Service 01 — Konve Advisory

Fractional Data Protection Officer

A named Data Protection Officer for organisations subject to UK GDPR — registered with the Information Commissioner's Office, accountable to your board, and retained on a monthly basis at a fraction of the cost of an internal hire.

The Service

A named DPO function, supervised by a qualified principal, supported by purpose-built AI.

Konve acts as the named Data Protection Officer for your organisation, taking statutory responsibility under Article 37 of the UK GDPR and operating as the registered contact point for the Information Commissioner's Office.

What the service is

We are not a software platform. We are not a template provider. We are a named, qualified function of your organisation, accountable to your board for the standard of your data protection programme. Where formal designation under Article 37 is required, we register with the ICO as your DPO and are listed on your privacy notices as the contact for data subject rights. Where formal designation is not required, we perform the equivalent function on a retained basis with the same standard of accountability.

What is included

  • The named DPO role and ICO registration where statutorily required.
  • A scheduled monthly governance review covering processing activities, incidents, and regulatory developments.
  • Maintenance and quarterly review of your Record of Processing Activities.
  • Review and approval of Data Protection Impact Assessments produced by your team, and the drafting of new DPIAs up to a defined volume.
  • Vendor due diligence on processors before contracts are signed.
  • Response support for data subject access requests, with legal review and sign-off provided by us.
  • Incident triage in the event of a suspected personal data breach, including the seventy-two-hour notification decision.
  • An annual data protection audit produced as a written report to your board.
  • A defined block of advisory hours each month for ad hoc questions, with additional hours available at agreed rates.

What is not included

Operational implementation of technical controls — that work belongs to Konve IT or your existing IT function, scoped separately. Defending regulatory enforcement action, which requires solicitor representation and is referred out to qualified counsel. Bespoke training programme delivery beyond a standard annual awareness session. The role is strategic and supervisory, not operational, and our scope is defined to make that distinction clear.

How we extend our capacity

Konve Advisory is built on a small senior team supported by a purpose-built layer of supervised AI agents. The drafting of routine documentation, the monitoring of regulatory developments, the maintenance of structured registers, and the first-pass review of recurring submissions are handled by agents under our supervision. The judgement, the accountability, and the named role remain with the qualified practitioner. This is how a small practice delivers the standard of attention a much larger firm would charge several times the price for.

Who This Is For

Four situations in which retaining a fractional DPO is the right answer.


A fractional DPO is not the right answer for every organisation. It is the right answer for those who carry the obligation, lack the in-house capacity, and need someone qualified and accountable rather than someone notional.

01

You are statutorily required to designate a DPO under Article 37.

Your organisation is a public authority, processes special category data at scale, or systematically monitors data subjects on a large scale. You must designate a DPO under UK GDPR. Hiring internally at the seniority required is expensive. Designating an unqualified internal person is non-compliant and exposes the board. A fractional DPO discharges the statutory requirement without the cost of an internal hire.

02

You are not strictly required to designate, but commercial pressure is forcing the role.

A customer's procurement team has asked who your DPO is. An investor's diligence has flagged the absence of one. A board member has raised the question in a risk review. You are not legally obliged to designate a DPO, but operating without a recognised one is now a commercial liability. A fractional DPO answers the question with substance, not theatre.

03

You have an internal person nominally holding the role and the arrangement is not working.

Your finance director, your operations manager, or your IT lead has been asked to "also be the DPO" without the time, the qualifications, or the independence the role requires. The result is unanswered DPIAs, an out-of-date ROPA, and a board that cannot honestly answer audit questions. Replacing the nominal role with a properly qualified fractional function fixes the structural problem.

04

You have a recognised DPO weakness identified in audit or due diligence.

A recent ISO 27001 audit, customer security questionnaire, or pre-acquisition due diligence has flagged your data protection governance as a gap. The remediation deadline is short and the standard required is high. A fractional DPO closes the gap with documented, defensible work in a timeframe that internal recruitment cannot match.

This service is not the right answer if:

  • Your data processing is genuinely minimal and your obligations are straightforward — a written privacy policy and basic record-keeping discipline may be sufficient.
  • You are looking for software to automate compliance — Konve is a professional service, not a platform, and we do not compete with tooling vendors.
  • You need part-time hands-on operational implementation rather than a strategic supervisory role — this is delivery work, scoped separately through Konve IT.

How The Engagement Works

Twelve months, structured into four phases.


Every Konve DPO engagement follows the same operational rhythm. The first month establishes the baseline. The next two consolidate the documentation. The middle of the year is steady-state delivery. The twelfth month produces the audit and the plan for the year ahead.

Month 1 Phase One — Onboarding

Baseline diagnostic and ICO registration.

We map your data landscape, review your existing documentation, conduct stakeholder interviews with finance, IT, HR, and operations, and produce a written gap report against your obligations. Where statutory designation applies, we register with the ICO as your Data Protection Officer. By the end of month one, you have a documented baseline and a prioritised remediation plan signed off by your board.

Months 2–3 Phase Two — Establishment

Documentation, registers, and policy framework.

