Category Archives: GDPR

Compliance Support Services Explained

Once your organisation has achieved authorisation, you are committed to meeting a variety of ongoing FCA compliance responsibilities. Companies either choose our consultancy services to help resolve specific issues or to handle the effect and impact of new policy, or we tailor a retainer agreement to meet their particular ongoing requirements.

Retainer agreement
Our highly skilled group of compliance specialists has market and regulatory backgrounds, supplying a unique mix of skill sets and giving you the confidence that your ongoing regulatory responsibilities will be met to a high professional standard.

With retainer service contracts individually tailored to your organisation, we provide an agreed service delivery and schedule. Having operated in your sector, our professionals understand your compliance obstacles and opportunities. They share their backgrounds and understanding to solve issues, so you reap the benefits of their combined competence.
Our retainer contracts supply you with budget certainty and on-demand access to an extremely trustworthy compliance partner and a subject expert panel. They usually include:
  • Compliance management; setting up your Compliance Monitoring Programme, including automating it if required.
  • Compliance audits; independent bench-mark reviews and health-checks to make certain your systems, controls, policies and regulatory procedures are kept up to date
  • Documents/Governance; such as policies and written processes or procedures
  • Financial promotions including initial reviews and ongoing assessments or critiques, including video and social media marketing
  • Training; e.g., informing personnel on anti-money laundering or assisting senior management create a suitable governance framework
  • Regulatory reporting; consisting of GABRIEL returns and evaluation of prudential requirements
  • For Payment Services companies based on PSD2, we provide distinct service plans specifically created to satisfy the increased regulatory needs and responsibilities.
  • Capital Market companies gain from a specific methodology which permits us to craft a bespoke, flexible assistance package.
  • Companies that fall into the Asset Management, Broker Dealers & Traders, Corporate Finance, Crowdfunding, FinTech, Infrastructure, Investment Management, P2P Lending, Private Equity, Venture Capital and Wealth Management sectors can all benefit from individual and tailored packages.

Contact us today on 0207 097 1434 or email

    FCA Compliance Monitoring Plan

    Your FCA Compliance Monitoring Plan

    This Annual Compliance Monitoring Plan is related to the risk register, which highlights the key risks to the business.

    In this document, you not only illustrate that your senior management team is aware of the operational risks faced by the business, you also demonstrate that the key compliance risks have been identified. You then show that suitable controls have been put in place to mitigate these risks, and that routine checks are performed on these controls to ensure they are operating as expected and that any potential issues are being flagged.

    This plan should also include any remedial actions that may have been taken, or link to external reports or projects when testing has identified that gaps may exist.

      This is a compliance ‘living’ document that staff should be continually updating.

      Only £300+ VAT

      EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

      All organisations – wherever they are in the world – that process the personal data of EU residents must comply with the GDPR (General Data Protection Regulation).

      Failure to comply could cost firms up to €20 million or 4% of annual global turnover in fines, whichever is greater.


      £275M Fines For Two International Businesses By ICO

      The UK Information Commissioner’s Office (“ICO”) has flexed its muscles and announced its intention to issue fines rising above £275 million against two international businesses for failing to keep the personal data they hold protected from cyber-attacks, under the European General Data Protection Regulation (“GDPR”).

      On 8 July 2019, the ICO made known its intention to fine British Airways (“BA”) £183.39 million under the GDPR for a personal data breach it suffered in August 2018. The breach, called a “sophisticated, malicious criminal attack”, was initially disclosed by BA on 6 September 2018. Details of around 500,000 BA customers were compromised during the breach, which consisted of the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and payment card details used during the booking process. The ICO indicated that BA cooperated with the ICO investigation and has made security improvements following the incident.

      The penalty is reported to amount to about 1.5% of the global annual turnover of BA in 2017 and is the highest fine issued until now by a European Union data protection supervisory authority for a personal data breach under the GDPR.
      On 9 July 2019, the ICO declared its intention to fine Marriott International, Inc. (“Marriott”) £99.2 million under the GDPR for a personal data breach that occurred in relation to the Starwood guest reservation database system. The breach is believed to have started when Starwood hotels’ systems were affected by a cyber-attack in 2014. The breach was discovered and notified to the ICO in November 2018, two years after Starwood’s acquisition by Marriott. Personal data contained in over 330 million guest records were exposed by the incident. About 30 million of these records related to individuals from over 30 countries in the European Economic Area (EEA). Roughly 7 million records related to individuals located in the UK. The ICO determined that Marriott should have taken extra steps to review and secure the IT infrastructure used by Starwood. The ICO noted that Marriott had cooperated with the investigation conducted by the ICO and had improved its security practices since the incident.
      The GDPR established two tiers of penalties that could be issued by European data protection supervisory authorities; the standard maximum and the higher maximum. The standard maximum allows for a fine equivalent to the greater of 10 million Euros or 2% of total annual worldwide turnover in the preceding fiscal year of the relevant undertaking for a violation of certain provisions, whereas the higher maximum permits the greater of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year of the relevant undertaking for a violation of more serious provisions, including data protection principles or data subjects’ rights.
      The penalties issued to BA and Marriott fall beneath both of these thresholds, which may reflect BA and Marriott’s cooperation with the ICO investigation and the fact that both organisations have made enhancements to their security practices since the incidents were found. Both organisations have 28 days to make further representations to the ICO about the calculation of the fine before the ICO makes its final decision. The ICO has said that it will carefully consider any representations made by them and the other European data protection authorities before it makes its final determination.
      In both cases, the focus of the ICO’s statements of intent seems to be on the security failures that led to the breach occurring, rather than necessarily on the types and sensitivity of personal data impacted. The ICO also concentrated on the responsibility to conduct an appropriate due diligence process into the IT security and data protection practices of a prospective target of any M&A activity where that target is subject to the GDPR. No matter how breaches happen, it is clear that the ICO is taking security breaches very seriously, and these events should provide a strong reminder to companies to get their house in order and follow the security and other obligations under the GDPR, which apply to businesses both inside and outside Europe. As these are the first two fines it has issued under the GDPR for a personal data breach, the ICO in particular may be approaching these episodes as an opportunity to “set out its stall” regarding future enforcement action, with its eye on setting the standard of compliance in the UK in a post-Brexit environment.

