GDPR - Governance - Risk - Compliance

The GRC Director

Compliance & Data Protection as a Service


Privacy Management Programmes to Support your Organisation

Free Consultation


About Us

Who We Are & How We Got Here


The GRC Director Ltd was founded by Stephen Murray, who brings over 20 years' experience in senior management positions within SMEs, covering compliance, risk management and governance, with a specialism in privacy and data protection law. He is a Certified Information Privacy Professional (Europe) and Certified Information Privacy Manager with the International Association of Privacy Professionals.


Privacy Law You Can Understand

We know that privacy law can be complex and difficult to understand. We will help by demystifying and simplifying this for you. The first step is for us to work with you to discover the current compliance landscape. Through our understanding of the law and regulations applicable to your organisation, we will craft a path to deliver confidence in your compliance.

Reducing Risk, Adding Value & Building Trust

Reducing risk, demonstrating good governance and minimising the threat of reputational damage are prerequisites to protecting the brand and interests of your organisation.

Good governance is not only good for business: it improves saleability and value, and demonstrates to your customers and partners that you can be trusted.

Accreditations

What We Can Do For Your Organisation

Data Protection Officer As A Service

Whilst not all organisations are required to appoint and register a DPO, they must nominate somebody to be responsible for compliance with UK GDPR. Outsourcing your DPO requirement not only demonstrates a serious commitment to compliance but can be a much more affordable and productive solution. Under Articles 37 to 39 of UK GDPR the DPO is required to be independent and to have expertise in data protection law. Using the GRC as your DPO:

  • keeps DPO activities free from internal influence, reducing the risk of conflicts of interest;
  • reduces the burden of compliance on senior managers;
  • provides confidence that you have an accredited and certified professional in post; and
  • gives reassurance that your DPO is obligated to keep fully up to date with changes to the law and best practice in privacy management through the International Association of Privacy Professionals (IAPP).

Our model means we can tailor a flexible solution to suit the requirements of your individual organisation.

Data Protection Audits

Data protection audits are designed to give you independent assurance that you are meeting the requirements of the law, to show where you may be falling short and, importantly, to provide recommendations to remediate or improve. If audits are incorporated as part of your privacy management programme, they become far less onerous. We can supply a one-off audit or incorporate auditing into the DPO as a Service contract.

DPO Support Helpline

The helpline is included as a standard part of our DPO as a Service. It can also be provided as a stand-alone service. A small monthly retainer provides comfort to the senior managers responsible for data protection within an organisation by providing access to timely advice and support when you need it most.

UK Representative for GDPR Compliance

Article 27 of UK GDPR requires controllers and processors not established in the UK to designate a representative based in the UK to handle liaison with the ICO and data subjects. We can be retained as that representative to ensure you meet this requirement without adding significant costs to your business.

Training and Awareness

Ensuring that staff involved in the processing of personal data receive continuing privacy education (CPE) and development is an important requirement of UK GDPR. Staff are often both your greatest asset and your greatest risk in data protection. We can provide a range of training services to suit your organisation's bespoke requirements.

General Policies and Governance

We don't just support privacy compliance. We can help organisations with risk assessment, and with developing good governance procedures and implementing policy. These will help you meet requirements such as anti-corruption legislation (the Bribery Act and the Criminal Finances Act) and supply chain matters such as modern slavery legislation. Having a demonstrable clean bill of health in terms of compliance can be especially valuable when preparing your business for acquisition.

Our Partners

We have developed strong relationships with commercial lawyers, HR specialists and FCA compliance consultants who can be brought in to provide a 360-degree solution should the scope of work require it.

Recent Breaches and Fines

AFK Letters Co Ltd

Date: 24 April 2025

Type: Monetary penalties

It was found that between January and September 2023, AFK made 95,277 spam calls resulting in several complaints being made to the ICO and TPS. AFK did not provide evidence that anyone whose number had been called had consented to receiving calls from the company.

The monetary penalty notice is for £90,000

DPP Law Ltd

Date: 15 April 2025

Type: Monetary penalties

The Information Commissioner has fined law firm DPP Law Ltd £60,000 for its infringements of Articles 5(1)(f), 32(1), 32(2) and 33(1) of the UK GDPR between 25 May 2018 and 17 July 2022.

The monetary penalty notice is for £60,000

Advanced Computer Software Group Limited

Date: 27 March 2025

Type: Monetary penalties

The Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.

Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people's personal information on behalf of these organisations.

The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced's health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber attack was widely reported at the time, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.

The monetary penalty notice is for £3.07m

Breathe Services Ltd

Date: 12 December 2024

Type: Monetary penalties

Breathe Services Ltd (BSL), a debt advice company based in Bolton, first came to the attention of the ICO as part of a wider investigation into complaints received about unsolicited phone calls to potentially vulnerable individuals.

In a failed attempt to hide their real identity, BSL was found to have spoofed its outbound phone number by presenting over 1,000 different telephone numbers on calls. In March 2023 the ICO carried out a search at BSL’s office in Bolton, seizing evidence including documents and electronic devices.

Our extensive investigation revealed that between March - July 2022 and October - December 2022, BSL bombarded people with 4,376,037 unsolicited direct marketing calls to numbers that had been registered to the Telephone Preference Service (TPS). This resulted in 58 complaints to the TPS and a further 193 complaints to the ICO.

The monetary penalty notice is for £170,000

Money Bubble Ltd

Date: 12 December 2024

Type: Monetary penalties

Sector: General Business

It was found that between October and November 2022, the company made 168,852 spam calls resulting in several further complaints being made to the ICO and TPS. MBL did not provide evidence that anyone whose number had been called had consented to receiving calls from the company. The ICO has issued a £120,000 fine.

The monetary penalty notice is for £120,000

National Debt Advice Limited

Date: 14 October 2024

Type: Monetary penalties

Sector: Finance, Insurance and Credit

National Debt Advice sent 129,902 unsolicited direct marketing text messages to individuals in breach of regulation 22 of PECR, resulting in over 4,000 complaints to the 7726 spam reporting service. The company was fined £30,000 and issued with an enforcement notice.

The monetary penalty notice is for £30,000

Police Service of Northern Ireland

Date: 3 October 2024

Type: Monetary penalties

The Police Service of Northern Ireland has been fined £750,000 for infringing Articles 5(1)(f), 32(1) and (2) of the UK GDPR between 25 May 2018 and 14 June 2024.

The monetary penalty notice is for £750,000

The Central Young Men’s Christian Association

Date: 30 April 2024

Type: Monetary penalties

Sector: Charitable and voluntary

The Central YMCA sent an email to individuals participating in a programme for people living with HIV using "CC" rather than "BCC", revealing the email addresses to all recipients. 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV. The Central YMCA have been fined £7,500 and issued a reprimand.

The monetary penalty notice is for £7,500

Ministry of Defence

Date: 26 February 2024

Type: Monetary penalties

Sector: Central Government

The MOD sent emails inadvertently using the "To" field rather than the "BCC" field. 265 unique email addresses were disclosed in breach of GDPR Article 5(1)(f). The MOD were fined £350,000.

The monetary penalty notice is for £350,000

Crown Glazing Ltd

Date: 8 June 2023

Type: Monetary penalties

Sector: Utilities

The case was part of Operation Tinago, which was formed to assess and analyse complaint trends in relation to the energy and home improvements sector. The organisation made 503,445 unsolicited calls to TPS registered numbers between 4 January and 11 November 2021. The calls were about energy products to reduce household bills and resulted in a total of 37 complaints.

The monetary penalty notice is for £130,000

TikTok Information Technologies UK Limited and TikTok Inc (TikTok)

Date: 15 May 2023

Type: Monetary penalties

Sector: Online technologies and telecoms

The Information Commissioner's Office (ICO) issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law, including failing to use children's personal data lawfully.

The monetary penalty notice is for £12,700,000.

Halfords Limited

Date: 6 September 2022

Type: Monetary penalties

Sector: Retail and manufacture

The monetary penalty has been issued because on 28 July 2020 a confirmed total of 498,179 unsolicited direct marketing messages were received by subscribers, having been sent by Halfords. These messages contained direct marketing material for which subscribers had not provided valid consent; furthermore, the Commissioner is satisfied that Halfords cannot rely on the soft opt-in exemption. The Commissioner received a total of three complaints regarding this campaign.

The monetary penalty notice is for £30,000.

The GRC Director Ltd

The GRC Director Ltd is a company registered in England and Wales. Company Registration no.12955086. Registered address: 2 Bayfield Close, Holmfirth, HD9 2QX

VOIP: 01484 883 626 Mobile: 07762 292 979

Copyright © 2023 The GRC Director Ltd - All Rights Reserved.
