Fractional DPO
A fractional DPO engagement that builds operational data protection inside your organisation and hands it over when your team can run it. The DPO mandate itself continues with Penby on the advisory retainer.
Most fractional DPO engagements run continuously, with the provider retained indefinitely while the organisation watches from outside. The Penby engagement is built around two structurally distinct halves. The build phase produces the operational data protection programme (records of processing, security, breach detection and initial response, training, subject-rights workflows), transferred to your team to run at the end of the build. The DPO mandate is retained: Penby continues as the experienced hand on call for regulatory change, breach response, DPIA support, ICO interaction, complex SARs.
What a fractional DPO does
Regulatory liaison with the Information Commissioner's Office, including incident notification, ICO enquiries, and supervisory authority correspondence on your behalf.
Data Protection Impact Assessments for new systems, processes, and high-risk processing activities.
Reviewing your Record of Processing Activities and ensuring lawful bases are documented and defensible.
Breach management: from initial detection through ICO notification within 72 hours to remediation and post-incident review.
Staff awareness training built around how your team actually handles personal data.
Governance advice on new projects, systems, and partnerships at design time.
How the engagement works
Diagnose
Penby begins with a practitioner-led review of how your organisation handles personal data: the processing activities, existing policies, system configuration, and the operational risks specific to your sector. The output is a written gap report, named and scoped upfront, that your team takes away. The diagnostic stands whether or not the engagement continues into the build.
Build
Penby works alongside your team to build the operational data protection programme inside your organisation: records of processing, security, breach detection and initial response, training, and subject-rights workflows. Documentation lives in your systems, not in a Penby deliverable folder. Your people learn the operational mechanics by doing the work, with Penby as the practitioner alongside them.
Transfer
Operational ownership of the data protection programme transfers to your team. Sign-off measures whether the people who will run the programme day to day can run it without Penby in the room; documentation completeness is not the sign-off criterion. The build phase ends when the takeover team is operationally capable.
The Transfer stage hands over the operational programme. The DPO role itself is structurally distinct, and what happens to it depends on how your organisation is set up. Under GDPR Article 38, the DPO must be independent of the build side and of any role that determines what personal data the organisation processes and how. That rule typically excludes the people most often suggested for the role internally (Heads of Compliance, Legal, Risk, HR, Information Security), because they cannot independently audit the data processes they own.
In the typical engagement, Penby continues as the appointed DPO on the advisory retainer while your team owns the operational programme. Internal appointment is possible where the independence test is satisfied; the result depends on the assessment of the specific role.
Named practitioners
Penby is two named practitioners: Andy and Ola. The practitioner who scopes your engagement is the practitioner who reviews your DPIAs, fields ICO enquiries, and sits across the table from your board. Nothing is relayed across a rotating team.
Andy is your DPO. He spent three decades in regulated environments (investment banking, telecoms, critical national infrastructure), working as a consultant: diagnose the problem, build the solution, transfer administration to the in-house team. GDPR Article 38 takes most technically-deep professionals out of the DPO role because they hold a build-side mandate; the rule keeps the DPO independent of the work being audited. Andy stepped back from systems architecture to take the DPO seat. The role shifted from implementer to auditor, and the technical depth came with him. That depth is what makes the embedded engagement model deliverable: your organisation can take operational ownership of the data protection programme because its DPO understands what its technical team actually does. Andy holds the BCS Practitioner Certificate in Data Protection and is an IAPP member. He is studying for the AIGP.
Ola is the second named practitioner. She spent over ten years in digital marketing with a specialism in GDPR-compliant tracking architecture, building lead-generation funnels, configuring consent platforms, verifying cookie behaviour with browser inspectors, and proving compliance through analytics. Underneath the marketing-operations career runs an instructional-design specialism: a degree in language teaching, eight years teaching, and a Master's in English Language Teaching focused on course design for distinct study groups. She has spent a decade applying instructional design on training programmes for marketing-agency teams and clients including Lincolnshire Council, Lavazza, and Energy Cell. The combination is what makes the Transfer stage effective in practice. When operational ownership of your data protection programme passes to your team, the people who will run it day to day get training designed around what they already know and the work they actually do. Ola holds the BCS Practitioner Certificate in Data Protection and the DMA GDPR Qualification, and is an MBCS member.
Two operational commitments follow. We act as your named DPO on your ICO notification register; we are your contact point for ICO communications. Our advisory retainer carries a four-hour response SLA, honoured by us directly.
Most DPOs come from the legal or governance side of the discipline; few have built and operated the systems they now govern. The dual MBCS and BCS Practitioner Certificates across two practitioners, alongside Andy's Article 38 pivot from build-side to DPO and Ola's instructional-design specialism, are structurally uncommon. The four-hour SLA and audience-specific takeover-team training are committable because two-person scale makes them committable.
Engagement shapes
Engagements take one of three operational shapes.
Build-and-transfer engagement
The Diagnose · Build · Transfer arc, run as a single engagement. Scoped upfront against the diagnostic gap report, with defined exit criteria measured by your team's operational capability at handover. The shape is finite; the build phase ends.
Advisory retainer
Penby retained as your DPO after the build phase ends. The four-hour response SLA covers regulatory change, breach response, DPIA support, ICO interaction, complex SARs. The shape is open-ended; the scope is defined.
Defined-scope project
A single deliverable, scoped upfront. Typical examples: a DPIA on a new system, an AI governance gap audit, a board-level briefing, an instructional-design takeover-team training programme. The shape ends at delivery; the scope is the deliverable.
Why the engagement is structured this way
The dominant commercial model in DPO services rewards continuous custody. The provider runs the governance from outside, the organisation pays the retainer indefinitely, and the engagement has no structural endpoint. When that engagement ends, whether by provider exit, contract lapse, or the relationship running its course, the organisation is left without internal workflow, without documentation it can defend without the provider, and without practitioner judgement in the team. The engagement has produced a cost, not a capability.
The pattern is not provider incompetence. Continuous-retainer commercial economics produce the outcome predictably: the model rewards holding the client's operational capability rather than transferring it. Providers operating that model are operating their commercial structure rationally. The outcome for the client is what the model produces.
Penby is structurally outside that model by construction. The build phase ends. Operational ownership of the data protection programme transfers to your team. The advisory retainer carries the separate DPO mandate. The commercial structure rewards moving capability rather than holding it.
Who this is for
This engagement suits organisations where data protection responsibilities have outgrown internal capacity. That includes public sector bodies with a statutory obligation under UK GDPR Article 37 to appoint a DPO, and SMEs whose risk profile justifies senior oversight but does not yet warrant a full-time appointment.
Begin with a conversation
An initial, no-commitment discussion of your obligations, your current exposure, and how Penby could support you.
Arrange a call