0203 3013384
CONTACT

GDPR & data protection consultancy

BOOK A CALL
_0000_2560px-Macmillan_Cancer_Support_logo.svg
_0012_rhodes
_0018_Boxpark_LOGO
_0010_reigate_and_banstead_borough_council
_0013_SWAST
_0015_RDUH
_0014_Bristol-Airport-logo
_0003_Exeter Chiefs
_0001_Maidstone Borough Council
_0002_Birmingham Airport

DATA PROTECTION SUPPORT

COST EFFECTIVE AND RESPONSIVE

GDPR & DATA PROTECTION CONSULTANCY

At DPAS, our consultancy services go beyond basic compliance, offering a strategic and practical approach to embedding data protection requirements across your organisation. Whether you need expert input on a single policy or require full UK or EU GDPR implementation support, our team is here to help, no matter the size or complexity of the task.

Our experienced GDPR consultants work closely with you to integrate compliance into your everyday operations. This includes creating and maintaining your Record of Processing Activities or Information Asset Registers, drafting tailored policies, supporting data sharing frameworks, managing supplier risk, support with implementing AI, guidance on CCTV compliance, and advising on specific projects. No matter the size of your project, we can support your organisation. Our support is always pragmatic, proportionate, and aligned with the needs of your business.

At DPAS, we take a client focused approach with our bespoke data protection consultancy. We tailor our services to your sector, risk profile, and business operations. Our ethos is to engage, educate, and empower, and that’s reflected in the trusted relationships we’ve built with over 250 organisations across the UK.

Whether you require one-off advice or longer-term project support, we offer clear, actionable advice and frameworks to help your organisation meet its obligations, reduce risk, and strengthen its compliance position. Book a meeting with a consultant today to discuss your needs.

Ready to learn more?

book a meeting

BOOK A MEETING
MAKE AN ENQUIRY
What's Included
CASE STUDIES
FAQs
Meet the Team
Book a meeting

DATA PROTECTION CONSULTANCY SERVICES

What can we help with?

As part of your Article 30 UK GDPR obligations, maintaining a comprehensive Record of Processing Activities (ROPA) is essential. Our consultancy team will help you build, review, and maintain your ROPA, ensuring it reflects the way personal data is collected, used, stored, and shared across your organisation. We provide templates, facilitate workshops, and guide you in creating a living document that supports ongoing compliance and risk management.

An effective Information Asset Register (IAR) allows you to track all personal data assets within your organisation. We support clients by mapping data flows, identifying data owners, categorising risk levels, and ensuring alignment with your ROPA and IT asset inventories. Our data protection consultants will help you establish a structured and sustainable IAR that provides oversight, accountability, and supports data governance best practices.

If your organisation carries out high-risk data processing activities—such as implementing new technologies or large-scale surveillance—then Data Protection Impact Assessments (DPIAs) are critical. Our consultancy service offers end-to-end support with DPIAs, including risk identification, analysis, mitigation planning, and documentation. We can also train your team to manage DPIAs internally while ensuring a compliant and defensible process.

Navigating international data transfers can be complex, particularly in a post-Brexit regulatory environment. Our consultancy services help you assess and document your global data flows, select appropriate safeguards (such as Standard Contractual Clauses), and conduct Transfer Risk Assessments (TRAs) as required. We ensure your international transfers are lawful, transparent, and secure—reducing the risk of enforcement action and reputational damage.

Clear and comprehensive data protection policies are the backbone of a compliant organisation. We create, review, and update your suite of policies, including Data Protection, Retention, Subject Access, Data Breach Response, and more. Our consultants tailor all documents to your sector and operations, ensuring your staff understand their responsibilities and that your organisation meets regulatory expectations.

We draft and review Data Sharing Agreements and Data Processing Agreements (DPAs) to ensure your contracts with third parties and data processors meet legal requirements under the UK GDPR. Our consultancy includes advising on controller/processor roles, ensuring appropriate technical and organisational measures are in place, and helping you respond to due diligence requests from partners or clients.

Embedding privacy from the outset of any project is not only best practice—it’s a legal obligation under the GDPR. Our consultants help your organisation apply privacy by design and default principles by engaging with your teams early in project lifecycles. We review system architectures, business processes, and new initiatives to ensure personal data is minimised, secured, and handled lawfully at every stage.