We build or refresh your Record of Processing Activities, draft or revise the data protection policies your operating model requires, design your DPIA workflow, and put your supplier and processor registers into a maintainable state. Quarterly governance review begins at the end of month three. By this point your data protection programme is documented to a defensible standard.

Months 4–11 Phase Three — Steady State

Monthly governance, quarterly reviews, ongoing availability.

The engagement settles into a defined operational rhythm. Monthly governance reviews. Quarterly ROPA refreshes. DPIA reviews and vendor due diligence as your business creates them. Subject access request support as they arrive. Incident triage availability throughout. Two formal quarterly check-ins with your senior team to discuss programme posture, emerging risks, and regulatory developments affecting your sector.

Month 12 Phase Four — Annual Close

Board audit and forward plan.

We produce the annual data protection audit as a written board-grade report covering the year's processing activities, incidents, regulatory developments, and the programme's overall posture against your obligations. Alongside the audit, we deliver the forward plan for the next twelve months — prioritised actions, resource implications, and the commitments your board needs to make. The engagement renews, on revised terms if appropriate, into the next year.

Frequently Asked

The questions serious buyers ask before retaining a DPO.


These are the questions our introductory calls start with. We have answered them here so the call can move directly to your specific situation.

How do I know whether we are legally required to designate a DPO?

Article 37 of the UK GDPR requires designation in three specific circumstances — public authorities, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities involve large-scale processing of special category or criminal conviction data. Outside those circumstances, designation is not legally mandatory but is often advisable as a matter of good governance. We will tell you honestly which category your organisation falls into. If you are not required to designate, we will say so, even if it costs us the engagement.

What does the service cost, and how is it priced?

Pricing depends on your size, the complexity of your processing, the sectors you operate in, and whether statutory designation applies. We do not publish list prices because the engagements are not standardised commodities. As a guide, our retainers sit substantially below the cost of a permanent DPO hire at equivalent seniority, and substantially above the cost of a templated software-and-template offering. We are priced for organisations that need qualified accountability rather than the cheapest route to a tick-box. The introductory call produces a written proposal with the specific monthly fee for your circumstances.

You mentioned AI agents. How is my organisation's data protected?

Our AI agents operate within Konve's own controlled environment, on infrastructure we own and govern, with explicit data handling policies and contractual restrictions on how the underlying models may use input data. No client data is used to train external models. Confidentiality and professional secrecy obligations apply to AI-handled material exactly as they apply to material handled directly by the qualified practitioner. We can provide our AI handling policy and the contractual position of our underlying providers in writing on request. As your DPO, we are accountable for our own data protection arrangements, and we hold ourselves to the standard we hold our clients to.

What happens if there is a breach out of hours?

Personal data breaches do not respect office hours, and the seventy-two-hour notification window under Article 33 starts from the moment your organisation becomes aware. Our retainer includes business-hours availability for incident triage as standard. Out-of-hours incident response is available on call, charged at an agreed event-based rate published in your engagement letter. We are reachable via a dedicated incident channel — not via the general enquiries inbox — so that when a breach occurs you are not waiting for a reply during the most time-critical hours of the response.

Do you carry professional indemnity insurance?

Yes. Konve carries professional indemnity insurance appropriate to the work we undertake, and we are happy to provide certificate evidence on request as part of your supplier onboarding. We will also explicitly disclose the limit of indemnity in your engagement letter, so you know what you are contracting with. The named-DPO role carries real responsibilities and we do not take it on without the corresponding cover. A firm offering DPO services without confirmable PI cover is a firm to walk away from.

What is the contract length, and how do I exit if it is not working?

Our DPO retainer has a twelve-month minimum term. The first year covers the cost of building your data protection programme to a defensible standard, and shorter contracts undermine the work. After the initial twelve months, the engagement continues on a rolling basis with a ninety-day notice period from either side. Ninety days reflects the seriousness of the role: your organisation needs time to transition to a successor, and we need time to hand over responsibly. We do not lock clients into multi-year contracts, and we do not exit without ensuring continuity of the function for your obligations.

How does the DPO service relate to other Konve services?

The DPO retainer is one of four services within Konve Advisory. Many clients who engage us as DPO subsequently extend the relationship into Konve IT for technical implementation work, or into our broader Governance and Compliance Advisory for matters beyond the DPO scope. Konve Legal — our forthcoming authorised legal practice — will provide reserved legal services to existing Konve clients once we are qualified. There is no requirement to use multiple Konve services. Each is independently scoped and priced. Where multiple services are engaged, the integration produces measurable savings on coordination and overlap, but each service stands on its own merits.

Next Step

If you have read this far, the next step is a conversation.


A thirty-minute introductory call. Conducted by the principal, not a sales representative. No fee. No obligation. The purpose is mutual fit assessment — we want to understand your situation, and you want to understand whether we are the right firm to retain.

You will leave the call with a clear answer to three questions. Whether your organisation is statutorily required to designate a DPO. What a Konve DPO engagement would look like in your specific circumstances. And whether, in our honest assessment, we are the right firm for the work in front of you. If we are not, we will tell you, and where possible direct you to who is.

Arrange the call

Or write directly to advisory@konvegroup.com with a brief description of your situation.
