What we do
Your agency does marketing.
Your DPO does compliance.
We do both.
Most businesses treat data protection and marketing performance as competing priorities. We build the systems where they work together — because we've spent over a decade doing exactly that.
01
Your marketing works, but your consent mechanisms don't.
You're generating leads and running campaigns. But your tracking is leaking personal data, your consent management is a checkbox exercise, and the gap between what your privacy policy says and what your marketing technology actually does is wider than anyone wants to admit. One ICO enquiry and the whole thing unravels.
What we fix
- Consent architectures that satisfy both regulators and campaign performance
- Google Consent Mode V2 implementation — properly, not the default-settings version your CMP vendor deployed
- Tracking infrastructure that collects what you need without collecting what you shouldn't
- Legitimate interest assessments for marketing activities that actually stand up to scrutiny
- Privacy policies that reflect what your marketing technology genuinely does
Why us
We've spent seven years implementing compliant tracking architectures across enterprise accounts in UK and European markets. We led The Energy Cell's Consent Mode V2 rollout across their entire client base, achieving Google Partner status through technical leadership in this exact space. We know what the regulators expect because we read the enforcement actions. We know what actually works because we run the campaigns.
02
You know you need data protection sorted. You don't know where to start.
GDPR has been in force for eight years and your compliance still lives in a spreadsheet someone created in 2018. Your processor agreements are unsigned or outdated. Your data mapping is incomplete. You collect personal data across half a dozen platforms and nobody can tell you exactly what goes where. It's not malicious — it's just that nobody with the right expertise has ever sat down and built the architecture properly.
What we build
- Data protection strategies grounded in how your business actually operates, not a template
- Data Protection Impact Assessments for marketing campaigns, lead generation, and customer communications
- Processor and controller agreements that reflect your real data flows
- International data transfer mechanisms for businesses operating across the UK and EU
- Records of processing activities that are maintained, not forgotten
Why us
Andy is ICO registered, a member of the IAPP and BCS, and holds the AI Governance Professional credential — backed by two decades of building compliant systems in financial services and international advisory. This is not theoretical knowledge. It comes from operating in regulated environments where data protection failures have real consequences — from FCA-regulated financial promotions to cross-border advisory services spanning Cyprus, Ireland, Germany, and the UK.
03
Your marketing data is unreliable and you're making decisions in the dark.
Your GA4 is double-counting conversions. Your attribution model credits the last click because nobody configured anything better. Your Google Ads reports don't match your CRM. Your agency sends a monthly report that looks impressive but you can't verify a single number in it. The technology is there — it's just not implemented properly, and nobody on your team or at your agency has the technical depth to diagnose what's wrong.
What we implement
- GA4 architectures that actually measure what matters — configured properly, not default-installed
- Conversion tracking that reconciles across Google Ads, GA4, and your CRM
- Google Tag Manager configurations built for maintainability, not just expedience
- Multi-channel attribution frameworks that go beyond last-click guesswork
- Executive dashboards in Looker Studio that your leadership team will actually read
Why us
Ola holds all ten current Google Ads certifications and manages analytics infrastructure across a diverse enterprise client portfolio. She was instrumental in achieving Google Partner status for The Energy Cell through technical excellence — not spend thresholds. The work includes diagnosing and resolving conversion tracking failures for a European commercial equipment supplier, a fix that delivered a 21% increase in qualified lead capture. When we say we can fix your measurement, we mean we've already fixed harder problems than yours.
04
You need content, but your agency can't write for a regulated industry.
You're a financial advisor, wealth manager, or IFA. You know content marketing works — you've seen competitors building authority through regular publishing. But every piece your marketing agency delivers reads like it was written by someone who has never opened an FCA handbook. You can't put your name to it. And you don't have the time to write it yourself, because you're busy advising clients. So nothing gets published, and the competitors who do publish keep pulling ahead.
What we write
- FCA-compliant financial content that advisors and directors can publish under their own name with confidence
- Articles, guides, and thought leadership that demonstrate expertise without triggering regulatory risk
- Content strategies for regulated firms — what to publish, where, how often, and what to avoid
- Ghostwritten material that sounds like you, not like a compliance department or a copywriter
Why us
Andy has written FCA-compliant financial content for financial advisors and advisory firms for nearly twenty years — first through the international advisory space at Expatra, then through direct consultancy engagements with financial services partners. This is not copywriting with a compliance review bolted on. The compliance is built into the writing itself, because the writer understands both the regulations and the audience. Most marketing agencies cannot do this. Most compliance consultants would not think to offer it.
05
AI is in your marketing stack. Your governance isn't keeping up.
Your team is using AI tools for content generation, campaign optimisation, audience segmentation, and customer interaction. Some of this you approved. Some of it happened without anyone asking. Nobody has assessed what personal data these tools process, where it goes, what the retention policies are, or whether you have a lawful basis for any of it. The regulatory landscape is moving fast — the EU AI Act is in force, the UK's approach is emerging, and your current position is hope that nobody asks.
What we establish
- AI governance frameworks for marketing operations — proportionate, practical, and aligned with your risk appetite
- Impact assessments for AI tools processing personal data in marketing contexts
- Acceptable use policies that your marketing team will actually follow
- Vendor assessments for AI-powered marketing tools — what they process, where it goes, what your obligations are
- Readiness assessments for the EU AI Act's requirements as they come into effect
Why us
Andy holds the IAPP's AI Governance Professional (AIGP) credential — one of the first purpose-built qualifications for AI governance. Combined with his data protection credentials (BCS, ICO registration, IAPP membership) and two decades of compliance architecture in regulated environments, Penby is positioned to address AI governance not as an abstract framework exercise but as a practical extension of the data protection and marketing technology work we already do.
06
Your lead generation works. Your consent trail doesn't.
You're generating enquiries through content, paid campaigns, and partner referrals. But if someone asked you to prove — right now — that every lead in your CRM consented to be contacted, for the specific purpose you're contacting them about, with a clear record of when and how that consent was obtained, you'd struggle. And in financial services or any regulated sector, that's not a minor administrative issue. It's an existential risk.
What we build
- Lead generation systems designed around consent from the start — not compliance retrofitted onto an existing funnel
- Content-led acquisition strategies that build authority and generate enquiries without compromising on data protection
- Compliant data capture architectures with auditable consent records at every touchpoint
- Partner and referral frameworks with clear data controller/processor responsibilities
- Lead nurture workflows that respect consent boundaries and PECR requirements
Why us
We built and operated a lead generation engine at scale for nearly two decades — delivering consistent, high-quality enquiries to financial advisory clients through content marketing rather than paid advertising. At peak, the system served over 150,000 monthly visitors and generated leads that met both FCA compliance and GDPR requirements simultaneously. We've reduced cost-per-lead by 88% for client acquisition campaigns while maintaining full regulatory compliance. This is not a theoretical capability. It is a documented, measurable track record.
Not sure which of these is your starting point?
Most of our engagements start with a conversation — not a pitch. Tell us what's broken and we'll tell you honestly whether we can help.
Start a conversation
No forms beyond an email. No sales funnel. Just a conversation.