UK GDPR Compliance Checklist for Small Businesses (Without the Headache) | Athlex

8 minutes read

Running a business in the UK already comes with enough admin to make you question your life choices. Data protection should not be the thing that tips you over the edge.

If you collect personal data (and you probably do, even if it is “just” website enquiries, staff records, or customer emails), you need the basics in place. The good news: UK GDPR compliance is very doable when you focus on what actually matters.

This guide gives you a clear, practical checklist you can work through. No jargon. No panic. Just the steps that reduce risk and build trust.

If you want someone to sanity check it all, Athlex can help too, either one off or as your outsourced DPO. (More on that later.)

What counts as “personal data” in practice?

Personal data is information that can identify someone, directly or indirectly. Think:

  • Names, emails, phone numbers
  • Customer account details
  • IP addresses and online identifiers
  • Staff HR files and payroll details
  • CCTV footage (yes, still personal data)

If your business collects any of that, UK GDPR applies.

The Athlex UK GDPR checklist

1) Write a privacy notice that matches reality

Your privacy notice is how you meet the transparency requirement: telling people what you do with their data, in a way they can understand. The ICO expects privacy information to include the required points under the transparency obligations (including Articles 13 and 14). (ICO)

Quick win: check your privacy notice answers these questions:

  • What data do you collect?
  • Why are you collecting it (your purposes)?
  • What lawful basis are you relying on?
  • Who do you share it with (like processors and platforms)?
  • How long do you keep it?
  • What rights do people have and how do they use them?
  • How can they contact you (and the ICO)?

If your notice is a copy paste from 2019, it is not “fine”. It is a trust leak.


2) Sort your cookies and tracking (because the internet is nosey)

If your website uses analytics, marketing tags, pixels, embedded content, or anything that stores or accesses info on a user’s device, you need to follow the PECR rules on “storage and access technologies”. The ICO’s guidance explicitly covers cookies, tracking pixels, fingerprinting techniques, scripts and tags, and explains that PECR allows this only in certain circumstances or with valid consent. (ICO)

Also worth knowing: the ICO notes its storage and access guidance is under review due to the Data (Use and Access) Act coming into law on 19 June 2025. (ICO)

Quick win:

  • Make sure your cookie banner does not pre tick “accept”
  • Separate “necessary” from analytics and marketing
  • Keep a record of what cookies you use and why
  • Offer an easy way to change preferences

3) Create a simple Record of Processing Activities (ROPA)

A ROPA sounds terrifying until you realise it is basically a structured list of what data you use and why.

The ICO has detailed guidance on what needs documenting under Article 30, including things like purposes, categories, recipients, transfers, retention, and security measures. (ICO) The legal text of Article 30 sets out the core requirements. (Legislation.gov.uk)

Quick win: start with your top 8 to 12 processing activities, usually:

  • Website enquiries
  • Customer management and service delivery
  • Marketing emails
  • HR and payroll
  • Supplier management
  • IT access and security logs
  • Finance and accounting records
  • CCTV (if used)

You do not need a 200 line spreadsheet on day one. You need a working baseline.

4) Check your lawful bases (and stop guessing)

Most SME processing falls under:

  • Contract (you need data to deliver what was bought)
  • Legal obligation (payroll, tax, regulatory rules)
  • Legitimate interests (some operations and B2B marketing)
  • Consent (often marketing, cookies, and optional extras)

Quick win: list your purposes, assign a lawful basis to each, and make sure the privacy notice matches. Consistency is half the battle.

5) Put a DSAR process in place before you get one

A DSAR (data subject access request) is when someone asks for a copy of the personal data you hold about them.

Most businesses mess this up in one of two ways:

  • they ignore it because it went to the wrong inbox
  • they respond late because nobody owns the process

Quick win DSAR setup:

  • Pick an internal owner and a backup
  • Create a shared mailbox or ticket tag
  • Keep a DSAR log
  • Have a standard response template ready


6) Decide when you need a DPIA (and keep it lightweight)

A DPIA is a Data Protection Impact Assessment. It helps you identify and reduce privacy risks when you are doing higher risk processing.

Common triggers include:

  • Large scale monitoring
  • Using special category data
  • Profiling or automated decision making
  • New tech or new data sources

Quick win: create a one page “DPIA triage” checklist:

  • What are we doing?
  • What data is involved?
  • What could go wrong for people?
  • What controls reduce the risk?
  • Do we need to consult anyone?

7) Tighten up supplier contracts

If a supplier processes personal data for you (email marketing platforms, cloud storage, CRM tools, payroll providers), you need the right data protection terms in place.

