GDPR Compliance for UK SMEs
Practical, ICO-aligned, Audit-ready
UK GDPR + Data Protection Act 2018 made operational for small and medium businesses. No enterprise-only templates. We deliver a Record of Processing Activities, lawful-basis register, DSAR workflow, and a breach playbook your team can actually run.
UK GDPR maximum penalty
Source: UK GDPR Article 83(5); Data Protection Act 2018, s.157. The ICO publishes its enforcement approach annually. Most SME enforcement starts with reprimands and improvement notices, not fines — but the cap is real.
What we deliver
Record of Processing (Article 30)
A clean, current RoPA covering every processing activity, lawful basis, retention period, and recipient. Built once, kept fresh through quarterly review prompts your team can complete in under 30 minutes.
DSAR + Rights Workflow
Subject Access Request handling sized for an SME inbox: identity verification, scope confirmation, redaction guidance, 1-month clock tracker. Includes templates for erasure, rectification, and objection requests.
Breach Response Playbook
72-hour ICO notification clock built into a runbook your on-call lead can actually follow at 2am. Severity matrix, communication templates, post-incident report aligned with ICO breach guidance.
Why UK SMEs need a different approach
ICO data-protection fee tier
Most SMEs sit in Tier 1 (£40/year) or Tier 2 (£60/year) under the Data Protection (Charges and Information) Regulations 2018. We confirm your tier, complete registration, and link it to your processing record so the two stay consistent.
DPDIA bill (formerly DPDI)
The Data Protection and Digital Information Bill changes consent, cookies, and senior responsibility rules. We track its passage and flag every change that affects your RoPA, your privacy notice, or your DSAR workflow — before they take effect.
Get a real picture in 15 minutes
We'll review your current state on the call and tell you the three priority fixes. No SaaS platform purchase required to act on what you learn.