
Privacy & data protection

For organisations that need privacy to work in practice - not just on paper.

Privacy has never been under more scrutiny.

Regulators under GDPR, UK GDPR, the Data (Use and Access) Act 2025, CCPA, CPRA, LGPD, PIPL, PDPA (Singapore), PDPA (Thailand), PIPA (South Korea), PDPA (Malaysia), KVKK (Turkey), and a growing wave of global frameworks are more active than ever. Customers are more aware. And the consequences of getting it wrong - fines, reputational damage, lost commercial relationships - have never been higher.


Our work is founder-led, drawing on board-level privacy and data governance leadership at a FTSE 100 organisation, senior roles within Fortune 500 legal and technology teams, and experience as a fractional CPO across regulated and high-growth environments. We know what good looks like from the inside - which means we build programmes that actually hold up.


Privacy is one of the few areas where getting it wrong is simultaneously a regulatory problem, a reputational problem, and a commercial problem.

Most organisations we work with aren't starting from zero. They have policies, they have a privacy notice, they may have a DPO. What they often don't have is a programme that actually runs in practice - one that could withstand a regulator walking in, a journalist asking questions, or a major customer doing due diligence.

The gap between having privacy documentation and having privacy governance is where most of the real risk sits. That's exactly the gap we close.


How we help

Governance for growth

We build the privacy and data governance foundations your organisation needs to operate responsibly and grow with confidence. That means clear accountability structures, mapped data flows, and governance frameworks that reflect how your business actually works - not just how it looks on paper. Our KYD (Know Your Data) methodology gives you genuine visibility over what data you hold, where it goes, and how it's used - the foundation for everything else.

Embedded and defensible

We turn privacy governance into something that works day to day. We embed controls into systems, processes, and teams so that when a regulator under GDPR or CCPA asks questions, when an auditor reviews your programme, or when a major customer asks for evidence of your approach, you can answer with confidence. Privacy as an operational reality, not a shelf document.

Staying ready

Privacy obligations don't stand still. GDPR enforcement is intensifying. US state privacy laws are multiplying. Global frameworks are diverging. We provide ongoing assurance, horizon scanning, and programme oversight - so you keep pace as regulation evolves and your data use grows.


What we do

Privacy governance and programme design: Strategy, frameworks, accountability structures, and the policies and standards that make privacy consistent across your organisation - aligned with legal, compliance, technology, and business teams.

Data strategy and governance: Data ownership, lineage, and flow mapping across systems, marketing, and analytics. Our KYD (Know Your Data) methodology provides structured data inventory and classification - giving you the visibility needed to govern effectively and respond confidently to regulatory requests.

Compliance and regulatory readiness: Gap analysis, audit readiness, and independent programme review. Cross-border data transfer compliance. Data subject rights. Horizon scanning across GDPR, UK GDPR, the Data (Use and Access) Act 2025, CCPA, CPRA, LGPD, PIPL, PDPA (Singapore), PDPA (Thailand), PIPA (South Korea), PDPA (Malaysia), KVKK (Turkey), and emerging frameworks.

Operational controls: Purpose limitation, retention and deletion, consent and tracking, incident and breach response, and third-party data governance - the controls that make privacy real rather than theoretical.

Fractional Chief Privacy Officer (CPO): For organisations that need senior privacy leadership without a full-time hire. This is a board-level engagement - strategic direction, regulatory and auditor engagement, and an independent point of challenge from someone who has held privacy leadership at FTSE 100 level and advised across banking, US technology, FMCG, workforce solutions, and high-growth startups.

This is not an administrative or DPIA service. It's the kind of senior presence that changes how an organisation thinks about privacy - and that can speak with authority to a regulator, an investor, or a board.

Engagements range from a standalone privacy deep dive through to retained monthly support at Foundation, Core, Extended, and Complex levels - with project and incident work available separately.


When we're done, you'll know where your data is, how it's used, and how to defend that position. Your privacy programme will run in practice, not just on paper. And when a regulator, auditor, or major customer asks hard questions - and they will - you'll be ready to answer them with confidence.