Specialist UK GDPR compliance for SMEs. Banking-grade data protection experience, applied to your organisation as a named, accountable DPO at human scale.
Eight years at the data protection function of a top-five UK bank. Built around continuity of relationship — the person who writes the services agreement is the person who attends your governance meetings and signs your assessments.
Most UK SMEs know they have obligations under the UK GDPR. Few have the specialist resource to manage them with confidence. The four most common patterns I encounter:
Data protection responsibility falls to whoever has time — often a director already stretched across the business. The ICO expects more.
Subject access requests carry a one-month statutory deadline. Without a process, they become a compliance crisis waiting to happen.
When a breach occurs, you have 72 hours to assess and notify the ICO. Without a plan, panic replaces process.
The DUAA, new complaint handling requirements from June 2026, evolving ICO guidance — keeping up is a full-time job.
I assess your compliance posture against the ICO's Accountability Framework, identify gaps, and map your processing activities. Output: a written baseline against which everything else is measured.
You receive a prioritised plan — policies, procedures, training, breach preparedness — with clear timescales and ownership. The plan is sequenced so quick wins land first and structural work follows.
Your retained DPO manages compliance continuously: DSARs, incidents, advisory, training, governance, and regulatory monitoring. The relationship is embedded, not transactional.
Flexible services that scale with your organisation — from a full retained DPO function to standalone compliance projects.
A named DPO embedded in your governance — available when you need them, at a fraction of the cost of hiring. Three tiers, fixed monthly fees, agreed at engagement.
A structured assessment against the ICO's Accountability Framework with a prioritised action plan. The fastest way to know where you stand.
Incident response from detection through ICO notification, data subject communication, and root-cause analysis. Available on retainer or as a standalone engagement.
Support with end-to-end handling of data subject rights requests within the statutory timescale. From triage to response, with full evidential record-keeping.
UK-specific data protection awareness training — live, recorded, or e-learning — tailored to your sector. Reviewed and signed off personally.
Privacy notices, data protection policies, DPIAs, DPAs, retention schedules — everything the ICO expects, written for the people who actually use them.
Eight years of data protection in UK banking — managing high-volume DSARs, dual FCA/ICO reporting, international transfers, and breach response at scale. That depth of experience is what separates this consultancy from generalist providers.
Most SMEs do not need banking-grade compliance machinery. They need access to the judgement that comes from having operated it.
Special category data, safeguarding overlays, CQC and ICO dual reporting, complex DSARs across clinical records.
FCA-and-ICO dual reporting, banking-grade DSAR handling, breach response under regulatory scrutiny — direct sector experience.
Article 28 processor compliance, AI and Article 22 obligations, evidence the procurement teams of your enterprise clients require.
The sector with the highest density of UK GDPR failure modes — candidate data, retention windows, lawful bases.
Vulnerable beneficiary data, trustee-led governance, funder data sharing — informed by trustee experience on multiple boards.
Solicitors, accountants, surveyors, IFAs. Conflict-checking, retention against the Limitation Act, dual controller-processor compliance.
Children's data under the ICO's Age Appropriate Design Code, safeguarding records, parental consent, SEN data sharing.
Organisations of 10–250 employees with a meaningful UK GDPR footprint. Engagement is referral-led where the brief is genuinely substantive.
Eleven assessment areas mapped to the ICO's Accountability Framework, returned as a written report with a prioritised action plan. The right starting point for most organisations — and the way most retainers begin.
Most engagements come through referral. If a colleague, adviser, or board peer has suggested you reach out, the easiest first step is a thirty-minute conversation — no charge, no obligation.
Use the intake form to start. A short intake is the entry point — name, email, phone, and the nature of your enquiry. Once you have submitted, you will receive a follow-up email confirming next steps within one working day.
The form takes under two minutes. After you submit, I will respond within one working day with the right next step for your situation.