CASE STUDY - LS LAW
UK GDPR framework + ongoing fractional DPO for a medtech European subsidiary
Learn how we built a sustainable, risk-based UK GDPR framework for the European subsidiary of a US-headquartered medtech, closing every gap identified in the analysis, and stood up an ongoing fractional Data Protection Officer service to keep the framework operating.
Background
The European subsidiary of a US-headquartered medtech needed a UK GDPR framework that worked end-to-end. Several pieces needed addressing in parallel: the designated Data Protection Officer needed training and support to fulfil the role; key policies and agreements (Data Processing Agreements and International Data Transfer Agreements) needed updating or putting in place from scratch; the Records of Processing Activities (RoPA) and Data Protection Impact Assessment (DPIA) processes needed to be formalised; data retention and security practices needed bringing in line with regulatory principles; and public-facing privacy notices and consent mechanisms needed to be aligned with UK GDPR transparency and consent requirements.
Underlying all of that was the cross-border dimension: data flowed between the UK subsidiary and the US-headquartered parent, so a defensible international transfer position — an International Data Transfer Agreement (IDTA) and a Transfer Risk Assessment (TRA) — needed to be in place. The brief was not just to remediate the gaps but to lay the foundation for a sustainable, risk-based approach to data protection that could keep operating after the initial programme — supporting operational efficiency, accountability and stakeholder confidence.
The LS Law Approach
Three workstreams in parallel — programme, capability, ongoing operation. We structured the engagement so the framework was built, the in-house capability was equipped to carry it, and the ongoing operation was covered — all three in parallel rather than sequentially, so the client did not have to wait for the project to finish before having an operational DPO function in place.
The framework programme. Eight discrete deliverables built and embedded: the DPIA (with prep, interviews, materials review, gap analysis and report); IDTA and TRA templates for UK–US data flows; reviewed and amended privacy notices; a data retention schedule; review and update of the legacy DPA; a cookie tracking audit and consent advice; and a guidance note on consent for B2B and B2C marketing.
DPO capability. Tailored Data Privacy training for the designated DPO — including DPO obligations under UK GDPR, prep time and materials — so the in-house DPO had what they needed to fulfil the role properly going forward, rather than having the role exist on paper while the work was done elsewhere.
Ongoing fractional DPO. A 12-month external DPO retainer running alongside and after the project — ICO registration, day-to-day email and phone support, and an annual compliance review. The framework keeps operating after the project closes; the in-house team is not left holding it without backup.
Eight project deliverables, plus an ongoing fractional DPO service. Each deliverable was scoped to be sufficient on its own and to fit into the wider framework, so the client received a coherent end-to-end position rather than eight unconnected outputs. The first deliverable, the Data Protection Impact Assessment (DPIA), was a tailored DPIA covering prep, stakeholder interviews, materials review, gap analysis and a written report, aligned with Article 35 GDPR. The seven further deliverables spanned the IDTA / TRA, privacy notices, retention schedule, legacy DPA, cookie audit and consent guidance, each lifted directly from the engagement scope and built to a UK GDPR-aligned standard.
Senior-led, joined-up, end to end. Project lead: Rob Bateman, Senior Data Privacy Officer — led the project end to end, the eight programme workstreams, the DPO training and the day-to-day client interaction during delivery. Oversight: Nick Tyler, Chief Data Protection Officer, LS Law — provided senior oversight across the programme, ensuring the framework, the cross-border transfer position and the DPO support were joined up rather than parallel. Client relationship: Wendy Lloyd-Goodwin, General Counsel & Founder, LS Law — client relationship manager throughout, available on any queries, with regular check-ins through delivery and into the ongoing fractional DPO retainer.
The Outcome
Every gap closed — and a framework that keeps operating. By the end of the programme, the client had a working UK GDPR framework: DPIA process in place, IDTA and TRA in place for UK–US transfers, privacy notices and consent mechanisms aligned, retention schedule embedded, legacy DPA brought current, cookies handled, marketing consent positioned, and a trained in-house DPO equipped to carry the role. Underneath, the fractional DPO retainer is keeping the framework current month-to-month and surfacing anything that needs attention before it becomes an issue.
From gaps across the UK GDPR estate to a working, risk-based framework with ongoing DPO oversight. A complete UK GDPR remediation programme delivered in eight workstreams, paired with an ongoing fractional DPO service that keeps the framework operating after the project closes — including ICO registration, day-to-day support and an annual compliance review.
8 project deliverables. 12 months ongoing fractional DPO retainer. UK–US cross-border transfer position. 100% of identified gaps closed.
We have addressed everything highlighted in the analysis, which was incredibly helpful.
Looking for commercially-focused legal support?
Get in touch with us today to get the ball rolling.