Data Security & GDPR.

Who it's for

Charities handling sensitive beneficiary data — safeguarding cases, health, immigration status, minors — with no in-house DPO.

The problem we solve

You're one subject access request away from a real problem. Trustees are asking about ISO 27001 and Cyber Essentials, and Google isn't a policy pack.

What you get

  • DPIA and record of processing activities (ROPA)
  • Privacy notice, retention schedule and breach playbook
  • Access controls and MFA rollout plan
  • 90-minute staff training (recorded)
  • Cyber Essentials readiness review
  • Trustee board briefing document

How it works

  1. Assess

    Half-day discovery covering data flows, systems, third parties and current controls.

  2. Author

    Policies drafted against ISO 27001 controls — plain English, not lawyer-speak.

  3. Enable

    We train your team, brief your board, and leave you audit-ready.

Common questions

Everything trustees usually ask.

Do you provide ongoing DPO cover?

Yes — a fractional DPO retainer is available from £250/month.

Are you a lawyer?

No, we're not a law firm — we build the operational side of GDPR. For legal opinions we partner with charity-sector counsel.

Cyber Essentials certification?

We prepare you for it and refer to an accredited certifying body.

What if we already have policies?

Great — we review, harmonise, and fill the gaps rather than starting over.