
GDPR & DPA consultancy

Helping your organisation adhere to the Data Protection Act 2018 and the GDPR


Compliance with the GDPR isn’t a one-time task; when it comes to data protection, ongoing compliance is just as significant as the initial work you put in.

If your organisation doesn’t place importance on ensuring that data protection processes and policies are followed, over time they become diluted and forgotten. Should there be a breach and your organisation isn’t compliant, fines are likely to be significantly higher, which can impact both bottom line and reputation.

What is GDPR consultancy?

GDPR consultancy is an expert assessment of your organisation’s level of compliance, with advice from experienced information security professionals. We advise on how best to ensure you’re not only meeting the Regulation now but will continue to comply in the future. Ultimately, this service helps your business to remain compliant with the complexities of the Data Protection Act 2018, reducing the chance of a data breach.

Why does my organisation need to comply with the GDPR?

If you collect any personal information you must adhere to GDPR

Research suggests that almost all UK businesses will collect personal information, ranging from personal email addresses to customer medical information.

It is a legal requirement

It is a legal requirement that personal data is stored securely and only used with permission. Failure to do so may result in both the reputational and the financial penalties associated with non-compliance with the Data Protection Act 2018.

You can mitigate the risks of a data breach, and maintain your reputation

It’s not just about keeping your business safe. GDPR compliance also helps you to maintain a strong reputation within your industry by showing an ongoing commitment to protecting the privacy of your clients, customers, employees, and stakeholders.


Does my organisation store and collect personal data?

Personal data can fall into two categories, ‘Personal Data’ and ‘Special Category Data’ (sometimes known as ‘sensitive personal data’):

Personal Data is any information that can be used to directly identify an individual, or information that can be used to identify an individual in combination with other information. Examples include name and surname, personal email address, and National Insurance number.

Special Category Data is considered to be more sensitive and likely to cause harm to the individual, and therefore can only be processed in more limited and tightly controlled circumstances. Examples include information about an individual’s sexuality, their political opinions, race and ethnicity, medical history, and biometrics.

If the data you store sounds like any of these, you must adhere to the Data Protection Act 2018 and the GDPR.


Consultancy options

We understand that every organisation will be at a different stage of compliance with the Data Protection Act 2018/GDPR, so our information assurance team can offer assistance in five key areas:

Scope of processing

To ensure that your organisation is operating in compliance with the Data Protection Act 2018 and the GDPR, you must first understand what personal data your business processes. We will help you to establish, document and justify the personal data processing activities that are performed by your organisation.

Our consultants are equipped with a practical understanding of data protection legislation and its application so we can provide reassurance that your processing activities are lawful, justified and appropriately documented.

GDPR gap analysis

A gap analysis will inform where there are shortfalls in compliance and where efforts must be concentrated to meet the requirements of the legislation. This can facilitate effective project planning, resource forecasting and budgeting.

Our consultants’ expertise in data protection legislation allows them to accurately assess your organisation’s current levels of compliance and provide pragmatic recommendations.

As a third party, we can also perform a gap analysis more efficiently and effectively than internal staff, who are likely to hold other responsibilities and may not be as familiar with the requirements of the Data Protection Act and the GDPR.


When it comes to implementing control measures, our team will work with your organisation to ensure the process is realistic and efficient. Our team will also ensure an independent and unbiased view of the suitability of the controls being implemented. As an example, our consultants can apply their expertise to develop data protection related policies, procedures and privacy notices, build registers of processing activities, and perform Data Protection Impact Assessments (DPIAs).

Continuous support

Because compliance with the DPA is an ongoing process, our consultants can provide continuing support, such as expertise on how to improve security controls and reviewing any business changes and their impact on your compliance obligations.

We can help you devise an effective continuous improvement programme that is appropriate for your organisation. Our experts provide you with specialist knowledge and resource capacity, enabling your workforce to concentrate on core operations.

Virtual Data Protection Officer

If you carry out certain types of data processing or your organisation is a public authority, you must appoint a Data Protection Officer (DPO) under the GDPR/DPA (2018).

Even if your organisation is not legally required to have a DPO because it doesn’t meet the threshold criteria, you must ensure that your organisation has appropriately designated staff to coordinate and manage activities, and sufficient resources to discharge your obligations under the UK GDPR. The voluntary appointment of a DPO will also demonstrate your organisation’s level of compliance, which will give your customers and employees peace of mind.


Why choose PGI?

Our team are passionate about data security and have closely followed the changes that took place as the Data Protection Act was transformed by GDPR. We have successfully supported many businesses to identify weak areas in their data processes and find pragmatic, cost-effective solutions to ensure they are adequately minimising the risk of data loss and misuse of information. We believe that compliance and security measures should be proportionate only to a client’s needs, not a blanket approach.
