Frequently Asked Questions For UK GDPR Compliance

GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for collecting and processing personal data in the UK and EU. If you store or manage any personal information, even just names or email addresses, GDPR likely applies to you.

Personal data includes any information that can identify a person directly or indirectly, such as names, emails, location data, photos, purchase history, or even IP addresses.

Size doesn’t matter. Whether you are a sole trader working from home or a 50-person agency, the same rules apply. The ICO has fined businesses with just 2 employees in the past.

No, B2B contact details are still personal data. That spreadsheet of client contacts? It is covered by GDPR.

Paper records count too. That filing cabinet full of customer details is subject to GDPR requirements.

Beyond fines (up to 17.5M or 4% of turnover), the bigger cost is reputational. Customers, partners, and regulators lose trust fast when data isn’t handled properly.

We recommend reviewing your privacy policy at least once a year or whenever there are significant changes to how you collect, use, or store data like launching new services, tools, or marketing channels.

Password-protected devices, two-factor authentication, regular software updates, secure cloud storage, and staff training on recognising phishing attempts.

Any incident where personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed.

This includes:
Sending emails to wrong recipients
Losing laptops or USB drives with personal data
Hacking or cyber attacks
Disposing of documents insecurely
Unauthorized staff accessing customer records

Within 72 hours of becoming aware of the breach, where feasible. If you report after 72 hours, you must explain the delay. If the breach is likely to result in a “high risk” to individuals’ rights and freedoms, you must also inform the affected individuals “without undue delay” and in clear, plain language.

We simplify the entire process. You get clear guidance, templated responses, and ongoing support so you stay compliant without feeling overwhelmed or missing a deadline.

Nope! We also support individuals who want to exercise their rights, such as requesting their data or filing complaints. Everyone deserves control over their personal information.

Not every business needs a formal DPO, but having an expert in your corner can help you avoid compliance risks. Our Virtual DPO service offers flexible access without the full-time cost.

Absolutely. Our subscription model was built for startups and SMEs. Practical, scalable, and affordable. We make data protection as easy as managing your email.

The 7 principles are: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Security; and Accountability.

You need a legal reason to process data (like consent or legitimate interest), be fair about how you use it, and tell people clearly what you are doing. No 20 page privacy policies in legal jargon!

Only use data for the specific reasons you collected it. If you collect emails for newsletters, don’t use them for sales calls. If you have customer addresses for delivery, do not sell them to marketing companies.

Only collect what you actually need. That contact form asking for 15 fields when you only need 3? Trim it down. Default to collecting less, not more.

Do not keep data forever. Set retention schedules (for example, customer data for 7 years, marketing leads for 2 years) and delete old files regularly.

Regular data cleansing (remove bounced emails), easy ways for customers to update their details, and not keeping obviously outdated information.
