection Act 2018 – and this operates alongside the GDPR. When the UK leaves Europe, the Data Protection Act 2018 will be referred to – there is no escaping it.

The GDPR applies to every organisation in the UK that handles or processes personal data – there are very few exceptions.

Which Part of Your Business is Most at Risk?
GDPR should be a business-wide concern, as all departments will be processing data to some degree and data will flow around the business in an operational manner. However, the departments accessing the greatest concentration of personal data tend to be Human Resources, IT and Sales & Marketing.


We offer professional guidance in the following areas:

1. Identifying risk areas from your GDPR audit (if not completed by us)

2. Identifying risk areas from your IT & Cyber Security audit (if not completed by us)

3. Identifying risk areas in supplier contracts and data processing agreements (additional due diligence may be required – suppliers are rarely as compliant as they claim)

4. Assistance with your Records of Processing (Article 30, GDPR)

5. Reviewing existing policies and guidance in the creation of required policies

6. Establishing information governance procedures

7. Devising & implementing staff training schedules

8. DPO-as-a-Service

9. EU representation service (Article 27, GDPR)

10. Stress-Test: random spot-checks on high-risk areas of the business

11. Mystery shopper – we can put any area of the business to test. It’s better that we identify any failings and work with you to remedy them, rather than you being reported to the ICO for non-compliance.

For an immediate response on how we can help you - contact us now

Your data will only be used to make contact with you for the purpose of responding to your enquiry.