Three retainer tiers, distinguished by the hours included each month. The substantive scope is the same across all three: a named DPO on the ICO register, regulatory monitoring, advisory time, and ongoing governance. Beyond the retainer, the £1,500 gap analysis and additional-rate work are available for one-off engagements.
Tiers differ in the hours included each month, not in the substance of the engagement. Every retained client gets the same scope of professional service — and the same person delivering it.
Formal appointment as your organisation's Data Protection Officer, recorded with the Information Commissioner's Office. The person of record under Article 37 UK GDPR — accountable, contactable, and identified to the regulator. Not advisory cover; an actual appointed DPO.
The substantive Article 39 duties carried as standard: informing and advising on obligations, monitoring compliance, providing guidance on DPIAs, cooperating with the ICO, and acting as the contact point for the regulator and for data subjects on request.
Ongoing tracking of UK GDPR developments, ICO guidance, the Data (Use and Access) Act 2025 implementation, and sector-specific regulatory changes. You are told what matters for your organisation as it happens, not when it appears in a quarterly newsletter.
If something goes wrong, I am reachable. Initial assessment, containment guidance, notification decision support, and ICO communication where required. The retainer includes the response capacity itself; substantial breach investigation work is at the additional rate.
Guidance on running data subject access requests correctly, including the structural decisions, redaction approach, and statutory timing. The actual DSAR work remains with your team because it is resource-intensive; the retainer ensures the work is done correctly and to the required standard.
A formal annual review of your data protection posture, signed off in person, ready for board reporting. The standing audit-readiness check that demonstrates compliance maturity to regulators, insurers, professional referrers, and prospective clients.
The meaningful difference between tiers is the hours included each month — and therefore the price. Tier names are calibrated to organisation scale and to how much ongoing data protection work the engagement is expected to involve.
For smaller SMEs with well-bounded data processing. The retainer covers the named DPO appointment and the substantive duties; included hours are sufficient for routine advisory work and standing governance.
For growing SMEs where data work has structural weight. The tier most engagements settle at — sufficient hours for active advisory work, project input on new processing, and material breach response without immediately moving to overflow.
For established SMEs where data protection is a board-level concern. Sufficient hours for substantive ongoing engagement, regular governance presence, and meaningful project input. The tier suited to organisations with FCA-regulated activity, complex international transfers, or sustained regulatory exposure.
Two categories of work sit outside the retainer hours: substantive one-off projects with a defined scope (handled at a fixed price), and additional ad-hoc advisory time where retained hours have been used (handled at the published hourly rate).
A detailed gap analysis report against the ICO Accountability Framework — line by line, prioritised, with practical remediation steps. The substantive paid product that follows the free compliance snapshot. Available as a standalone engagement, or as the natural lead-in to a retainer.
This is the work that needs to happen anyway to scope a retainer properly — delivered as a product in its own right, with a fixed price and a defined deliverable.
Where retained hours have been used and additional advisory time is needed in the month, time is billed at the published hourly rate. The same rate underwrites the tier pricing, applied transparently when work runs beyond the included hours.
No surprises, no markup, no premium for being outside the retainer. The hourly rate is what the time is worth, applied transparently.
Specific projects scoped and priced individually: full DPIAs on novel processing arrangements, breach investigation and reporting on substantial incidents, training pack development for staff, custom advisory work beyond routine. Scoped following the free assessment or initial conversation.
Data subject access requests are resource-intensive and remain with your team. The retainer ensures DSARs are run correctly — structural advice, redaction approach, statutory timing, sign-off where DPO sign-off is required. Substantial DSAR engagements are handled at the additional rate or scoped as project work.
Tailored training packs for general staff, line managers, and board members. Built around your organisation's specific data flows and obligations rather than generic GDPR content. Available as a one-off engagement or as a recurring annual programme.
Most engagements begin with the free compliance snapshot, not with the services page. The snapshot is what makes a sensible conversation about retainer or project work possible.
From the gap analysis, organisations that benefit from continuing engagement move to the appropriate retainer tier. The decision rests on the gap analysis output — a deliberate decision, made with clear evidence of what the engagement would cover.
If you are evaluating tier fit or considering a one-off engagement, the intake form is the way in. If you would prefer to start with the free compliance snapshot, the assessment page is the route.
No automated marketing. No follow-up sequence. No surprises.
The snapshot is the entry route for compliance assessment. The intake form is for general queries — referrals, retainer interest, specific questions, anything that doesn't fit the snapshot route.