Starkhorn, Fractional and Interim CIO and CISO
Fractional & Outsourced DPO · UK GDPR & DUAA 2025

Data protection leadership without the full-time cost.

A board asking data protection questions your team cannot confidently answer. A subject access request you are not sure you can answer in time. A regulator's letter with a deadline. These are not IT problems. They are data protection leadership problems. Starkhorn solves them through a fractional or outsourced Data Protection Officer: experienced, independent leadership on a retained basis, accountable for your compliance and speaking the language your board, auditors, the ICO and insurers actually need.

No software commissions · No referral fees · Framed around UK GDPR, the DUAA 2025 and ICO expectations

The stakes

Data protection is either defensible or quietly exposing you

In most organisations, data protection sits outside the leadership conversation entirely. Records of processing drift out of date. DPIAs get skipped. Subject access requests are handled late, or not recognised at all until the month has run.

The board gets vague answers on data risk, or none at all. Every quarter, the gap between the assurance stakeholders expect and the assurance you can actually evidence widens. Every finding we bring is framed in risk reduced, assurance gained and compliance achieved, not legal jargon.

Leadership at genuine scale

Data and security leadership that has held the line before

Group-scale accountability

Interim Group Technology Director at VetPartners (BC Partners, GBP 1.2bn, 14,000 staff), accountable for technology and security, setting the governance around personal data across a fragmented, multi-country estate.

Combined CIO and CISO

Held the dual CIO and CISO mandate at Jardine Motors Group (GBP 2bn), a high-transaction-volume business, positioning data protection as a board-level priority rather than a back-office task.

Sensitive charity data

Fractional Associate Director of IT at Alzheimer's Society, with prior work at Age UK: protecting sensitive beneficiary and donor data, and giving trustees clear assurance on data risk.

What the retainer owns

Data protection governance that runs every month

A posture assessment designed for boards

In the opening weeks we map where your personal data lives, assess your position against UK GDPR and the DUAA 2025, review your records of processing, DSAR handling and DPIA practice, and deliver a board-ready report with a prioritised roadmap.

Every data risk mapped and challenged

Not a legal audit. A board-level assessment that identifies specific risks, control gaps and compliance shortfalls in plain language your board, auditors, the ICO and insurers can act on.

Rapid path to GDPR and DUAA 2025 readiness

We translate UK GDPR and the Data (Use and Access) Act 2025, including the 19 June 2026 complaints duty, into a clear plan that de-risks the timeline and gets you defensible without wasted effort.

The statutory DPO tasks, owned

Informing and advising you and your staff, monitoring compliance including training and audits, advising on and monitoring DPIAs, and acting as the contact point for the ICO and for individuals: the tasks UK GDPR Article 39 sets for the role.

The cost of no data protection leadership

A single breach or upheld complaint costs more than a year of DPO support

Lost contracts, higher insurance premiums, regulatory penalties, and the time your team loses cleaning up an incident nobody led. In 2024 the ICO handled over 36,000 data protection complaints; individuals increasingly know their rights and exercise them. The organisations that stay compliant bring leadership in before the incident, not after it.

Free, 8 minutes, no obligation

Not sure if you legally need a DPO? Get a verdict.

The Data Rights Readiness Check screens your processing against the DPO triggers, tells you whether a DPIA is required, and scores how well you could handle a subject access request today. Two modules. ICO-aligned. Immediate results.

Outsourced DPO vs full-time DPO

The honest numbers

For most organisations under 2,000 employees, an outsourced DPO delivers the same board-level accountability at a fraction of the full-time cost.

                       Outsourced / fractional DPO         Full-time DPO
Accountability owned   Yes, named and independent          Yes
Cost                   Monthly retainer, scoped to need    Salary + on-costs + benefits
Time to operational    Days                                Three- to six-month hire
Board reporting        Every quarter, in person            Varies
Commitment             Rolling, scale up or down           Permanent headcount, notice periods

The Article 37 test, and the practical signals

When organisations appoint an outsourced DPO

Any one of these is a signal. Two or more means the exposure is already significant.

  • You are a public authority or body, or carry out a public task.
  • Your core activities involve large-scale, regular and systematic monitoring of individuals.
  • Your core activities involve large-scale processing of special-category or criminal-offence data.
  • Subject access requests are arriving faster than you can answer them within a month.
  • A client, funder or insurer wants evidence of GDPR governance you cannot produce.
  • You are launching new processing (AI, profiling, new systems) with no DPIA discipline.
  • You have had a breach, a near-miss, or an ICO complaint.
  • Nobody senior owns data protection, so it is everybody's job and therefore no one's.

Common questions

Fractional and outsourced DPO FAQs

Do I legally need a Data Protection Officer?

Under UK GDPR Article 37 you must appoint a DPO if you are a public authority, if your core activities involve large-scale regular and systematic monitoring, or large-scale processing of special-category or criminal-offence data. If none apply, the ICO still expects a clearly accountable person. Our free Data Rights Readiness Check gives you a straight verdict.

Can the DPO be outsourced?

Yes. UK GDPR Article 37(6) expressly allows the role to be fulfilled by an external provider on a contract. What matters is expert knowledge of data protection law and practices, independence, and no conflict of interest, all of which an outsourced DPO provides without a permanent hire.

If we appoint an outsourced DPO, who is accountable when something goes wrong?

You are. Under UK GDPR Article 24 the accountability for compliance stays with you as the controller, and the ICO is explicit that the DPO is not personally liable for your compliance. An outsourced DPO gives you expert, independent leadership and a defensible programme; it does not transfer your legal accountability or make one person the scapegoat.

What did the Data (Use and Access) Act 2025 change?

It confirmed a reasonable-and-proportionate search standard for DSARs, put the stop-the-clock for clarification on a statutory footing, and, from 19 June 2026, requires a compliant complaints-handling process. We keep you ahead of these changes.

How is this different from a consultant or a law firm?

A consultant delivers a report and leaves; a law firm answers a specific legal question by the hour. This is ongoing, accountable data protection leadership with nothing to sell you but the outcome, no software commissions and no referral fees.

You already know something isn't right. The only question is what you do next.

Find out where you stand

The Data Rights Readiness Check scores your DSAR readiness, screens for a DPIA, and tells you whether you legally need a DPO, with a prioritised action plan.

Start the check →

Book a conversation

Twenty minutes with the person who has held combined technology and security accountability at group scale. No obligation.

Book a conversation →