Quick win:

  • List your processors
  • Confirm what data they handle
  • Ensure you have a contract with data processing terms
  • Check where data is stored and whether there are international transfers

This is also one of the quickest ways to look credible in tenders.

8) Have a breach plan that is not just “panic”

Most “small incidents” become big ones because nobody knows what to do in the first hour.

The NCSC’s small business guidance includes practical steps for preparing your response and recovery from a cyber incident. (NCSC)

Quick win breach plan:

  • How to contain (disable accounts, isolate devices, preserve evidence)
  • Who to notify internally
  • How to assess severity and scope
  • Draft customer and stakeholder comms
  • Clear decision path for regulator notification

9) Keep only what you need (retention)

If your retention approach is “keep everything forever”, you are making your life harder and your risk bigger.

Quick win: define simple retention rules for the main categories:

  • Enquiries and leads
  • Customer records
  • Marketing lists and suppression lists
  • HR data
  • Financial records
  • CCTV

You can refine later. Start now.

10) Assign accountability (even if you do not “need a DPO”)

Not every business needs a formally appointed Data Protection Officer. But every business needs someone accountable for privacy tasks and decisions.

If you want ongoing support without hiring internally, an outsourced DPO model gives you a named expert, practical answers, and evidence you are taking governance seriously.


Common myths that waste your time

“We are too small for GDPR”

If you process personal data, size is not a magic shield. The rules still apply, and the reputational damage from getting it wrong is often worse for SMEs.

“We have a privacy policy, job done”

A policy is not compliance. It is just a document unless your actual practices match what it says.

“Consent solves everything”

Consent is not the default. It is one lawful basis, and it comes with conditions (freely given, specific, informed, easy to withdraw). Use it when it fits.

What “good” looks like for an SME

You do not need perfection. You need a sensible, defensible baseline.

A good SME setup usually looks like:

  • Clear privacy notice and cookie controls (ICO)
  • A working ROPA baseline (ICO)
  • DSAR process and templates
  • DPIA triage and a repeatable approach
  • Supplier contract hygiene
  • A breach playbook informed by good practice (NCSC)
  • Retention rules you can actually follow

That is enough to reduce risk fast, answer tender questions confidently, and sleep slightly better.

FAQs

Do I need a Data Protection Officer in the UK?

Not always. It depends on what you do and the scale and type of processing. Many SMEs do not legally need one, but they still benefit from outsourced DPO support for governance, risk, and credibility.

What is the fastest GDPR win for a small business?

Update your privacy notice and cookie setup, then create a basic ROPA. These are high impact and relatively quick. (ICO)

What should I do if I think we have had a data breach?

Contain first, then confirm facts and scope. Follow a structured response and recovery plan. The NCSC guidance is a strong starting point for SMEs. (NCSC)

Next step: make it simple

If you want a clear baseline without spending weeks reinventing the wheel:

  • Use the Athlex templates and toolkits to build your core documents
  • Or get ongoing cover with our outsourced DPO service
  • Or book a one off review to identify gaps and prioritise fixes

The Top ICO Enforcement Trends SMEs Must Act On in 2025 (And How to Get Ahead)

5 minutes read

The UK’s data-protection landscape is evolving fast, and SMEs are now directly exposed to enforcement action once largely associated with public bodies or large multinationals. As BDO’s analysis of ICO enforcement trends in 2025 highlights, the ICO is increasingly focused on fundamental compliance failures rather than technical edge cases, meaning SMEs face the same expectations as larger organisations.

To help UK SMEs stay ahead, this guide breaks down the three most prominent ICO enforcement themes in 2025 and explains how each relates directly to the core duties under UK GDPR.

ICO Enforcement Trend 1: DSAR Delays & Right-of-Access Failures

The ICO continues to treat DSAR delays as one of the most serious indicators of poor governance. This theme appears repeatedly in enforcement notices and aligns closely with the BDO analysis.

A recent example is the enforcement notice issued to South Wales Police, requiring the organisation to clear a backlog of more than 350 overdue SARs by mid-2026.

Although policing bodies sit in a unique context, the principle is identical for SMEs: a delayed, incomplete, or mismanaged DSAR is a governance failure, not an administrative error.

Why SMEs are vulnerable

  • DSAR processes are often informal or undocumented
  • Staff rely on untracked shared inboxes that hamper compliance
  • Manual redaction takes longer than expected and slows response times
  • Identity verification checks are inconsistent or incomplete
  • No clear owner is assigned to coordinate DSAR responses

Consequently, SMEs often fail “by accident”, simply because processes were never clearly built.

