UK GDPR / data protection compliance review

If you want an expert review of your current data protection compliance, we are well-placed to help.

We offer a multi-step process, with different options for each of the steps, on a fixed-fee basis. This means that you can pick the approach, and the outputs, which best suits your needs and your budget.

Our data protection compliance approach

Our data protection compliance reviews are structured in line with a normal phased project management approach:

  • initial scoping work
  • collecting information
  • analysing that information and reporting
  • remediation: out of scope for the compliance review

We can also help fix problems or deal with recommendations which arise from the review.


We break the work down into separate review step, with options for completing each step, depending on your own appetite to be involved, and your budget.

These steps are indicative rather than fixed - we can change things to suit your needs.

Phase 1: Initial scoping

The initial scoping activity would consist of working with you, with the objectives of:

  • identifying "in-scope" areas for the review
  • preparing, in conjunction with you, a suitable questionnaire, to gather information from each of the identified areas

The price for this will depend on your preferred level of engagement.

For example, if you wishe to be relatively hands-off, you might provide only an organisational chart and leave the remainder of the scoping to, else you might wish to bring your internal knowledge and experience to play in determining which parts of the organisation pose the highest risk (from a prioritisation point of view) and which – if any – can be safely left out of the activity.

Our estimated price range is £1,200 + VAT (greater involvement by you) - £1,800 + VAT (lesser involvement by you).

Phase 2: Collecting information

This phase entails using the questionnaire developed in Phase 1 to collect information from the organisation units identified as “in-scope” in Phase 1.

We can offer a range of support, depending on your preferred level of engagement.

Option 1: Fully delivered by you; zero touch / ad hoc support by

You sort out completion of the questionnaires, unsupported, and provide the completed responses to

For this, as we would not be involved, there would be no charge.

If you have questions or needs ad hoc support, we schedule time to do that. We can either agree a price depending on the scope of work needed, or else work on a timed basis for quick or smaller questions.

Option 2: Led by you; light touch by

You are responsible for completing the questionnaires, and we will join a call with each in-scope business area, to answer questions or help steer the conversation towards the information needed.

You retain responsibility for providing the completed questionnaires to

If each meeting was scheduled for 60 minutes, our price is £300 + VAT per meeting. For 90 minutes, £450 + VAT.

Option 3:

In this option, takes the lead.

You schedule the meetings (one per questionnaire) and ensure attendance by the right people in the business, and runs the meetings, asks the questions and provides clarifications as needed, and takes responsibility for completing the questionnaires.

Support from you would be welcome, to help introduce the purpose of the activity, and this is likely to improve the quality of the output, but it is not essential.

If each meeting was scheduled for 60 minutes, our price is £600 + VAT per meeting. For 90 minutes, £900 + VAT.

Phase 3: Analysing and reporting

This phase relies on the questionnaires completed in Phase 2, and can contain a range of activities / outputs. You might want both options, for a broader review.

Option 1: Questionnaire review would review each questionnaire, and assess the answers against the UK GDPR.

The output would be:

  • a risk-report for each in-scope area, based on the answers received
  • recommendations for improvement / remedial activity
  • an overall indication of level of compliance / risk rating
  • an executive summary. (We can work with you to identify the type of information which you like to see in executive summaries.)

Price: £600 + VAT per questionnaire.

(This does not include carrying out the recommendations / remediation, since what is needed will depend on what (if any) gaps are found, and your appetite for fixing those gaps.)

Option 2: Polices and procedures review

We review your data protection-related policies and procedures, and offer recommendations for improvement.

We can also review the broad consistency of your Article 30 record against the requirements of the UK GDPR, and potentially against the responses to the questionnaires. We cannot offer an audit to confirm that your Article 30 record is correct and complete.

Please see the section below, on supplementary work, for examples of the review activities which could fall within this phase.

We can offer a fixed price, once we see what materials are available for review, and what you would like to be in-scope.

Phase 4: Remediation

At this stage, we cannot offer a scope of work, or pricing, for remediation or giving effect to recommendations, as this would depend on what (if anything) comes up in the earlier phases.

Additional services / reviews

We have identified a number of activities which complement the specific work identified in the Phases above, which might be of interest.

Most of these activities could be carried out on a fixed-fee basis, following initial scoping activity.

Privacy notice review

We recommend that this is carried out as part of the broader privacy review.

The work would be carried out once all questionnaires have been completed, and would entail a review of your current privacy notice against the requirements of the UK GDPR, the questionnaires, and your current Article 30 record.

The output would be indications of gaps in the privacy notices. Remedial work could include fixing those gaps.

Review of marketing practices

This review would look at you marketing process / approach, and use of cookies. The scope would depend on what marketing you do, and may include both email and social media marketing (including online targeted advertising).

The UK’s Information Commissioner’s Office routinely fines organises for non-compliance with marketing rules, particularly email, and non-compliance in this area presents a greater risk of a sanction than most other parts of the data protection framework.

To date, the ICO has shown little appetite for enforcing the rules on cookies, but there is a gradual increase in the number of time-consuming complaints and demands for compensation from individuals claiming to have suffered harm as a result of non-compliance.

Review of data protection approach to procurement

If you use third parties to process personal data, this review would examine your approach to data protection in its procurement activities, looking at prioritisation (to focus legal, information security, or procurement resource on the right projects/vendors), and standard terms.

It would likely include: * a review of you vendor due diligence process, as it relates to data protection * a review of "standard" data protection terms to assess against the requirements of the UK GDPR.

Depending on your use of overseas providers: * a review of the approach taken to international transfers (i.e. transfers to recipients in countries outside the UK or the EU) / your international transfer risk assessment process, and standard terms

(This does not necessarily need to include review of any specific vendors, contracts / relationships, or international transfers, but we can help with this if beneficial.)

Breach identification and reporting review

This review would focus on your process for:

  • identifying potential personal data breaches
  • determining which breaches require notification to the ICO, or communication to the data subjects
  • recording personal data breaches

In addition, we can offer a review of historic breaches and reports, to give a view on whether they were handled consistently with the UK GDPR, and give advice on what could be done differently in future.

Data protection training review

If you carry out staff training, this work would cover: * a review of your approach to staff training for data protection * we can also review specific training materials and indicate areas for improvement

We have helped organisations with both general training, for all staff, and dedicated training for specific higher-risk teams or to protect against higher-risk threats.

If you don't have training, we can help you develop and deliver this. We can be involved in a relatively light-touch way (helping you to identify training needs, and basic content), right through to developing and delivering the content, such that you just need to keep records of who attended.

Data protection impact assessment process

If you have a process for determining if data protection impact assessments are necessary, this activity would comprise a review of:

  • your current approach to data protection impact assessments
  • your current data protection impact assessment document/tool

(This does not necessarily need to include carrying out new data protection impact assessments, or benchmarking of existing DPIAs against the framework, but it could do if those would be useful.)

Law enforcement assistance review

If you receive requests from law enforcement for access to communications data or other requests, we can provide a review of your policy framework, and operational processes relating to this.

This is a specialist area of work, and we bring the skills, expertise, and experience to ensure that the outputs are reliable and our recommendations pragmatic.