As organisations increasingly adopt Artificial Intelligence (AI) tools and systems, ensuring compliance with UK GDPR and emerging AI regulations is vital. Our data protection consultancy provides expert guidance on the safe and lawful deployment of AI technologies. We support you with AI-specific Data Protection Impact Assessments (DPIAs), risk assessments, supplier due diligence, and internal policy development. We also help establish AI governance frameworks, ensuring transparency, accountability, and fairness in AI-driven decision-making. Whether you’re developing in-house solutions or working with third-party vendors, our consultants ensure your AI initiatives align with both current data protection laws and ethical best practice.

Effective records management is fundamental to GDPR compliance and good information governance. We support organisations in creating and implementing retention schedules that define how long different types of personal and business data should be kept, and when and how they should be securely disposed of. Our data protection consultants assess your current data lifecycle practices, align them with legal and regulatory requirements, and help embed retention rules into everyday processes and systems. Whether you’re starting from scratch or need to update an outdated policy, we ensure your records management supports accountability, reduces storage risk, and meets sector-specific obligations.

Using CCTV involves processing personal data and must comply with the UK GDPR and the Protection of Freedoms Act. As part of our data protection consultancy services, we support organisations in implementing lawful, transparent, and proportionate CCTV frameworks. This includes drafting or reviewing CCTV policies, signage, privacy notices, and access request procedures. We also conduct assessments to ensure camera placement is justified, data retention is appropriate, and footage is handled securely. Whether you’re introducing new surveillance systems or reviewing existing setups, our consultants help ensure your use of CCTV meets legal requirements and stands up to scrutiny from regulators or data subjects.

Your website and marketing communications are often the first place data protection failures can be spotted, by customers or regulators. As part of our data protection consultancy service, we provide thorough reviews of your website and marketing practices to ensure full UK GDPR and PECR compliance. This includes reviewing cookie consent banners and cookie policies, privacy notices, contact forms, newsletter sign-ups, and tracking tools like Google Analytics. We also assess your email marketing, SMS campaigns, and data capture processes to ensure lawful bases are applied correctly and customer preferences are respected. Our team helps you reduce risk, build customer trust, and stay compliant in your digital presence.

With the introduction of the UK’s Data Protection and Digital Information Act (DUA Act), organisations need to reassess their existing data protection frameworks to ensure ongoing compliance. As part of our consultancy offering, we review your current policies, procedures, contracts, and documentation in light of the latest legislative changes. Our consultants provide tailored advice on what the DUA Act means for your organisation and help you update relevant materials, from lawful basis assessments and DPIAs to privacy notices and retention schedules. We ensure you’re prepared, up to date, and compliant with evolving UK data protection laws.

"FANTASTIC SERVICE, DELIVERED BY A GREAT TEAM WHICH HAS MADE A HIGHLY COMPLEX PROJECT EASY TO DIGEST"

We decided to use DPAS because we felt they were a good fit for the BOXPARK brand, being a boutique data protection advisory company. Since the commencement of the project, we have received fantastic service delivered by a great team - making a highly complex project easy to digest. They hit every deadline and continue to provide us easy-to-understand data protection advice and support.
Matthew CarterBOXPARK
Matthew Carter
"I WAS EXTREMELY RELIEVED TO FIND THE FRIENDLY TEAM AND EXCELLENT SERVICE AT DPAS"

They went out of their way to support me in a short timeframe, not only to fulfil my data privacy criteria - which included more complex special category data processing - but also with trusted legal support, which - being all under one DPAS roof - was easier to access and significantly more time and cost effective.
Kate Shepperd-CohenMENSTRUAL SUPPORT SERVICE
Kate Shepperd-Cohen
"THOROUGH, EFFICIENT, AND REMARKABLY UNOBTRUSIVE FROM AN OPERATIONS PERSPECTIVE"

We enlisted DPAS to help with our journey to GDPR compliance, as we didn't have the resources and skills within our team. DPAS' approach was thorough, efficient and remarkably unobtrusive from an operations perspective. Post completion of the project, we had a clearer idea of the risks and issues that attend GDPR compliance directly, and could tidy up in-house data processing to ensure we are more efficient as a business.
Giles Squirrel TEIGNMOUTH MARITIME SERVICES
Giles Squirrel
"DPAS REALLY HELPED TO TAKE THE PRESSURE OFF BY HELPING WITH COMPLEX SARS, AND DPIAS"

