Abhishek Bansiwal

Services

What I can help you with.

Every engagement is scoped to your specific situation. No generic templates, no checkbox compliance. Below is a breakdown of what I do and how it typically works.

01

DPO Services

Qualified Data Protection Officer support, on your terms.

As a mandatory DPO under Art. 37(1)(b) GDPR, I understand what the role actually requires. I act as an appointed DPO — full-time, fractional, or interim — from formal appointment and regulatory correspondence through to ongoing programme oversight and staff guidance.

Deliverables

  • Formal DPO appointment documentation
  • DPO mandate and terms of reference
  • Regulatory correspondence (ICO, DPC, other DPAs)
  • Ongoing compliance oversight and reporting
  • Staff awareness and guidance

Best suited for

Scale-ups, SaaS companies, and SMEs that need a qualified DPO under Art. 37 or as a strategic governance measure.

02

DPIA & Transfer Impact Assessments

Risk-based assessments that stand up to regulatory review.

I conduct Article 35 DPIAs and Transfer Impact Assessments grounded in EDPB Recommendations 01/2020 (EU TIA) and ICO guidance (UK TRA). This includes assessing third-country legal frameworks — US (FISA §702, EO 12333, CLOUD Act), India (IT Act §69, DPDPA 2023), and others — with documented supplementary measures where needed.

Deliverables

  • Full DPIA report (risks, mitigating actions, DPO sign-off)
  • EU TIA under EDPB 6-step methodology
  • UK Transfer Risk Assessment (ICO guidance)
  • Supplementary measures documentation
  • Legitimate Interest Assessments (LIAs)

Best suited for

Platforms processing sensitive data, large-scale monitoring, or transferring data outside the EEA/UK.

03

International Data Transfer Documentation

Transfer documentation that covers every route and module.

International transfers require precision — the wrong module, a missing docking clause, or an unaddressed transfer route creates real regulatory exposure. I draft and negotiate the full documentation suite: IGDTA incorporating EU SCCs (Decision 2021/914) across all applicable modules (C2C, C2P, P2SP), UK IDTA, India Accession Agreements, and third-party DPAs.

Deliverables

  • EU SCCs (Decision 2021/914) — correct module selection
  • UK IDTA and Addendum
  • India Accession Agreement (Docking Clause)
  • Integrated Global Data Transfer Agreement (IGDTA)
  • Supplementary measures and TOM annexes

Best suited for

Companies with EU→US, UK→US, EU→India, or similar international transfer routes.

04

GDPR Article 42 Certification

EuroPrivacy certification from end to end.

Leading a GDPR Art. 42 certification programme means far more than filling in a checklist. I manage the full lifecycle — defining the Target of Evaluation, scoping the certification perimeter, preparing all certification documentation, coordinating with certification consultants and auditors, and ensuring your product meets the standard across every applicable jurisdiction.

Deliverables

  • Target of Evaluation definition
  • Certification scope documentation
  • Pre-audit gap assessment
  • Auditor liaison and evidence packs
  • Post-certification maintenance plan

Best suited for

B2B SaaS platforms seeking market differentiation through certified GDPR compliance.

05

AI Privacy Advisory

Privacy expertise applied to AI features and AI training data.

AI features create privacy questions before they create AI Act questions — what data trains the model, what data goes in at inference, what users are told, and whether a DPIA is triggered. I bring established privacy expertise to AI features, with AI Act readiness scoping as an emerging capability that I partner on with dedicated AI compliance specialists for deeper conformity work.

Deliverables

  • DPIA for AI features (where Art. 35 is triggered)
  • Data minimisation and lawful basis review for model training data
  • Transparency and Art. 13/14 notice review for AI features
  • AI system inventory and risk-classification scoping
  • Referral and co-working with AI compliance specialists for deeper AI Act obligations

Best suited for

SaaS platforms shipping AI features that need privacy work done now and clarity on what AI Act readiness will require next.

06

Privacy Operations & DSAR Management

High-volume privacy ops that actually hit SLAs.

Privacy operations break down in practice when intake is unclear, SLAs aren't tracked, and handoffs between teams aren't documented. I design and implement DSAR programmes that scale — from intake triage and identity verification through to response drafting, SLA tracking, and backlog clearance.

Deliverables

  • DSAR intake and triage process design
  • SLA/KPI framework and tracking dashboards
  • Response templates and guidance
  • SOP documentation
  • Backlog reduction programme

Best suited for

B2C and B2B platforms facing high DSAR volumes, ICO complaints, or compliance audit pressure.

07

Privacy by Design & Privacy Engineering

Privacy embedded where it matters — in the product.

Privacy by design isn't a box to tick at the end of a sprint. I work cross-functionally with Product, Engineering, and Support teams to embed privacy controls into the development lifecycle — data flow mapping, data minimisation reviews, and privacy-aware feature design.

Deliverables

  • Data flow mapping and inventory
  • Privacy review for new features (pre-build)
  • Data minimisation and retention recommendations
  • Privacy notice drafting and review (Art. 13/14)
  • ROPA development and maintenance

Best suited for

Product and engineering teams building or scaling data-intensive features.

08

Compliance Artefacts & Policy Review

Documentation that closes gaps, not just fills pages.

Compliance documentation is only useful if it reflects actual practice and covers every legal requirement. I draft, review, and remediate privacy notices, cookie policies, retention schedules, ROPAs, and DPAs — identifying gaps against GDPR, UK GDPR, CCPA, and HIPAA with specific, actionable findings.

Deliverables

  • Privacy notice review and drafting (Art. 13/14 compliance)
  • Cookie policy review and remediation
  • Retention schedule development
  • ROPA (Record of Processing Activities)
  • Art. 28 DPA drafting and negotiation

Best suited for

Companies preparing for audits or certification, or responding to regulatory enquiries.

Not sure which service fits?

Book a free 30-min call. We'll talk through your situation and I'll tell you honestly what you need — even if it's not something I offer.
