A two-person practice, engaged directly
Experience across investment banking, telecoms, critical national infrastructure, and regulated digital marketing.
Credentials
Founder & Principal Consultant
Andy Williamson MBCS
Three decades in environments where getting data wrong has serious consequences. Risk management systems for Commerzbank and Dresdner Bank. Billing infrastructure for Vodafone Germany and Orange. Database systems for London Transport and National Rail. Investment banking, telecoms, and critical national infrastructure. All heavily regulated. All demanding that data handling and system compliance be correct first time.
Andy holds the BCS Practitioner Certificate in Data Protection, the primary UK-recognised qualification for Data Protection Officers, and is an IAPP member. He is currently studying for the AIGP (Artificial Intelligence Governance Professional) certification.
The thread runs further back than most expect. Seven years in the British Army, vetted to Positive Vetting level and trusted to work in environments processing classified NATO data. That early grounding in information security and handling sensitive material carried through into investment banking, telecoms infrastructure, financial services, and ultimately into dedicated data protection practice. He understands how organisations actually handle sensitive data, not just what the regulations require.
What the credentials mean
Issued by the British Computer Society, the chartered institute for IT professionals in the UK. This is the standard professional qualification for practising Data Protection Officers, covering UK GDPR, the Data Protection Act 2018, and practical DPO responsibilities.
The International Association of Privacy Professionals is the world's largest privacy community. Membership signals active engagement with global privacy developments, standards, and professional practice.
Marketing Analytics & GDPR-Compliant Tracking
Ola Degteva MBCS
Over ten years in digital marketing, with a specialism in GDPR-compliant tracking architecture and consent management. Ola holds the BCS Practitioner Certificate in Data Protection and the IDM Award in GDPR. She works across the consent technology stack – Cookiebot, OneTrust, TrustArc, Usercentrics – building privacy-first tracking infrastructure that remains measurable within regulatory constraints.
Her work spans enterprise clients across the UK, France, and Germany: Google Consent Mode V2 deployment, cross-domain tracking configuration, and the technical integration work that keeps marketing operations legally compliant. Before Penby, she spent five years in expatriate financial services and led her agency team to Google Partner status.
Ola brings nine years of teaching experience alongside her compliance work. That background shows in how she translates complex regulatory requirements for non-specialist audiences. She runs training sessions for agency staff and client teams on consent management and data protection obligations, and produces the SOP documentation that makes compliance repeatable. She understands what marketing teams actually do with data. Her governance advice is grounded in that operational reality.
The Penby approach
Penby is two practitioners by design. A small practice produces closer engagement, faster decisions, and clearer accountability than a rotating team can. The person scoping your engagement is the person writing your documentation and presenting to your board.
Penby uses AI to extend what two practitioners can do. It processes complex regulatory frameworks, maps data flows, and prepares documentation with a thoroughness that would otherwise require a much larger team. Human judgement remains with the practitioners. The result is governance work at the standard the largest firms deliver, from a practice built on senior expertise rather than scale.
Every engagement begins with how your organisation actually handles data: the systems, the people, and the risks specific to your operations. Penby builds the governance around that reality and stays to maintain it as your organisation and the regulatory landscape evolve.
Begin with a conversation
An initial discussion of your obligations, your current exposure, and how Penby could support you. Without commitment.