We deliver GDPR:

with tailored and pragmatic hands-on support, services and solutions

to help you maintain a GDPR compliant

Minimum Viable Position (MVP)


  • Analysis and documentation of business processes and data flows to enable compliance and performance improvement
  • Supporting business owners in determining Lawful Bases for processing personal data, including support in the execution of Legitimate Interest Assessments
  • Creation and maintenance of Records-of-Processing-Activities to align with ICO guidance (Article 30)
  • Planning, prioritisation and execution of Risk and Privacy Impact Assessments (DPIA – Article 35) to align with PIA tooling (for example, as recommended by the French Supervisory Authority, CNIL)
  • Analysis and documentation of Data Retention policies to adhere to minimisation principle
  • Review of cross-border data transfers to ensure adequate data protection
  • Alignment with IT service management, security, and quality management best practices and standards (e.g. ITIL, CMMI, ISO2700x, ISO900x)
  • Supporting your legal representative, DPO and business units in reviewing and maintaining Data Processing Agreements with 3rd party providers to achieve GDPR alignment
  • Review and updates to Privacy Statements, Data Protection, Cookie Policies, and roles and responsibilities to reflect GDPR requirements
  • Execution and support of Data Subject Access Requests to enable timely responses
  • Documentation and supervision of Data Breach Management activities to support tight response timelines
  • Programme and Project Management (Agile and Waterfall) aligned with PMI® standards to enable changes to processes and technologies
  • Integration of Privacy-by-Design principles into existing processes, policies and procedures
  • Management of stakeholders in a multi-vendor delivery environment and review and improvement of existing governance structures
  • Delivery of training modules to achieve ongoing awareness
  • Management Of Change and guidance to organisational readiness aligned with Prosci ADKAR® Model to achieve lasting business change
  • Alignment of IT services to the client’s business strategy
  • Delivery and Management of Integrated Business and IT Change

Personable and approachable, we seamlessly integrate into your organisation.

Discover how ACTINUM Limited can help your organisation.

Click here to contact us for a FREE 30 minutes no-obligation call to discuss your specific requirements.


Achieve GDPR Compliance

A Systematic Approach to GDPR Compliance

The General Data Protection Regulation (GDPR) was introduced in April 2016 and became enforceable on 25 May 2018. It applies to the processing of personal data of data subjects (natural persons) within the EU by data controllers and processors, regardless where in the world the processing takes place. The GDPR is here to stay for years to come and compliance is not optional.

Acknowledge these facts and make a firm commitment to make it work for your organization and you will reap benefits across the entire enterprise.

GDPR compliance is not achieved through a “once-and-done” project, but requires an ongoing commitment to accountability, maintenance and support by everyone for an organisation to stay compliant.

ACTINUM Limited recommends to follow the proven systematic steps outlined below to become and stay GDPR compliant. You can count on ACTINUM Limited to help you all the way with our comprehensive service offering.

Establish Clear Accountability for GDPR Compliance in the Boardroom

  • Get the Boardroom “on board” through regular updates and coaching.
  • Gain firm commitment from the Boardroom, document it and communicate it – Only a real desire and visible and verifiable support for accountability at the highest level will ensure lasting organisational change and ongoing compliance.
  • Assign a GDPR sponsor from within the Boardroom team (e.g. a Director for a Limited, identified at Companies House).
  • Check that your organisation is registered with the ICO, as required. Take the ICO’s registration self-assessment.
  • Determine if you need, or voluntarily wish to appoint a Data Protection Officer (DPO) who will report to the highest level of management.
  • Review your corporate risk management processes and risk register and incorporate Data Protection into it.

Define the scope of your GDPR compliance programme

  • Appoint a change / project manager with a background in data protection / GDPR who reports either to the DPO or to the boardroom sponsor.
  • Determine which parts of your business are in scope of your GDPR compliance programme (e.g. sub-units, territories, etc), and define separate project stages / waves to reduce complexity if needed.
  • Identify existing policies, procedures and processes.
  • Build-in data protection by design from the beginning of every change you plan to apply.
  • Nymity Research™ (now TrustArc) has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has mapped these to the Nymity Privacy Management Accountability Framework™. The result is the identification of 55 “primary” technical and organisational measures that, if implemented, may produce documentation that will help demonstrate ongoing compliance with your GDPR compliance obligations (some activities may not apply to your organisation).

