The Privacy Practice provides bespoke consultancy services in Privacy and Data Protection.
It offers Data Protection Officer services, either as an external DPO or in support of in-house DPOs. In addition, Strategic Privacy Positioning, Integrated Privacy Systems and Data Breach Management are provided. The services include: reviews and reports on existing privacy policies, Data Protection processes, training and compliance systems, and the creation of bespoke, business-oriented Integrated Privacy Systems (IPS).
Data Protection Services
The Accountability principle is at the heart of the Privacy Practice External DPO services. When the ICO investigates an organisation their first requirement is to challenge compliance through the review of copies of the Accountability documentation and any demonstration of how the policies and procedures contained within them have been implemented. The DPO service therefore emphasises the review, analysis and support of such documentation, and supports the effective operationalisation of them.
Ad-hoc advice to the business is central to the support provided by the external DPO service. This may be used operationally, supporting the business in implementing Privacy by Design or by Default, or supporting a DPIA on a new product or service. However, it can also be the mechanism for providing strategic advice or support on the development of new thinking as the regulatory picture becomes clearer.
Regulatory Review and Update
In a fast-changing privacy world it is important that a business is both up to date with the existing regulatory regime and aware of the challenges that are around the corner. Regulation and consumers are moving fast in countries across the world; an independent DPO is part of the response to that environment.
Policy Writing/DPIA Support
Specific policies could be written or rewritten as the environment or the business changes. A regular programme supporting the review of existing policies and procedures can be created. DPIAs can be conducted independently by the Privacy Practice or an in-house DPIA can be supported or reviewed.
Training can be created for all staff, or for key groups of staff, for example developers. If training is already undertaken, validation of the materials can be conducted.
Formal Reports to Board
A key reporting requirement of the GDPR is the provision of information from the DPO to the highest levels of management in an organisation. An annual report would be created using accountability documentation to ensure the Board of the business has an accurate and up to date picture of Data Protection compliance across the organisation.
Data Breach Management
Data Breach Recovery
- Providing advice during, and in the immediate aftermath of, a data breach. This covers the coordination of compliance, corporate HQ, press and PR, IT, information security and affected operational units. Advice is also provided on appropriate interactions with the Information Commissioner’s Office.
Data Breach – Prevention and Preparation
- Reviewing the preparedness of the company’s systems designed to cope with a data breach. Particular emphasis is placed on the preparation undertaken by the likely key players inside the company and the coordination amongst them. A range of scenario rehearsals can be created from a “close-to-real-time” test of systems, through to a simple hypothetical test.
Integrated Privacy Systems
Creation of Compliance systems
- The Privacy Practice advocates the creation of Integrated Privacy Systems that embed Privacy and Data Protection compliance into the operations of a business. Such a compliant system can be designed “from the bottom up” or as an addition to existing mechanisms. Traditional compliance models can also be created to a client’s requirements.
Training – Audit, Programme design and delivery
- Training audits: a review of the company’s training needs and/or its present training programme, in order to ensure maximum likelihood of compliance with the Data Protection Act and best practice.
- Training programmes designed for your circumstances: number of staff, type of data processed, the nature of your industry sector.
- We can arrange the creation of bespoke online training or deliver face to face training.
Privacy impact assessments
- The creation of bespoke Privacy Impact Assessments (PIAs) appropriate for your business sector and needs.
- The operationalisation of PIAs. As well as designing your PIAs, we will help you embed them in your business to ensure they are effective.
- Bespoke audits are created according to the client’s specific needs, taking into account such factors as size, industry and nature of personal data held.
- Systems audits: created to review the efficiency and effectiveness of a company’s present DP compliance systems.
Strategic Privacy Positioning
As Privacy and Data Protection become more significant to regulators, boards and the public at large, it is becoming increasingly important for companies to integrate privacy into their strategic thinking. We help companies take the costs of Data Compliance and see how their strategy can make Privacy a profit centre.