Data Protection & Privacy
Data protection and privacy risk affects every organisation, from charities and SMEs to large, complex bodies. Organisations are expected to handle personal data lawfully, securely, and transparently, while being able to demonstrate compliance with the UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025, PECR, and regulator expectations. Failures can lead to regulatory action, loss of trust, financial penalties, and lasting reputational damage.
Durrant Riley Advisory provides bespoke data protection and privacy support, combining strategic oversight, practical implementation, and independent assurance. Every engagement is tailored to your organisation, how you use personal data, and your risk profile.
Some organisations come to us for Board-level privacy assurance and governance; others for hands-on support implementing controls, managing data risks, or responding to incidents and regulatory engagement. Many use a combination of services over time as their data use, technology, and risk exposure evolve.

Strategic Service
Data Protection & Privacy Strategy, Governance & Assurance
This service provides confidence that personal data is managed properly.
We help Boards and senior leaders understand how personal data is used across the organisation, where the highest privacy risks sit, and whether governance and controls are effective and defensible. The focus is on proportionate compliance that supports service delivery rather than obstructing it.
Why this is good for you
- Clear visibility of privacy risks and obligations
- Board-level assurance over a high-risk regulatory area
- Stronger accountability and decision-making
- Greater confidence during ICO engagement, audits, or inspections
Best for: Boards and leadership teams seeking assurance that data protection arrangements are robust, proportionate, and regulator-ready.

Foundations: Privacy Frameworks, Policies & Records
This service establishes clear, practical privacy foundations.
We support the development or review of data protection frameworks, policies, and core documentation, ensuring they reflect how your organisation actually handles personal data. This includes clarifying roles, responsibilities, and escalation routes.
Why this is good for you
- Data protection obligations are clearly understood
- Policies and notices are usable and accurate
- Records of processing reflect reality
- Compliance becomes easier to maintain
Best for: Organisations with fragmented privacy arrangements, outdated documentation, or unclear ownership.

Active Privacy: Risk Management, Controls & Monitoring
This service focuses on managing privacy risk in practice.
We support the identification and management of data protection risks through activities such as DPIAs, control testing, training, and ongoing monitoring. This helps ensure privacy is embedded into projects, systems, and everyday operations.
Why this is good for you
- Privacy risks are identified early
- Controls are applied consistently
- Staff understand their responsibilities
- Evidence of ongoing compliance is available
Best for: Organisations processing higher-risk personal data, introducing new systems, or working with multiple processors and partners.

Incidents, Breaches & Regulatory Support
This service supports you when something goes wrong.
We provide calm, proportionate support in response to data breaches, complaints, or regulatory engagement. This includes breach assessment, reporting support, remediation planning, and engagement with the ICO where required.
Why this is good for you
- Incidents are handled quickly and defensibly
- Regulatory engagement is managed with confidence
- Harm to individuals and reputation is reduced
- Lessons are identified and applied
Best for: Organisations responding to data incidents, complaints, or heightened regulatory scrutiny.