      If you need your systems and controls checked with a view to GDPR and FCA compliance, contact us now!

      0207 097 1434

      Claims Management Companies CMCs Compliance Procedures Manual and Financial Crime Policy

      Having worked with a number of Claims Management Companies CMCs in recent days, we are happy to provide the following service to those who have not yet put their Compliance Procedures Manual (around 100 pages) and Financial Crime Policy in place.

      Contact us for details and timescales, but we will make them personalised to your firm.

      Cost £225


      Small Businesses & the GDPR – Do They Have To Bother?

      We Have Heard Of Many Stories On Social Media That Small Businesses Don’t Have To Bother With GDPR

      Most Of This “Barrack Room” Advice Is Wrong!

      So we have put together some FAQs.

      What is the GDPR?
      The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.

      My firm employs fewer than 250 people. Am I exempt from the GDPR?
      You’ll have to comply with the GDPR regardless of your size, if you process personal data. If you employ staff, provide a service to the public or sell goods, you will likely fall under the UK Data Protection Act 2018 – our embodiment of the GDPR.

      What information does the GDPR apply to?
      The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.

      Does the GDPR only apply to EU organisations?
      The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

      Size is a factor in a range of areas including the requirement to maintain records of processing.

      How do we know if we’re a processor or controller?
      A controller determines the purposes and means of processing personal data. A controller stores data (contact details, bank payment details, etc)

      A processor is responsible for processing personal data on behalf of a controller. (Aweber, Infusionsoft, Mailchimp, Sage, Quickbooks, other apps)

      If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

      However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

      Ask us for details if you are unsure.

      Do I need to appoint a data protection officer (DPO)?
      Under the GDPR, you must appoint a DPO in certain circumstances.

      Ask us for details if you are unsure.

      Can I have specific guidance for my sector?
      Guidance focuses on the general application of the GDPR.

      What are the rules under the GDPR for subject access requests?
      The right of access under the GDPR contains important differences around fees, time limits, refusals, electronic format, refining requests and method of access.

      Can you help me decide what to include in my privacy notice?
      The GDPR sets out the information that you should supply and when individuals should be informed. We can provide you with a Privacy Notice for both customers and employees.

      The information you supply about the processing of personal data must be:

      • concise, transparent, intelligible and easily accessible;
      • written in clear and plain language, particularly if addressed to a child; and
      • free of charge.

      What are your criteria for issuing monetary penalties?
      Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

      DO NOT BE INTIMIDATED BY THREATS, BUT BE AWARE THAT: There are certain criteria that need to be assessed before imposing a fine, many of which are similar to those the ICO would consider when determining whether to impose a penalty under the previous DPA, such as: the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage.

      However, the GDPR has introduced some new criteria, such as:

      • The controller’s adherence to codes of conduct and approved certification mechanisms
      • The extent to which the data controller notified the supervisory authority of the infringement and co-operated with it.

      As well as fines, the ICO will have other tools to help them change the behaviour of organisations, such as warnings, reprimands or corrective orders. They have exercised, and most likely always will exercise, their powers proportionately and judiciously.

      Do I always need consent?
      In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate. Article 6 explains what is needed. Ask us for details if you are unsure.

      You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.

      It’s your responsibility to identify a lawful basis for processing under the GDPR. Ask us for details if you are unsure.

      Is parental consent always required when collecting or processing children’s personal data?
      The GDPR contains new provisions intended to enhance the protection of children’s personal data, in particular, privacy notices and parental consent for online services offered to children.

      Article 8 imposes conditions on children’s consent, but it does not require parental consent in every case. Other lawful bases may still be available. Article 8 only applies when the controller is:

      • offering information society services (ISS) directly to children; and
      • wishes to rely on consent as its basis for processing.

      So if an ISS is actually intended for parents to use, or if the controller is relying on a different lawful basis such as legitimate interests, then Article 8 won’t apply.

