As a business it’s important that you protect and respect the personal data that you collect, and most importantly it must be handled in line with the current legislation. Customer trust is at the forefront of many businesses and showing them that you value their data and will do your upmost to protect it is key to maintaining that trust.

We provide organisations will a variety of consultancy services from one bespoke privacy notice, to a full GDPR implementation package. Our varied client base includes micro businesses to worldwide organisations turning over billions.

full DPO nfographic

why DPAS

experience icon


We have delivered many GDPR compliance projects, some of our clients include ambulance service, large retailer, cinema chain, local authorities, schools and more.

support icon


We have qualified lawyers, GDPR practitioners, information security experts, qualified trainers and business analysts ready to deliver your project.

client icon


By outsourcing this service ensures that you are confident that no stone will be left unturned. Our team of lawyers, business analysts and project managers are always here to help.

working internationally icon


You will have a dedicated project manager updating you every step of the way and providing you with weekly reports on the progress of the project.

Every organisation’s remediation package will be different and based upon its needs, priorities, and information governance maturity levels. 

We often suggest a governance model which enables clearer areas of responsibility, accountability and engagement across all levels of the business. 

Using this model, we can provide a full suite of policies, plans and templates, including (but not limited to): 

  • Internal and External privacy notices;

This means that you can meet your transparency obligations under Articles 5, 12, 13, and 14 of GDPR. Typically, we encourage organisations (size dependant) to have between 2 and 3 privacy notices. These are for external users (i.e. customers, clients, service users), internal users (i.e. staff, contractors, temps etc.) and job applicants. 

  • Data Incident and Breach Management Policies and Procedures

This means that any breaches or potential incidents involving personal data are escalated quickly, efficiently and with the correct information. From there the right people can action the policy so as to meet the statutory reporting timeframes, stop the breach, and address it so as to minimise potential harm to data subjects.

  • Marketing and Electronic Communication Policy

In a world where people are bombarded by electronic messaging (from digital marketing to emails in the office) there are a number of regulatory requirements. These requirements can in places be contradictory and outdated due to technological developments. DPAS will work with you to make sure you have a policy which means you only market where it is lawful to do so, and with the correct permissions in place.

  • Subject Access Requests and Individual Rights letters, templates, guidance and policy

GDPR introduces tighter timeframes and stringent validation criteria when responding to Subject Access Requests or other requests such as erasure and portability. It can be time consuming and confusing, with a number of exceptions being available. This policy when implemented successfully addresses these concerns.

  • Data Protection Impact Assessment Policy and Template

Data Protection Impact Assessments are statutorily required to be undertaken where processing is likely to result in a high risk to individuals (and other areas). This is a simple solution to an important area of compliance.

  • Retention Policy and Schedules

In an era of business where organisations are constantly bombarded by data, it is important to have clear retention policies and schedules so that you do not keep data longer than necessary. This policy helps to provide structure and encourages a way of thinking whereby data is not just seen as an asset, but also as a liability.

  • CCTV Audit and Gap Analysis

If you are using CCTV across your organisation, you must adhere to the Surveillance Camera Commissioner’s Code of Practice and the GDPR. We can perform an audit of your CCTV processing, provide risk assessment, gap analysis and reports. We can map data flows for you and create bespoke policies relating to CCTV for your organisation.

  • Data Mapping

We can create your record of processing activities in line with Article 30 of the GDPR, and also complete a data map so you are sure where the data flows in and out of the business.

  • DPIA Preparation

We can carry out Data Protection Impact Assessments (DPIA) for new systems that you may be thinking of precuring. We will do a thorough DPIA, risk assessment and report and provide you with DPO advice.

  • It is possible to ‘pick and mix’ our remediation packages, based on where there are gaps in compliance.
  • Our policies are constantly being updated and revised based on the latest guidance and regulatory changes.
  • Our packages are tried and tested in a number of organisations and are proven to be successful.
  • We have a range of template policies which we can tailor to your organisation, ensuring that we keep consultancy time to a minimum
  • Our suite of policies use clear and concise language so as to be understandable and easily followed by all staff.  

1.How do you begin the project?

Initially we would come onsite and meet with your team to ensure that we can scope the requirements of your organisation. We will then send and agree a scope of work, and project deliverables, timescales and fixed price.

2.Will you do an audit?

We may need to do an audit so we are clear on where the gaps in compliance are, where the risks are and which areas, we should prioritise due to the current risk rating.

3. Can we pick and choose what we want?  

Of course, we can deliver just a privacy notice for you, or we can do the whole project. We will scope your requirements and agree a project plan. 

4.How do you price your projects?

Unlike a lot of consultancies, DPAS offers our customers a fixed cost for a project. That way, the organisation can budget for what is required. If it takes us longer, it doesn’t cost you anymore.