UK GDPR, made simple
Plain-English UK GDPR guidance for small businesses — lawful bases, ROPA, retention, DPIAs, and what the ICO actually expects.
UK GDPR (the post-Brexit equivalent of EU GDPR) applies to every UK organisation that processes personal data — including sole traders. The fines are real, but the day-to-day requirements are mostly process and documentation, not technology.
The ICO's risk-based enforcement approach means the most common cause of a fine is not the original incident but the failure to report or document it. Get the paperwork right and most incidents are recoverable.
This pillar collects the lawful bases, ROPA templates, DPIA walkthroughs and breach-notification timelines you actually need as a UK SMB.
Tools that fit this pillar
Free interactive checks you can run right now — no account required.
Policy generator
Generate plain-English security policies (acceptable use, BYOD, incident response) tailored to your business.
Why here: Generate a privacy notice and ROPA template.
SMB cyber risk self-assessment
A 15-minute, plain-English self-assessment for small businesses — with a printable PDF report mapped to Cyber Essentials.
Why here: Surface the personal-data risks you currently carry.
Authoritative sources
We point you at the originals — government, regulator and standards bodies. Bookmark these.
- ICO — guide for organisations
- ICO — register as a data controller
If you process personal data and are not exempt, this is mandatory.
- ICO — report a breach