Conduct a structured gap analysis

  • Document your current position. Start Top-Down.
  • Determine what gaps there are vis-a-vis GDPR requirements.
  • Identify and prioritise any required remediation actions.

Create a data inventory and document how data flows through your processes and systems

  • What categories of data do you hold? Any special category data?
  • Where does the data come from, where is it sent to?
  • What are the lawful bases for the processing? Why?
  • Conduct Legitimate Interest Assessments (LIA) where required, balancing your interests with the rights and freedoms of the individual data subjects.
  • If you send your data outside the UK / EU / EEA boundaries perform a Transfer Impact Assessment (TIA).
  • Review and determine data retention periods.
  • Identify, appraise and prioritise risks in your data processing activities.
  • Determine if Data Protection Impact Assessments (DPIAs) are required.

Update and develop policies, procedures and processes

  • Update externally facing privacy statements and cookie notices and banners, as well as internal data protection and security policies.
  • Determine how you identify and process the rights of a data subject (DSARs).
  • Determine how you manage Data Breaches and execute within 72 hours. Test the effectiveness of your response processes annually like a fire-drill.
  • Document ROPA – record of processing activities wrt personal data.
  • List, review and update your contracts (e.g. with processors, employees, vendors, etc).
  • Determine how you identify if a DPIA is required, and how to execute it.
  • Review your existing data transfers outside the EEA for compliance.
  • Define current consent mechanisms and ensure GDPR compliance (you may need to update your website).
  • If your organisation sends electronic marketing messages, consider the Privacy and Electronic Communications Regulations (PECR) as well as GDPR.
  • Clean-up your data bases and purge data where indicated.

Ensure data security through organisational and technical measures

  • Update / document your information security policy.
  • Determine who has access to which systems, what data, and why.
  • Implement controls, e.g. Cyber Essentials.
  • Work with your IT provider(s) (in-house and/or outsourced) to implement encryption and/or pseudonymization of personal data.
  • Determine how you identify and process data breaches.

Management of Change  / Communications

  • Review and update job specs where indicated.
  • Create / update your organisational training plan wrt GDPR.
  • Train your staff regularly in the principles of GDPR and their roles and responsibilities in adhering to your (updated) policies and procedures.

Ongoing Compliance Monitoring and Maintenance

  • Schedule regular audits of data processing activities and security controls.
  • Keep your records, policies, procedures, and contracts up-to-date.
  • Undertake DPIAs where required.
  • Monitor and actively manage Data Subject Rights (DSARs), execute within 30 days.
  • Monitor and manage Data Breaches, execute within 72 hours.
  • Regularly report to the Boardroom the status of your organisation’s GDPR compliance and risks.

Our Services

You can rely on ACTINUM Limited to guide you through your compliance programme using the systematic approach outlined above. Our advice and deliverables are aligned with guidance provided by the ICO.

The change management approach we employ is underpinned by the Prosci® ADKAR® model, and we are using project and programme management standards aligned with PMI®.

We are approaching our work with an Agile mind-set and recommend short and targeted iterations (preferably days not weeks). This leaves you firmly in control of your budget and spend according to your business priorities and within your affordability parameters. After each iteration you decide what to do next.

We recommend that each iteration will be delivered to a pre-agreed Fixed-Fee-Fixed-Scope scenario, which provides you with targeted and pragmatic solutions, along with recommendations for next steps, for as long as needed.

As part of our services, we work with you to update and/or create policies and process documentation that is tailored to your specific needs, because no one-size fits all.

The services that ACTINUM Limited delivers are mostly technology agnostic. However, you can gain additional benefits from the fact that we are an associate of OneTrust, a global leader for GDPR and Privacy Management Software.

Where appropriate, ACTINUM Limited uses OneTrust software during our service delivery at our discretion, but we are not a SaaS reseller. However, on your instruction, we are happy to facilitate a short trial period during which we support you in assessing the suitability of the OneTrust GDPR Platform for your specific circumstances and requirements (“try before you buy”).


ACTINUM Limited are not lawyers and the advice we provide is general business advice only. Although we are very proud of our deep knowledge of EU data protection and privacy laws and practices, the advice we provide  is not formal legal advice. You are strongly advised to engage with your lawyer and seek independent legal advice if you are in any doubt.

ACTINUM Limited takes all reasonable care to ensure that our services and advice are fair and accurate but we cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this web-site, however such loss or damage is caused.


ACTINUM Limited helps organisations accelerate their transformation and change journey to do more with data, effectively and securely, and support compliance with regulations (e.g. GDPR).

