Data Protection & GDPR Services

Respecting and protecting your data

As a business, you will handle data in one form or another, whether on paper or digitally. Personal information is a valuable asset that deserves respect and careful management. GDPR provides the framework to do just that—a set of guiding principles designed to ensure fair, secure and respectful treatment of your staff and customer data.

Customers and employees expect trust and security when sharing data with you. GDPR requires that companies handle, store and process personal data securely and share it only where they have a lawful basis to do so (consent is one such basis, but not the only one). The principles are straightforward, but achieving and maintaining compliance requires specialist expertise.

GDPR compliance support for every step of your journey

At PMA, we understand that data protection is more than a one-off task; it is a continuous commitment. We offer practical, hands-on support to help you understand and implement GDPR requirements tailored to your unique needs.

This isn’t about ticking boxes. It’s about establishing and maintaining a culture of accountability and data respect.

Whether you’re just beginning to consider GDPR requirements, actively working towards compliance, or aiming to maintain it, we can assist you. Compliance is a journey. We recognise the challenges involved when people, processes and data come together.

How PMA supports your GDPR compliance

PMA collaborates with businesses of all sizes on comprehensive data protection practices. We can serve as your main point of contact for GDPR activities, act as your Data Protection Officer (DPO), or work alongside your existing DPO to provide extra support, such as bespoke or team training.

From engaging with legal teams to liaising with the Information Commissioner’s Office (ICO), we ensure GDPR is consistently and effectively embedded throughout your business. Let PMA be your partner in building a trustworthy, compliant and respectful approach to data protection.

Tailored GDPR support for your business

Your data protection journey will start from a unique place. That’s why PMA offers a range of GDPR support levels designed to meet your specific needs. We begin by assessing your current situation, identifying compliance gaps and creating a clear action plan.

Whether you’re just getting started or need ongoing support, we help you find the right way forward to ensure effective, sustainable compliance.

Choose the GDPR support that fits your business.

You can mix and match from any level, but let us guide you to a more secure and compliant future.

GDPR Level 1
Working towards full compliance

  • Data mapping of personal data sources within the business
  • Assessment of compliance against the ICO self-assessment guidance
  • Gap analysis produced with a detailed action plan
  • Advice on the impact of PECR and website cookies
  • Documentation to support policies and business processes
  • Training

GDPR Level 2
Post-GDPR compliance

  • Review the current level of compliance with GDPR
  • Test internal processes, e.g. subject access requests (SARs), data breach response, privacy policies and cookie consent
  • Provide a rating, gap analysis and an action plan
  • Advice on the impact of regulatory changes

GDPR Level 3
Provision of a DPO service (inside the EU)

  • Check the level of compliance within the business
  • Liaise with the ICO on queries and complaints received
  • Answer data protection queries
  • Build and run subject access request (SAR) processes
  • Provide bespoke training

GDPR Level 4
Working with an internal DPO

  • Support delivery of training to staff
  • Identify non-compliant areas
  • Work with the ICO to answer any queries

GDPR Level 5
Ad hoc data protection support and guidance

  • Access to up-to-date information on data protection regulation in the UK, the EU and the rest of the world
  • Advice and guidance provided via telephone, Zoom or email
  • Support for Data Protection Impact Assessments (DPIAs)
  • Bespoke team training delivered online or face-to-face

If you have a specific need, we offer several additional services that will benefit you.

  • Write policy documents in several different languages
  • Guidance on the lawful bases for data processing
  • Deliver bespoke training by team, e.g. marketing, call centres, directors
  • Write privacy statements
  • Advice on PECR and cookies
  • Write consent statements for marketing purposes
  • Regular updates and information on data protection developments
  • Recommend IT security and encryption tools
  • Advice and guidance on entering markets outside the EU

The goal is to manage your data within the GDPR framework.

Your staff must understand what is expected of them and your customers should feel they are being treated fairly.


Get in touch with Simon today to find out more.

Frequently asked questions…

Who does GDPR apply to?