      When does the right to data portability apply?
      The right to data portability only applies:

      • to personal data an individual has provided to a controller;
      • where the processing is based on the individual’s consent or for the performance of a contract; and
      • when processing is carried out by automated means.

      What is large-scale processing?
      The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or where it is extensive or has long-lasting effects. In many cases it is unlikely that small organisations will be processing on a large scale.

      I want to know more about the rules on security under the GDPR
      The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

      Does my organisation need to register under the GDPR?
      If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.

      The new Regulations come into force on 25 May 2018. This doesn’t mean that everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act do not have to re-register or pay the new fee until that registration has expired. Ask us for details if you are unsure.

      Contact us on 0207 097 1434 or email



      Small Business GDPR Audit

      GDPR Presents a rare opportunity for small businesses

      On the 25th May 2018 the EU General Data Protection Regulation becomes law as part of the UK’s Data Protection Act 2018. There are many requirements and you can get an overview here.

      UPDATE: The UK Data Protection Act 2018 received Royal Assent on 23rd May 2018.

      Part of the requirements is that you conduct an audit of all the data entry points that you have and identify a number of elements to it, including the legal bases, customer classification and a number of other things.

      As a small business, a lot of the legislation may not apply, but you have to identify your data sources (do an audit), adhere to your Data Protection Policy (containing all the new rules that pertain to your business) and send a “Privacy Notice” to your existing customers. You must also ensure you have an appropriate and adequate process in place to deliver the new “Privacy Notice” whenever you take any contact details or other personal data from employees (inc sub-contractors or casual staff).

      If you are a small business of under 5 people, don’t send out newsletters or do email marketing, we will conduct an audit for you, provide you with a copy of your audit (for your records) and include a tailored “Data Protection Policy” and a bespoke “Privacy Notice“, that you can use as a stand-alone hand-out, on your website or via a download link, or to incorporate it into your terms of business.


      As a Small Business, Do I Need To Worry?

      Quick check: Focus on your data collection. Does your business hold HR records, customer lists and contact details, employee records, for example? Most do.

      This is confirmed by the, who state; “You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR”.

      Manual vs. auto-filing

      Whether it’s you keeping a spreadsheet of customer contact details, or an automated digital capture system, the GDPR will apply.

      What Is Personal Data?

      The GDPR applies to ‘personal data’ (see Article 6) meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

      This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

      The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

      How Does This Affect Me?

      The GDPR applies to ‘controllers’ and ‘processors’. 

      A controller determines the purposes and means of processing personal data.

      A processor is responsible for processing personal data on behalf of a controller.

      If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

      However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

      Don’t Just Take Our Word For It 

      These sites for small business and the GDPR will help explain things a little more for you. The Federation of Small Businesses and the ICO are at the bottom


      Prices start from £250 for very small businesses (one man bands/retail etc).

      Typically under 20 employees, £350.

      20 to 50 employees £650 and

      50-249 employees, £1,200.

      Larger businesses please apply with details of the number of staff and marketing activity.

      Or contact us via email at


      GDPR DPIA? How to Conduct a Data Protection Impact Assessment

      A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a business.

      Under the GDPR, you must do a DPIA for certain types of processing, or any other processing that is likely to result in a high risk to individuals. You can use our screening checklists to help you decide when to do a DPIA.

      It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

      We can assist you and conduct a DPIA for you.

      Your DPIA must:

      • describe the nature, scope, context and purposes of the processing; 
      • assess necessity, proportionality and compliance measures; 
      • identify and assess risks to individuals; and
      • identify any additional measures to mitigate those risks.

      To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

      You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts like Compliance Consultant on 0203 813 7939. Any data processors you employ may also need to assist you.

      Get Our Free GDPR Document

      GDPR Starts 28th May 2018 – Are You Ready?

      The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

      GDPR, created by the EU Commission, will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU.

      Does it affect my business? In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.

      Fines can be up to €20 Million or 4% of global turnover – whichever is higher.

      Compliance Consultant has decades of experience in dealing with UK and EU regulation and legislation, and is ideally placed to help you manage your responsibilities. We can conduct audits, provide training, create documents and show you how and where to record your specific risks and mitigation measures to ensure the expected standard of data protection required.

      What constitutes personal data?
      Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

      These Changes Will Provide A Huge Challenge To Many Businesses, Especially Those Who Have Not Considered Data Protection To Be An Issue. It’s Not Just Us – Read This Article In The Sun: “What is GDPR, what does it stand for, when is the 2018 deadline and how can you check if a business is compliant?”

      Download our free guide and checklist to make sure you are fully prepared


      GDPR Checklist Consent Page

      By completing this form you are confirming that you are over the age of 18 and that you agree to providing consent for us to send marketing material to you occasionally regarding items that we think you will be interested in. Sometimes our data may be sent outside the EU for processing (i.e., through internet servers) but the highest levels of data security are extended to any third-party we employ for this. We will not spam your details nor sell them to any other business. Your data confidentiality is our highest concern.