Highly experienced in Data, Privacy and Business Change Project / Programme Management, expertly delivering complex business and IT transformation projects and programmes that enable clients to achieve business value faster – typically delivering positive ROI within <1 year.

Key strengths include:

• providing experience and hands-on support to guide clients towards readiness and compliance;

• delivering gap analysis and helping clients define road maps aligned with their business strategy;

• working collaboratively and communicating clearly with stakeholders at all levels to build positive relationships and a shared purpose as one team;

• operating as an effective interface across functions and between business and technical teams and 3rd parties to bring together competing agendas and drive delivery to quality, schedule and budget;

• building, leading and mentoring multi-disciplinary teams to meet demanding deadlines and shifting priorities;

• aligning business change activities with technological projects to achieve lasting change on individual and organisational level which delivers tangible outcomes; and

• managing critical situations, taking ownership of failing projects to remove barriers to progress in challenging and evolving environments.

Carsten Holstein

Director / Founder and Principal Consultant


Getting in touch

Please visit us on LinkedIn:


or by emailing info [at] actinum [dot] co [dot] uk.

Thank you.


Privacy Statement

ACTINUM Limited Privacy Statement

Last update: 2022-01-11 @ 16:59
*) Date and time in the United Kingdom.


  • Introduction
  • Who we are
  • Companies and websites within scope
  • Collection of personal data
  • Lawful bases for the processing of personal data
  • Storage of personal data
  • Security measures
  • Your rights as a data subject
  • Complaints


Thank You for the trust you place in us when sharing your personal data. The security of that data is very important to us. This document explains how we collect, use and protect your personal data.

We also explain what rights you have with regards to your personal data and how you can exercise those rights.

Who we are

ACTINUM Limited is the data controller and determines what data is collected, how this data is going to be used and how this data is protected.

Our registered office address is:

ACTINUM Limited,
c/o Intouch Accounting,
Everdene House,
Deansleigh Road,
United Kingdom

ACTINUM Limited is registered in England & Wales, company number 10589083.
ICO Registration number: ZA316096

If you have questions about how we process personal data, or would like to exercise your data subject rights, please contact us via our contact page or by emailing info [at] actinum [dot] co [dot] uk.

Companies and websites within scope

The following companies and websites are within scope for this privacy statement:

ACTINUM Limited www.actinum.co.uk

Unless specifically stated, we consider our websites to be UK based websites; see section “Storage” for more information on non-EU data processing.

This privacy statement covers personal data that is collected through our websites, by telephone, by email, postal mail, through LiveChat and through any related social media applications.

Collection of personal data

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us.
  • You have signed a contract with us.
  • You have made a complaint to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job or tender with us.
  • You are representing your organisation.

We collect personal data from you for one or more of the following purposes:

  1. To provide you with information that you have requested or which we think may be relevant to a subject in which you have demonstrated an interest;
  2. To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services;
  3. To fulfill a contract that we have entered into with you or with the entity that you represent;
  4. To ensure the security and safe operation of our websites and underlying business infrastructure, and
  5. To manage any communication between you and us.

The table in section “Lawful Bases” provides more detail about the data that we collect for each of these purposes, the lawful basis for doing so, and the period for which we will retain each type of data.

In addition, and in order to ensure that each visitor to any of our websites can use and navigate the site effectively, we may collect the following:

  • Technical information, including the Internet Protocol (IP) address used to connect your device to the Internet;
  • Your login information, browser type and version, time zone setting, browser plug-in types and versions;
  • Operating system and platform;
  • Information about your visit, including the Uniform Resource Locators (URL) clickstream to, through, and from our site.

Our Cookie Policy describes in detail how we use cookies.

In section “Your rights”, we identify your rights in respect of the personal data that we collect and describe how you can exercise those rights.

Lawful bases for the processing of personal data

The table below describes the various forms of personal data we collect and the lawful bases for processing this data. Our business architecture, accounting and systems infrastructure and compliance organisation means that all personal data is processed on common platforms. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes, as the table below shows. Some data may be shared with third parties and, where this happens, this is also identified.


