Designing a GDPR privacy governance programme for a major consumer financial services brand
Our principal consultant served as head of group privacy counsel for one of the UK's largest consumer financial services organisations, designing and implementing a comprehensive GDPR privacy governance programme including a robust DSAR (Data Subject Access Request: an individual request to access personal data held by an organisation, with defined legal response timelines under UK/EU GDPR) framework covering 3.3M+ customers and 4,600+ staff.
Experience of Ita Thomas, CIPP/E, CIPM, LSE AI Ethics · Last reviewed March 2026
Sector: Consumer Finance
Scale: 3.3M+ customers
Role: Head Privacy Counsel
Outcome: 99%+ GDPR compliance
Context
As one of the UK's largest financial services brands with assets under management exceeding tens of billions, the organisation was committed to building best-practice GDPR privacy governance infrastructure. With a customer base of over 3.3 million and a workforce of 4,600+ staff, the programme required a comprehensive approach to GDPR compliance covering all business lines.
What Was Delivered
Led the comprehensive GDPR compliance framework implementation covering the full 3.3M+ customer base and 4,600+ staff across the organisation.
Designed and implemented an end-to-end DSAR lifecycle framework from intake to fulfilment and closure, structured to handle requests across multiple business lines.
Established clear role ownership, escalation points, and approval checkpoints aligned with Board Risk Committee and Executive Leadership Team expectations.
Provided strategic privacy counsel to the Board Risk Committee and Executive Leadership Team, supporting digital transformation initiatives.
Created response templates and evidence logging workflows to ensure consistency and build a defensible audit trail.
Designed and delivered comprehensive GDPR training programmes that enhanced privacy awareness across 3,000+ employees.
Outcomes
Comprehensive GDPR compliance framework successfully implemented covering 3.3M+ customer base and 4,600+ staff.
DSAR handling framework achieving 99%+ regulatory compliance within statutory timeframes.
Clear process ownership and decision accountability documented at every stage.
GDPR awareness significantly strengthened across the organisation through structured training programmes.
Stronger regulatory readiness and confidence across leadership and operational teams.
Enhanced customer experience through predictable, transparent, and timely rights handling.
Why this matters
Compliance credibility is one of the strongest enterprise trust signals, and one of the easiest to lose. A single data breach or regulatory fine can erode years of customer confidence. For consumer-facing financial services organisations, robust GDPR governance and DSAR handling demonstrate operational maturity to regulators, provide assurance to the board, and deliver better outcomes for customers exercising their rights.
This direct experience leading GDPR programmes for major UK financial services brands informs how PrivacyAlgo approaches every engagement, from board-level advisory to operational implementation.