Embedded in your operations. Accountable for your compliance.
No juniors, no handovers, and the same two practitioners on your work from scoping to sign-off.
Founder & Principal Consultant
Thirty years advising regulated organisations, including investment banking, telecoms, and critical national infrastructure. BCS Practitioner Certificate in Data Protection. IAPP member.
Learn more about Andy
Marketing Analytics & Compliance
Ten years leading GDPR-compliant marketing analytics for regulated businesses. BCS Practitioner Certificate in Data Protection. MA in Teaching.
Learn more about Ola
Engagements run in three stages:
Diagnose · Build · Transfer.
A DPO embedded in your operations, named to the ICO.
Your data protection obligations require an accountable practitioner. A fractional Data Protection Officer fills that role, embedded in your operations and named to the ICO where required. No escalation to a partner you'll never speak to. The practitioner who advises you is the practitioner of record.
Learn more
Governance for the AI systems your organisation uses.
AI systems that process personal data carry regulatory obligations. We work with you to build your governance frameworks, complete impact assessments, and document the decisions before a gap becomes an incident. Covering UK GDPR through to emerging AI regulation.
Learn moreMost fractional DPO engagements run as continuous custody, with the provider retained indefinitely. Penby is built around a finite build phase that ends with operational ownership inside your team.
The practitioner who scopes your engagement is the practitioner who signs off your DPIA. Nothing is relayed, re-briefed, or learned twice.
Guides
Guides
Guides
An initial, no-commitment discussion of your obligations, your current exposure, and how Penby could support you.
Arrange a call