Monday, September 15, 2025

Interview With Zoë Hewett – Managing Executive at DQM GRC by Shauli Zacks


Shauli Zacks

Published on: September 15, 2025
Content Editor

SafetyDetectives recently interviewed Zoë Hewett, Managing Executive at DQM GRC, a UK-based consultancy with more than 25 years of experience helping organizations manage and protect data. Zoë shared insights into how DQM GRC supports businesses with GDPR compliance, privacy-by-design, and risk management, while also discussing the evolving challenges around AI, global privacy laws, and the future of integrated governance, risk, and compliance solutions.

Tell me about DQM GRC. What are its flagship services and what makes it unique in the governance, risk and compliance space?

DQM GRC has been helping organisations manage and protect data for more than 25 years. We’re a UK-based consultancy with a global reach, supporting clients in industries from finance and publishing to utilities and government. We specialise in GDPR compliance, privacy-by-design, data auditing, data tracking and risk management, offering hands-on support and proprietary tools to help organisations manage data securely and ethically.

What makes us unique is how we approach these challenges. We don’t just advise from a distance; we work side by side with clients to put solutions in place that actually work in practice. And because we’re part of a wider group, our clients also benefit from legal expertise and cyber security services, meaning we can provide an integrated approach across governance, risk and compliance.

At the heart of it all is a belief that data protection builds confidence. When organisations handle data well, they create stronger relationships with customers and partners, and that trust opens the door to innovation and growth.

Can you introduce yourself and talk about your role at DQM GRC?

I’m the managing executive at DQM GRC and I’ve worked in the data world for over 25 years, with the last 8 dedicated to privacy. My career has largely centred on leading complex projects and managing multidisciplinary teams with expertise in areas such as analytics, database building, segmentation and privacy, across industries including telecoms, government and utilities.

When COVID hit, I guided the business through the transition to fully remote working, which has helped shape the way we operate today. I’m really fortunate to manage an incredibly skilled and diverse team of privacy consultants, lawyers, DPOs, DSAR specialists, auditors, researchers and of course our specialist seeding team. Their expertise is what makes our work possible and my role is to bring that talent together so we can deliver meaningful outcomes for clients.

Everything we do is focused on minimising data risks and helping organisations achieve compliance with the relevant legislation. We do this through a trusted partner approach, combining the team’s deep knowledge with a real understanding of our clients’ challenges. So the support we provide isn’t just about compliance, but also about building trust.

What are some of the biggest challenges your clients are facing right now?

One of the biggest challenges is simply knowing where to start. Privacy can feel like a minefield, and day-to-day business can easily distract from tackling it properly. That’s why choosing the right partner can make such a difference. A gap analysis helps organisations understand where they are now in terms of compliance, build a remediation plan and, most importantly, stick to it.

Another common issue is not knowing what you don’t know. Technology is evolving at pace, with AI being the obvious example. Without the right repeatable processes in place, it can be hard for teams to evaluate risks consistently and protect the organisation. This is another area where external support can provide the structure and reassurance clients need.

And then there’s the global picture. Businesses increasingly operate across borders, but privacy laws don’t always align. Clients are looking for ways to bring those different requirements together into something that works for their business while still being straightforward for their customers to understand.

How do you approach helping organisations improve their data protection and compliance posture?

Our starting point is always understanding. We take the time to get under the skin of an organisation – what pressures they face, what resources they have and what their goals are. A gap analysis is usually the first step, because it gives us a clear view of current risks and opportunities. From there, we create a plan together, tailored to their priorities and capacity.

We never take a one-size-fits-all approach. Compliance only works if it’s realistic and sustainable. Our focus is on embedding it into the culture of the organisation so that it becomes second nature rather than an extra burden.

What role do you see emerging technologies like AI playing in governance and compliance?

AI is rapidly becoming part of how organisations manage governance and compliance. It can automate processes, flag risks earlier and make monitoring more efficient. But it also brings a new set of responsibilities around transparency, accountability and fairness. Regulators are already responding, with the EU AI Act, GDPR and the UK’s evolving framework setting the direction.

For organisations, this means building strong foundations: documenting how AI systems are developed and deployed, conducting regular audits and risk assessments, and ensuring decisions can be explained clearly to regulators, customers and stakeholders.

The ISO/IEC 42001:2023 standard is a particularly exciting development. It offers a structured way to manage AI risks and align with multiple regulatory frameworks. It makes compliance more coherent, reduces the panic that often comes when new rules arrive and gives teams a practical roadmap to follow.

At DQM GRC, we’re preparing clients for this shift by offering services like AI gap assessments, training and support for DPIAs and fundamental rights assessments, as well as representation under the EU AI Act.

Looking ahead, I think AI will free up privacy and compliance teams to focus less on administration and more on strategy and ethics. The real value of humans in this space will be their judgment and ability to ask the right questions. AI can help with the “how”, but people will remain essential in deciding the “should”.

Looking ahead, what’s your vision for DQM GRC over the next few years?

The last year has been a big one for us. Being acquired by Bloom Equity Partners in 2024 has given us the resources to invest more deeply in our services and expand our capabilities. As part of that journey, we’re rebranding under a single identity – GRC Solutions – which will bring together DQM GRC and the rest of our group.

By the end of this year, DQM GRC will become the Privacy Division within GRC Solutions. That means our clients will still have the specialist expertise they value, but with the added benefit of integrated governance, risk and compliance support across the group.

Our aim is to remain a trusted partner for organisations navigating the complex world of data protection – helping them reduce risk, manage compliance, and build lasting trust with the people whose data they hold.
