Skip to content
Penby

Practitioner-led data protection and AI governance

Embedded in your operations. Accountable for your compliance.

Talk to us
Who you'll work with

Andy and Ola

Penby is the two of us. No juniors, no handovers, and the same two practitioners on your work from scoping to sign-off.

Andy Williamson, Founder of Penby

Andy Williamson MBCS

Founder & Principal Consultant

Thirty years advising regulated organisations, including investment banking, telecoms, and critical national infrastructure. BCS Practitioner Certificate in Data Protection. IAPP member.

Learn more about Andy
Ola Degteva, Marketing Analyst and Compliance Specialist

Ola Degteva MBCS

Marketing Analytics & Compliance

Ten years leading GDPR-compliant marketing analytics for regulated businesses. BCS Practitioner Certificate in Data Protection. MA in Teaching.

Learn more about Ola
What we do

Fractional DPO and AI governance

Editorial ink and wash illustration of a Georgian doorway — featured image for Fractional DPO services

Fractional DPO

Your data protection obligations require an accountable practitioner. A fractional Data Protection Officer fills that role, embedded in your operations and named to the ICO where required.

Learn more about fractional DPO Editorial ink and wash illustration of a modern glass building reflecting an older stone courthouse — featured image for AI Governance Consulting services

AI Governance Consulting

AI systems that process personal data carry regulatory obligations. Penby builds the governance frameworks, runs the impact assessments, and documents the decisions, before a gap becomes an incident.

Learn more about AI governance
Why Penby

Protection that builds trust

Beyond the fine

Data protection failures cost more than penalties. They cost contracts, partnerships, and trust. Penby is engaged to prevent that.

Continuity of counsel

The practitioner who scopes your engagement is the practitioner who signs off your DPIA. Nothing is relayed, re-briefed, or learned twice.

Before the incident, not after

Most organisations address data protection only after something goes wrong. Penby builds the governance that prevents it, covering UK GDPR through to emerging AI regulation.

Insights

Writing from the practice

View all

Begin with a conversation

An initial discussion of your obligations, your current exposure, and how Penby could support you. Without commitment.

Arrange a call