Each tier is a committed number of hours per month at a fixed monthly retainer fee. Hours are used flexibly across DPO duties — governance, advisory, DSAR support, breach response, documentation. The right tier is determined by the scale of your data footprint and the regulatory exposure of your sector. The compliance health check is the quickest way to know which.
The retainer is structured the way professional services should be: a committed monthly fee for a defined number of hours, with overflow at a published hourly rate. You know what you are buying and you know what the worst case looks like financially.
Each tier has a stated number of hours per month — used flexibly across DPO duties as your situation requires. Quiet months give you headroom; busy months use the budget you have already paid for.
If a month exceeds your committed hours — typically because of a breach, a complex DSAR, or an unexpected DPIA — the overflow is billed at a published hourly rate, agreed in writing at engagement. No surprises.
Some elements are part of the retainer relationship itself, not the hours commitment: named DPO designation, ICO registration as your DPO contact, and breach triage within four working hours. These do not draw down your monthly hours.
You can move up or down a tier with one month's notice. Most clients start at the tier suggested by their Health Check; some scale up after the first quarter once we both understand the actual workload.
Choose the tier that fits the time your organisation realistically needs each month. The Health Check report includes a recommendation; most clients land within one tier of that recommendation after their first quarter.
Retainer fees are calibrated to the scale and complexity of each engagement — and to the right outcome being a long, productive relationship rather than a transaction. The fixed monthly fee, the hourly rate for overflow, and the indicative hours commitment are all confirmed in writing as part of the services agreement before the engagement begins.
The tier indication and a tailored fee proposal follow the initial conversation — typically within one working day of the intake form being completed.
Every engagement follows the same path. The structure ensures that the scope, the commitment, and the cost of each element are agreed in writing before any meaningful effort is committed.
A thirty-minute call after you complete the intake form. We discuss your organisation, current arrangements, and whether the consultancy is the right fit. No charge, no obligation either way.
The eleven-area assessment, returned as a written report with a prioritised action plan and a tier recommendation. Fixed fee at £1,500, fully credited against any retainer that follows.
Based on the Health Check findings, a written proposal — recommended tier, monthly retainer fee, hourly overflow rate, and a description of how the hours are likely to be used in the first quarter.
Services agreement signed. The retainer commences from the first of the following month. The agreed cadence of governance, documentation, and review begins immediately.
Discrete project engagements — available to retainer clients (drawing on hours or quoted as additional work) and as standalone commissions for organisations not yet on a retainer.
DPIA screening, full assessments, and ICO consultation advice for high-risk processing — including AI, cloud migration, and new technology adoption. Delivered to ICO methodology with stakeholder engagement.
Due diligence assessments, Article 28 data processing agreements, sub-processor management, and international transfer assessments. Built to satisfy enterprise procurement scrutiny.
Transfer Risk Assessments, UK IDTA and UK Addendum implementation, supplementary measures, and transfer mapping across your supplier estate. Banking-grade methodology applied at SME scale.
Point-in-time assessment against the ICO's Accountability Framework producing findings, risk ratings, and a prioritised remediation plan. The starting point for most engagements.
For organisations that need a specific piece of work delivered well rather than an ongoing relationship. Each is a fixed-fee engagement with a defined scope and a written deliverable.
The eleven-area assessment, returned as a written report with prioritised action plan. The fastest way to know where you stand. Fully credited against any retainer that follows — effectively free for clients who go on to retain.
A complete Data Protection Impact Assessment for a defined processing activity, delivered against ICO methodology with stakeholder engagement.
A complete Records of Processing Activities document for an organisation without one — discovery, drafting, validation, and embedding.
A standalone review of how subject access requests are received, handled, and responded to. Written report, recommendations, draft templates.
Transfer Impact Assessment, SCC review, and supporting documentation for organisations with non-UK processors or controllers.
A 90-minute facilitated session for the senior team or the whole organisation. Sector-tailored, with materials retained for ongoing reference.
72-hour SLA breach response — triage, assessment against the notification threshold, ICO liaison, root-cause analysis, and remediation. Available as a standalone retainer for organisations not on a full DPO retainer.
Privacy notices, data protection policies, retention schedules, DPAs — written for the people who actually use them, mapped to ICO Accountability Framework requirements.
Retainer fees are calibrated to the scale and complexity of your organisation. Standalone product fees are fixed against a defined scope. Out-of-scope work is always quoted separately before any commitment is made.
No hourly billing without an agreed rate. No scope creep. No surprise invoices. You will know what an engagement costs before you commit to it.
Tell me about your organisation through the intake form. Within one working day I will respond — typically with an introductory call slot and an indicative tier recommendation.