Purpose of collection Information category Data collected Purpose for collection Lawful basis for processing Data shared with? Retention period
1. To provide you with information Subject matter information Name, company name, geographic location, email address, business sector. To provide appropriate online or email information about services that you have requested Contractual Internally only Maximum 7 years from the end-date of the performance of the contract.
To provide further, related, online or email information and ongoing news updates in relation to the identified area of interest. Legitimate interest Internally only 6 months if a marketing email is left unopened, or no response received.
Telephone number Follow-up to ensure requested information meets needs and identify further requirements Legitimate interest Internally only Maximum 7 years from the end of the contract date the information is collected
Personal contact information as provided through website forms or at trade shows or any other means. General mailing list subscription Consent Internally only Until Consent is withdrawn, or maximum 18 months after the date of last interaction, which ever is the earlier.
2. Transaction information Transaction details Name, physical address, email address, telephone number, bank account details, other medium of content delivery To process purchase transactions for services with customers, and to ensure any transaction issues can be dealt with. Contractual Internally and professional advisers Maximum 7 years from the end-date of the performance of the contract.
For accounting and taxation purposes Statutory obligation Internally and professional advisers Maximum 7 years from the date of the performance of the contract.
Documentation should any contractual legal claim arise Legitimate interest Internally and professional advisers Maximum 7 years from the end-date of the performance of the contract.
3. Fulfillment information Fulfillment data Name, dietary requirements Appropriate catering arrangements for training courses Contractual Internally and training venues Maximum 7 years from the date of the performance of the contract.
Name, contact and identification details Access to training courses, attendance registers Contractual Internally and training venues
Name, address(es), email address, contact details Actual delivery of products or services, in physical or digital form, that you may have purchased from us. Contractual Internally and any third party logistics or supplier companies with whom we contract in order to fulfil these requirements.
4. Security Security information Technical information and any other information that may be required for this purpose To protect our websites and infrastructure from cyber attack or other threats and to report and deal with any illegal acts. Legitimate interest Internally, forensic and other organisations with whom we might contract for this purpose. Relevant statutes of limitation
5. Communications Contact information Names, contact details, identification details To communicate with you about any issue that you raise with us or which follows from an interaction between us. Legitimate interest Internally and, as necessary, with professional advisers. Relevant statutes of limitation.


Storage of personal data

ACTINUM Limited is a UK-domiciled organisation whose primary offices are in the UK.

  • Our websites and web applications are hosted in the EU and are accessed only by our EU-based staff.
  • Our customer relationship management, marketing and accounting systems for our business are either EU-based or hosted by companies who were participating in the (now defunct and yet to be replaced) EU – U.S. Privacy Shield Framework.
  • We use a range of Cloud Service Providers (CSPs) as part of our processing environment. Unless we specifically state otherwise, we are, in respect of all these CSPs, the data controller.
  • Unless we specifically state otherwise all of the CSPs that we use utilise EU-located processing facilities.
  • Our payment processors and banking arrangements are based in the UK.
  • We operate a data retention policy in respect of all data, whether paper-based or digital and those aspects of it which relate to personal data are contained in the table  above.

Security measures

We have appropriate security controls in place to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our information security management approach.

We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and that you should take appropriate steps to safeguard your own information.

We accept no liability in respect of breaches that occur beyond our sphere of control.

Your rights as a data subject

As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please contact us via our contact page or by emailing info [at] actinum [dot] co [dot] uk.

In order to process your request, we will contact you and ask you to provide two valid forms of identification for verification purposes.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

We will inform you if answering requests is likely to require additional time or incurs unreasonable expense (which you may have to meet). We will explain if there are exceptional circumstances that mean we can refuse to provide the information. We reserve the right to refuse requests that are frivolous or vexatious.

Your rights are as follows:

Your right to be informed
As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy statement and any related communications we may send you.

Your right of access
You have the right to ask us for copies of your personal information we hold. This right always applies. We will verify your identity and, if relevant, the authority of any third-party requester. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right at the ICO.

Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right at the ICO.

Your right to erasure (the ‘right to be forgotten’)
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right at the ICO.

Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right at the ICO.

Your right to object to processing

You have the right to object to our processing of your data where

  • Processing is based on legitimate interest;
  • Processing is for the purpose of direct marketing;
  • Processing is for the purposes of scientific or historic research;
  • Processing involves automated decision-making and profiling.

You can read more about this right at the ICO.

Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right at the ICO.

Please contact us via our contact page or by emailing info [at] actinum [dot] co [dot] uk , if you wish to make a request.


Should you wish to discuss a complaint, please feel free to contact us using the details provided above via our contact page or by emailing info [at] actinum [dot] co [dot] uk. All complaints will be treated in a confidential manner.

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the United Kingdom, this is the Information Commissioner’s Office (ICO), who is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/.