Most engagements begin with the free compliance snapshot. The assessment runs against the ICO Accountability Framework — around 200 questions across the eleven Framework areas plus AI Governance — and produces a written snapshot you keep, yours regardless of what happens next.
An assessment running against the ICO's Accountability Framework — around 200 questions across the eleven Framework areas plus AI Governance. Each question covers a specific aspect of UK GDPR readiness: accountability and governance, lawful basis, data subject rights, transparency and consent, security, breach response, transfers, AI governance, and the rest. The assessment takes 45–60 minutes to complete properly.
Your responses generate a written compliance snapshot — typically seven pages — covering where your organisation stands across each area, with each area scored and the highest-priority gaps surfaced. The snapshot is delivered shortly after submission and is yours to keep regardless of what happens next.
The snapshot is generated automatically from your responses, against a framework I designed and validate. The framework is reviewed against current ICO guidance and updated as regulation moves. The framework reflects my professional judgement; the per-prospect snapshot is the structured output of that framework applied to your specific responses.
A 30-minute call with me to walk through the snapshot output. The conversation is genuinely advisory — what the snapshot shows, what matters most for your organisation specifically, and what a sensible next step looks like in your circumstances. Honest advice, even if that advice is that no engagement is currently warranted.
Most calls end in one of three places: the granular gap analysis (most common, where the snapshot has surfaced gaps that warrant substantive remediation), a more limited project engagement (where one specific area needs work but ongoing support is not required), or no engagement at all (where the snapshot has demonstrated that the organisation's posture is already sufficient for its current circumstances).
The call is direct with me — not a sales conversation. No automated follow-up sequence, no marketing list signup, no pressure to engage. If the next step is to step away, that is also a valid outcome.
A detailed gap analysis report against the full ICO Accountability Framework — line by line, prioritised, with practical remediation steps for each gap identified. Where the snapshot scores broadly, the gap analysis goes deep. The report is the substantive paid product that follows the free assessment, and it is the natural lead-in to a retained engagement.
The gap analysis is where my substantive judgement is applied to your organisation specifically. Each gap is examined in the context of your actual data flows, your sector, your size, and your risk profile. Remediation steps are sequenced to reflect what is most important first, and the report is signed in person.
The gap analysis can be the end of the engagement — a complete piece of work delivered as a one-off product, providing your organisation with a clear remediation plan it can execute internally. It can also be the input that scopes a retainer engagement, since the work needed to scope a retainer properly is the same work the gap analysis already does.
£1,500 + VAT is the published price. Fixed fee, fixed deliverable, fixed timeline.
The snapshot scores your organisation across the eleven areas the ICO uses to assess compliance maturity, plus a twelfth area covering AI governance. Every assessment in the consultancy is structured around the same framework — including this one.
Governance arrangements, board accountability, and senior management responsibility for data protection.
Written policies covering all aspects of personal data processing, with appropriate review cycles.
Staff training programmes appropriate to roles, and ongoing awareness of data protection obligations.
Article 30 records — what you process, why, lawful basis, retention, and recipients.
Identification of high-risk processing, DPIA process, and consultation with the ICO where required.
Documented lawful bases for all processing, with consent records where consent is the basis relied upon.
Process for handling data subject access requests, rectification, erasure, and objection — within statutory timing.
Privacy information provided to data subjects, including the requirements of Articles 13 and 14.
Technical and organisational measures appropriate to the risk — Article 32 obligations.
Detection, containment, notification decisions, and ICO and data subject communication.
Lawful basis for transfers outside the UK, transfer risk assessments, and standard contractual clauses where used.
Identification of AI systems processing personal data, lawful basis and Article 22 considerations, transparency obligations, and emerging requirements under the EU AI Act where applicable.
The assessment takes 45–60 minutes. Your responses are processed against the framework and the snapshot is delivered shortly after submission.
1. You complete the assessment. Around 200 questions across the eleven Framework areas plus AI Governance. Most prospects complete it in 45–60 minutes. Progress is saved as you go; you can complete it across multiple sittings if needed.
2. The snapshot is generated. Your responses are scored against the framework and the snapshot PDF is delivered to your email shortly after submission. Approximately seven pages.
3. I make contact. With an offer of the no-obligation 30-minute call. You decide whether to proceed.
The assessment form opens in a new view. Your responses are stored securely under the consultancy's privacy notice.
If you would rather have a short conversation before committing to the assessment, book a free 10-minute chat with me. No obligation, no preparation required — a quick call to talk through your situation and whether the assessment is the right next step.