On top of an already demanding workload, we had a new system integration, a merger to form a new Trust, and the impact of COVID to deal with. DPAS really helped to take the pressure off by assisting with complex SARs, and DPIAs. With no idea how many SARs you may receive, having the ability to flex by using additional resources can be quite useful. Knowing I can rely on Charlotte's support with DPIAs and data sharing agreements really takes the pressure off. It's really helpful having someone that can take the time out to review requests.
Rhiannon PlattROYAL DEVON UNIVERSITY HEALTHCARE
Rhiannon Platt
"LEGAL SUPPORT, WITH AN ETHICAL AND PRAGMATIC TWIST"

Bristol Airport have worked closely with DPAS for several years, and they have been instrumental in providing their services, helping us to deliver transformative projects across our airport.
Kate Maddock-Jones BRISTOL AIRPORT
Kate Maddock-Jones
"EVERY ONE OF THE TEAM IS KNOWLEDGEABLE AND EXTREMELY COMPETENT"

DPAS have been hugely helpful in recent years, in ensuring that SWAST are doing our best and continuing to comply with information governance best practice and compliance. From our experience, every one of the team is knowledgeable and extremely competent. We have benefited from a range of services from DPAS and specifically with them acting as our Data Protection Officer. They have offered training and advice, and added to our Information Governance capacity, which was welcome and much needed.
Tim BishopSWAST
Tim Bishop
"DPAS IMPRESSED US WITH THE BREADTH AND DEPTH OF THE SERVICES THEY OFFERED"

We were looking for an independent review and audit of our data processing activities and policies across the Rhodes Trust and our partner programmes. When we went to the market, DPAS impressed us with the breadth and depth of the services they offered. We are a relatively complex organisation, but the DPAS team quickly understood how our work fits together, and throughout the audit process, I’ve appreciated the expertise of each member of the team that we’ve worked with. Their advice throughout has been reassuringly thorough, pragmatic, and tailored to our needs.
Matthew TreavisRHODES TRUST
Matthew Treavis
"WE ARE VERY HAPPY WITH THE HIGH STANDARDS OF SERVICE RECEIVED "

The University of Exeter Students’ Guild were keen to ensure we were delivering our GDPR commitment on time and on track. We therefore needed a qualified Data Protection Officer to monitor our progress, provide assurance that we were on the road to compliance, and maintain the role going forward. We sourced DPAS as they were local and have 20 years of data protection experience. We are very happy with the high standards of service received, and the training provided was not only delivered professionally, but completely tailored to our business type. I highly recommend Data Privacy Advisory if you have GDPR worries or you are considering having a Data Protection Officer look after your organisation.
Mark JohnsonUNIVERSITY OF EXETER STUDENTS GUILD
Mark Johnson
"A GREAT, RELIABLE SERVICE WHEN WE NEED IT MOST "

DPAS provides us with excellent, responsive advice when we need to supplement our in-house resource – a great, reliable service when we need it most.
Carys JonesRBBC
Carys Jones
"I WOULDN'T HESITATE USING THE TEAM AT DPAS AGAIN "

When faced with a complex Subject Access Request, we went out to the market to look for a provider that had the knowledge and experience to complete the data conversion and redaction on our behalf. We were impressed with the team at DPAS from the offset and entrusted them to deliver the required redacted documents within the legal timeframes. We found the team responsive and also accommodating when we needed tweaks to how the final information was presented – I wouldn’t hesitate using the team at DPAS again.
Tariq OzaibiHead of Supporter Care & Compliance
Tariq Ozaibi

CASE STUDIES

Data Protection consultancy services

Due to the busy nature of Prestige Nursing and Care, internal resources were limited.

Engaging with DPAS allowed Prestige Nursing and Care to be confident that there was no stone left unturned, in order to develop a comprehensive plan going forward.

"

DPAS have always been extremely responsive and helpful

DPAS have been instrumental in supporting Prestige Nursing & Care as we embark on our franchising journey, to ensure that our franchise agreements are aligned with the relevant data protection legislation

Head of Risk Management

Prestige Nursing & Care

South Western Ambulance Services Foundation Trust (SWAST) approached DPAS several years ago, seeking outsourced Data Protection Officer (DPO) support.

They required expert guidance on key projects, assistance with complex data protection enquiries, and additional support for their in-house team. Since then, DPAS has been providing remote DPO services, ensuring SWAST remains fully compliant with data protection law.

