Our Services

72-hour ICO notification support. We contain, assess, report, and document breaches.

We have the expertise to effectively reduce the impact of a data breach and handle it in line with legal requirements and best practices.

Our 5-step process:

1. Immediate containment - Stop the breach, secure affected systems
2. Impact assessment - Determine scope, affected individuals, data categories
3. ICO notification - Meet the 72-hour deadline for reportable breaches
4. Individual notification - Draft and send notifications where required
5. Documentation & prevention - Complete incident log, implement preventive measures

When we help:

• Ransomware attacks
• Lost devices or documents
• Unauthorised access
• Email misdirection
• Third-party breaches

Available in: All tiers

Complete SAR handling from acknowledgment to redaction, meeting 30-day deadlines.

Handling data subject access requests can take significant time and resources. We bring expertise to manage these requests efficiently, helping your institution to operate smoothly.

What we do:

• Initial review - Validate request, confirm identity, clarify scope
• Data gathering - Coordinate across systems (MIS, CPOMS, email, SharePoint)
• Redaction - Remove third-party data, protect staff/pupil privacy
• Response preparation - Format data, draft cover letter
• Delivery - Secure handover within statutory deadline

SAR allowance by tier:

• Guidance: Guidance only
• Advisory: 5 redactions per year
• Comprehensive: Unlimited redactions

Timeline: 30 calendar days from valid request (with "stop the clock" provisions under DUAA 2025)

We maintain your Record of Processing Activities, ensuring DPA 2018 Article 30 compliance.

Keeping good records is vital and required by the Data Protection Act. We support you in staying compliant with legislation.

What we track:

• Processing purpose and legal basis
• Data categories and sources
• Recipients and transfers
• Retention periods
• Security measures
• Data processor contracts

How it works:

1. Annual review - We audit your systems and processes
2. Documentation - We update your ROPA in real-time
3. Integration - Links to your DPIA library and breach log
4. ICO-ready - Formatted for regulatory requests

Available in: Comprehensive tier

Data Protection Impact Assessments for high-risk processing, ICO-ready documentation.

DPIAs play a crucial role in compliance. Documenting risks and mapping data for new products or services helps to manage everything smoothly.

Our DPIA toolkit:

• DPIA Lite list - Pre-assessed low-risk systems (Guidance tier)
• Ready-made DPIAs - 20+ common systems (CPOMS, SIMS, Google Workspace, etc.) (Advisory & Comprehensive)
• Bespoke DPIAs - Custom assessments for new/complex systems (All tiers)

When you need a DPIA:

• New MIS or safeguarding system
• CCTV installation or expansion
• Biometric data processing
• Large-scale profiling
• Systematic monitoring

Turnaround: 5-10 working days

Freedom of Information guidance, exemption applicability, and public interest tests.

We support you with FOI requests and offer helpful advice on responding. We're committed to making the process smooth and straightforward.

What we provide:

• Request classification - Determine if FOI or EIR applies
• Exemption analysis - Identify applicable exemptions (s40 personal data, s41 confidence, etc.)
• Public Interest Test - Balance disclosure against harm
• Response drafting - Professionally worded responses
• 20-day deadline management - Timeline tracking and reminders

Common scenarios:

• Staff information requests
• Pupil data inquiries
• Budget/spending transparency
• Safeguarding incident details
• Performance data

Available in: All tiers

Your bridge to the Information Commissioner. Breach notifications and audit preparation.

We act as your helpful bridge to the Information Commissioner's Office, whether informing them of a major risk or sharing a concern.

What we handle:

• Breach notifications - 72-hour ICO reporting
• Audit preparation - Document review, gap analysis
• ICO correspondence - Response coordination
• Investigation support - Evidence gathering, witness preparation
• Enforcement action - Mitigation plans, representations

Our role:

• Named DPO on your policies and ICO registration
• First point of contact for ICO inquiries
• Strategic advice on disclosure decisions
• Representation (not legal counsel)

Available in: All tiers

Living documents that evolve with legislation. Annual reviews and automatic updates.

Maintaining a Data Protection Policy isn't just a formal requirement—it's essential for protecting rights. We ensure it stays up to date and effective.

Our Universal Policy System:

• 6 core policies - Data Protection & FOI, Privacy Notices, CCTV, Special Category Data, Retention, Acceptable Use
• Auto-customisation - Policies adapt to your institution type, size, systems
• Dual format - Legal version + plain-language companion (EAA compliant)
• Annual reviews - Legislative updates applied automatically
• Version control - Full audit trail of changes

What you get:

• Guidance: Policy review and guidance on existing policies
• Advisory: Bespoke policies + annual updates
• Comprehensive: Bespoke policies + quarterly reviews

Formats: Word (editable), PDF (distribution), Notion (live collaboration)

Engaging, practical data protection training for school staff. No death by PowerPoint.

Personalised training tailored to your needs. Whether in-person or online, we support you in the way that suits you best.

Training formats:

• Online sessions - 45-60 minute interactive training via video call (Advisory & Comprehensive)
• Face-to-face sessions - 45-60 minute on-site training at your school (Comprehensive only)

Topics covered:

• GDPR basics for education
• SAR and FOI handling
• Breach prevention and response
• Email security and phishing
• SEND and safeguarding data
• Social media and pupils
• Data sharing with external agencies

Frequency: Every 2 years (minimum); annual refreshers available

Baseline audit, gap analysis, and prioritised action plan. Know where you stand.

When you join us, we start with a friendly initial review. We work together to set a clear baseline and help you stay on top of compliance goals.

Our 4-Week Onboarding Process:

Week 1: Discovery 🔍

• Systems audit (MIS, CPOMS, email, cloud storage)
• Policy review
• Process interviews (SLT, DSL, office staff)

Week 2: Assessment 📊

• Compliance gap analysis
• Risk scoring (High/Medium/Low)
• Quick wins identification

Week 3: Action Plan 📋

• Prioritised roadmap
• Responsibility assignment
• Timeline agreement

Week 4: Implementation 🚀

• Portal setup
• Policy deployment
• Team training kickoff

Typical findings:

• Missing DPIA for key systems
• Outdated policies
• Unclear retention schedules
• Staff training gaps
• No breach response plan

Included in: All tiers (conducted within first 30 days)