GDPR Compliance Advisory UK —
Data Protection Done Right

Any website that collects personal data — through contact forms, cookies, analytics or email signups — must have a privacy notice. GDPR requires individuals to be informed about how their data is used at the point of collection. A missing privacy notice is one of the most common ICO investigation triggers.

Many businesses use consent as the lawful basis for all data processing — without realising that legitimate interests, contract or legal obligation are more appropriate (and more practical) for many processing activities. Consent must be freely given, specific, informed and unambiguous — and can be withdrawn at any time, stopping all processing relying on it.

A DSAR gives an individual the right to receive a copy of all personal data held about them — the business must respond within 1 month (extendable to 3 months for complex requests). Missing this deadline is an automatic ICO compliance issue. We establish DSAR procedures for every client so responses are timely and complete.

Personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of becoming aware. Many businesses delay reporting while assessing the impact — but the 72-hour clock starts immediately on becoming aware that a breach has occurred.

Yes — UK GDPR applies to virtually all UK businesses that process personal data, regardless of size or turnover. The only exception is purely personal/household use of data. Processing employee payroll data, storing customer contact details or using Google Analytics on your website all constitute personal data processing that is subject to UK GDPR.

Most organisations that process personal data for purposes other than purely personal use must pay the ICO’s annual data protection fee and register on the ICO’s register of controllers. The fee is £40/year for small organisations, £60 for medium and £2,900 for larger organisations. Some limited exemptions exist. We check ICO registration requirements for every client and manage registration on their behalf.

Every personal data processing activity must have a lawful basis under UK GDPR Article 6. The six lawful bases are: consent (freely given, specific and informed), performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests (where the legitimate interests of the controller override the individual’s rights). We assess the correct lawful basis for every data processing activity as part of our GDPR gap assessment.

A DSAR gives any individual the right to request a copy of all personal data an organisation holds about them, along with information about how it is used, who it is shared with and how long it is retained. The organisation must respond within 1 month (extendable to 3 months for complex or numerous requests). The response must include all personal data — from emails, CRM systems, payroll, HR files and any other records.

Immediately assess the breach — what data was affected, how many individuals, what is the risk of harm. If the breach is likely to result in a risk to individuals’ rights and freedoms (financial loss, discrimination, reputational damage, physical harm), it must be reported to the ICO within 72 hours using the ICO’s online breach notification form. If high-risk, affected individuals must also be notified without undue delay. We advise on breach assessment and manage ICO notification within the 72-hour window.