GDPR applies to any business or organisation that processes the personal data of individuals in the EU, regardless of where the organisation is based, if it is established in the EU or offers goods or services to, or monitors the behaviour of, those individuals. This includes companies, government bodies and non-profits, and it applies to data processors as well as data controllers. The UK GDPR applies in the same way to the personal data of individuals in the UK, with the ICO as the supervisory authority. The reality is that most businesses are affected.

What is the difference between a Data Controller and a Data Processor?

A Data Controller determines the purposes and means of processing personal data, while a Data Processor processes personal data on behalf of a controller and only on the controller’s documented instructions. Both have specific obligations under GDPR to ensure data is handled securely and in compliance with the law, and the relationship between them must be set out in a written contract.

What rights do individuals have under GDPR?

Individuals have several rights under GDPR, including the right to be informed, the right of access, the right to rectification, the right to erasure (also known as the “right to be forgotten”), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.

You must normally respond to a request within one month of receiving it (extendable by up to two further months for complex or numerous requests). If requests are not handled correctly, or if you don’t have the right processes in place, responding can be a time-consuming job should a customer or member of staff exercise any of the rights above.

What qualifies as personal data under GDPR?

Personal data is any information relating to a living individual who can be identified, directly or indirectly, from that information alone or in combination with other data. This includes names, email addresses, phone numbers and IP addresses, as well as more specific information such as location data, biometric data and online identifiers.

What is a Data Protection Officer (DPO), and do we need one?

A Data Protection Officer informs and advises the organisation on its data protection obligations, monitors compliance, advises on Data Protection Impact Assessments, and acts as the point of contact for the supervisory authority and for individuals. Under GDPR, an organisation must appoint a DPO if it is a public authority, if its core activities require regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special category data or data about criminal convictions and offences.

How do I know if I need a DPO?

Processing a large volume of data does not by itself make a DPO mandatory; the legal triggers are those set out above. Even where a DPO is not required, many businesses choose to appoint one to remain compliant and to deal effectively with any issues. Bear in mind that a voluntarily appointed DPO is subject to the same GDPR requirements as a mandatory one. The role doesn’t have to be full-time; it can be done virtually or on a part-time basis.

What does ‘explicit consent’ mean under GDPR?

Under GDPR, all consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Explicit consent is a higher standard, required for example for processing special category data, for certain automated decisions and for some international transfers: the individual must confirm their agreement in an express statement, such as a signed or written declaration or a clearly worded opt-in. Pre-ticked boxes, silence or inactivity never amount to consent of either kind.

How can businesses ensure compliance with GDPR?

Compliance requires a systematic approach, including conducting data audits, keeping a record of processing activities, implementing data protection policies, securing personal data with appropriate technical and organisational measures, training staff, appointing a DPO if necessary, and ensuring that data processing agreements are in place with third parties.

What is a data breach?

A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It covers more than losing data: it includes, for example, sending an email to the wrong recipient, a stolen laptop, or an attacker gaining access to a system. It can happen because of human error or malicious intent. You need to be prepared for this event, which means having a plan for managing a data breach within your business, including liaison with the ICO and other stakeholders affected by the breach.

How should businesses handle a data breach?

In the event of a personal data breach, organisations must notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be informed without undue delay. Every breach, including those that do not have to be reported, must be recorded internally along with its effects and the remedial action taken.

Why do you need training for GDPR?

The ICO recognises training as an important element of accountability and compliance with GDPR. Experience has shown that the human element of any organisation is the weakest link: most data losses start with a simple mistake or with someone clicking a link in a phishing email. The ICO recommends that training be done at least twice a year.

It’s important to provide bespoke training modules to your teams. We answer the question most employees have: “what do I need to do differently in my role under GDPR?”. These sessions can be delivered face-to-face or over Zoom.

You may have specific questions relating to your own experiences, or a general query relating to data protection.


Get in touch with Simon today for the answer.

Want to explore more?

If you have a question or want to find out more about how we can help,
it would be great to hear from you.