"

DPAS have been hugely helpful in recent years

From our experience, every one of the team are knowledgeable and extremely competent. We have benefited from the a range of services from DPAS and specifically acting as our Data Protection Officer, offering training, advice and adding to our Information Governance capacity which was welcome and much needed.

senior information risk owner

SWAST

DPO as a service

frequently asked questions

Our data protection consultancy service includes end-to-end support across all key compliance areas: Records of Processing Activities (ROPA), Information Asset Registers (IAR), Data Protection Impact Assessments (DPIAs), international data transfers, policy development, data sharing agreements, retention schedules, AI governance, CCTV frameworks, and more. We provide tailored advice, documentation, and training to help you meet your obligations under the UK GDPR and Data Protection Act.

Any organisation that processes personal data—particularly those handling large volumes, special category data, or operating across borders—can benefit from a data protection consultant. We work with private companies, public bodies, schools, charities, and healthcare providers to ensure compliance, reduce risk, and improve internal practices around data governance.

Yes. Our consultants have extensive experience across a range of sectors including healthcare (NHS trusts, GP surgeries, ICBs), education (state and independent schools), and non-profits. We tailor our approach to align with your sector’s legal obligations, operational needs, and industry-specific challenges.

Absolutely. We offer dedicated support for organisations implementing Artificial Intelligence (AI) tools or automation systems. This includes AI-specific DPIAs, supplier reviews, internal governance frameworks, and ethical risk assessments. Our goal is to help you deploy AI technologies safely, lawfully, and in line with evolving regulatory expectations.

We assess your cross-border data flows and help you implement appropriate safeguards such as Standard Contractual Clauses (SCCs), Transfer Risk Assessments (TRAs), and other lawful mechanisms. Our consultants ensure your international transfers are documented, justified, and compliant with the UK’s post-Brexit data protection regime.

Yes, training is a core part of our service. We deliver engaging, practical training sessions for staff at all levels—covering topics such as GDPR basics, data breach handling, DPIAs, AI, and information security. Training can be provided in-person, virtually, or through custom eLearning modules.

We work with you to develop retention schedules that meet legal, regulatory, and operational needs. Our consultants assess your current records management practices, recommend improvements, and help embed retention rules into your systems and processes to reduce risk and support accountability.

Yes. We offer full support with CCTV data protection compliance. This includes policy writing, signage templates, lawful basis assessments, access request processes, and data retention guidance. Whether you’re setting up a new system or reviewing existing footage management, we ensure your use of CCTV meets GDPR requirements.

Both. We offer flexible options to suit your needs—from one-off gap analyses or policy reviews, to retained consultancy with regular advisory support. Retained clients benefit from ongoing access to our consultants, up-to-date templates, and rapid response for urgent queries or incidents.

Simply get in touch with us via our contact form or call. We’ll schedule an initial consultation to understand your needs, assess your current compliance posture, and recommend the most suitable service package. Whether you’re just starting your compliance journey or need specialist support, we’re here to help.

Meet Our Team

DPO's & CONSULTANTS

Nigel goodingFounder
Nigel gooding
Founder
Natalie BennettHead of Consultancy
Natalie Bennett
Head of Consultancy
Lauren Durham-HutchinsData protection consultant
Lauren Durham-Hutchins
Data protection consultant
Kristal RocksData protection consultant
Kristal Rocks
Data protection consultant
Alex HaslamData protection consultant
Alex Haslam
Data protection consultant
Jack PenaligonData protection consultant
Jack Penaligon
Data protection consultant

Ready to strengthen your data privacy?

Book a free consultation with our expert team today

BOOK A MEETING

Want to Find out more?

get in touch

Insights, Updates, & Expert Advice

recent blogs from our team

Picture of Mel

6 Tips from an Experienced DPO

The role of the Data Protection Officer is no walk in the park, and comes with a variety of unique challenges.
READ MORE
Picture of Mel

Should you outsource your DPO?

It may be beneficial to outsource this role, rather than appoint a DPO in-house.
READ MORE
Picture of Lauren Durham-Hutchins

Who is responsible for data protection in a company?

There are specific roles within organisations that play pivotal roles in keeping the processing of personal data safe and compliant.
READ MORE
Picture of Lauren Durham-Hutchins

Who are the Caldicott Guardian, SIRO and DPO?

Patient data needs to be handled very carefully, so those in charge of ensuring its safety must take their responsibilities seriously.
READ MORE
Picture of Mel

Outsourcing your Data Protection Officer: Is it the best option?

READ MORE