What SMEs should do

  • Implement a formal DSAR register
  • Use standardised verification templates
  • Assign responsibility for triage and drafting
  • Create a redaction decision record
  • Test your DSAR workflow every six months

See how Athlex Data Protection can help you with your UK GDPR compliance.

To strengthen your position, Athlex Data Protection includes DSAR review as part of its Free UK GDPR Compliance Audit.

ICO Enforcement Trend 2: System Errors & Data-Accuracy Failures

While many SMEs assume breaches are caused by sophisticated threat actors, the ICO’s recent fines show that basic security failings, particularly around access control and system configuration, remain the driving force behind most incidents. This is why BDO identifies weak security controls as a recurring enforcement theme.

A clear example of this is the £3.07 million fine issued to Advanced Computer Software Group (“Advanced”), a major processor used across the UK health and education sectors.

What happened

A ransomware attack exploited several preventable vulnerabilities, including:

  • inadequate access controls,
  • outdated software components,
  • unpatched critical systems, and
  • insufficient segregation of sensitive data.

Because Advanced was acting as a data processor, the incident demonstrated that processors are not insulated from ICO enforcement. Importantly, the ICO highlighted that robust Article 32 security measures apply equally to processors and controllers — a point many SMEs overlook when relying on third-party suppliers.

Why this matters for SMEs

Many SMEs rely on external IT providers, SaaS dashboards, or outsourced infrastructure. Consequently, they often inherit a false sense of security. Yet, as the Advanced case shows:

  • unpatched systems,
  • misconfigured access rights, and
  • weak administrator controls can create breach pathways that affect both the processor and its clients.

Furthermore, the ICO’s commentary stresses that technical misconfiguration is increasingly treated as a governance failure, not an unavoidable risk. In other words, SMEs are expected to demonstrate continuous security management – not reactive fixes after an incident.

What SMEs should do now

To reduce exposure to similar enforcement action:

  • Conduct regular patch-management reviews and document them.
  • Enforce multi-factor authentication on every administrative and remote-access account.
  • Validate that third-party systems use secure configuration baselines.
  • Request evidence: recent pen-test summaries, MFA logs, and architecture diagrams showing data segregation.

ICO Enforcement Trend 3: Supply-Chain & Vendor Risk Is Now the Biggest Exposure

BDO notes that third-party suppliers are involved in a significant proportion of enforcement cases. This is evident across recent ICO actions.

A major example is the £14 million fine issued to Capita following a cyber incident that exposed the data of over 6 million people.

The ICO criticised:

  • slow isolation of the breach,
  • insufficient monitoring,
  • weak patching practices, and
  • inadequate oversight of third-party systems.

Similarly, the Upper Tribunal’s Clearview ruling confirmed that even overseas vendors fall under UK GDPR if they monitor UK residents.

Why SMEs must pay attention

SMEs are more dependent than ever on external providers – IT contractors, payroll services, marketing platforms, CRMs, SaaS tools, cloud storage, etc. Consequently, the regulator expects SMEs to:

  • verify supplier security
  • assess processors before onboarding
  • maintain a vendor register
  • require evidence of compliance
  • include audit rights and termination clauses

In other words, your compliance is only as strong as your weakest vendor.

What SMEs should do

  • Inventory all suppliers with data access
  • Request evidence: certifications, test summaries, logs
  • Ensure processor contracts meet Article 28 requirements
  • Assess vendors annually (high-risk: quarterly)

The Athlex Data Protection free audit highlights exactly where your vendor chain poses compliance risk.

ICO Enforcement Trend 4: Governance, Documentation & Accountability Are Under the Microscope

BDO’s report highlights that the ICO is increasingly examining how decisions are made, not just whether breaches occur. Good governance – leadership awareness, documented decisions, risk logs, and internal reporting structures — is now a major enforcement factor.

This aligns with the ICO’s call for views on new enforcement-procedural guidance, signalling more transparent and structured regulatory processes.

This means SMEs are expected to show:

  • clear data-protection ownership
  • leadership engagement
  • meaningful internal reporting
  • documented risk assessments and decisions
  • evidence of proactive compliance

How SMEs Can Stay Ahead – Starting Today

To prepare for these enforcement trends, SMEs should immediately focus on:

  • DSAR workflows
  • Data-accuracy controls
  • Vendor oversight
  • Incident readiness
  • Governance documentation

And the simplest way to begin?

Use Athlex Data Protection’s Free UK GDPR Compliance Audit tool.

To read more about the biggest UK GDPR risks for SMEs, see our blog: Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs. It covers DSARs, access controls, vendor risk, system accuracy, governance, and incident readiness, all mapped into a clear action plan.