UK GDPR Compliance Checklist for Small Businesses (Without the Headache) | Athlex


Running a business in the UK already comes with enough admin to make you question your life choices. Data protection should not be the thing that tips you over the edge.

If you collect personal data (and you probably do, even if it is “just” website enquiries, staff records, or customer emails), you need the basics in place. The good news: UK GDPR compliance is very doable when you focus on what actually matters.

This guide gives you a clear, practical checklist you can work through. No jargon. No panic. Just the steps that reduce risk and build trust.

If you want someone to sanity check it all, Athlex can help too, either one off or as your outsourced DPO. (More on that later.)

What counts as “personal data” in practice?

Personal data is information that can identify someone, directly or indirectly. Think:

  • Names, emails, phone numbers
  • Customer account details
  • IP addresses and online identifiers
  • Staff HR files and payroll details
  • CCTV footage (yes, still personal data)

If your business collects any of that, UK GDPR applies.

The Athlex UK GDPR checklist

1) Write a privacy notice that matches reality

Your privacy notice is how you meet the transparency requirement: telling people what you do with their data, in a way they can understand. The ICO expects privacy information to include the required points under the transparency obligations (including Articles 13 and 14). (ICO)

Quick win: check your privacy notice answers these questions:

  • What data do you collect?
  • Why are you collecting it (your purposes)?
  • What lawful basis are you relying on?
  • Who do you share it with (like processors and platforms)?
  • How long do you keep it?
  • What rights do people have and how do they use them?
  • How can they contact you (and the ICO)?

If your notice is a copy paste from 2019, it is not “fine”. It is a trust leak.


2) Sort your cookies and tracking (because the internet is nosey)

If your website uses analytics, marketing tags, pixels, embedded content, or anything that stores or accesses info on a user’s device, you need to follow the PECR rules on “storage and access technologies”. The ICO’s guidance explicitly covers cookies, tracking pixels, fingerprinting techniques, scripts and tags, and explains that PECR allows this only in certain circumstances or with valid consent. (ICO)

Also worth knowing: the ICO notes its storage and access guidance is under review due to the Data (Use and Access) Act coming into law on 19 June 2025. (ICO)

Quick win:

  • Make sure your cookie banner does not pre-tick “accept”
  • Separate “necessary” from analytics and marketing
  • Keep a record of what cookies you use and why
  • Offer an easy way to change preferences

3) Create a simple Record of Processing Activities (ROPA)

A ROPA sounds terrifying until you realise it is basically a structured list of what data you use and why.

The ICO has detailed guidance on what needs documenting under Article 30, including things like purposes, categories, recipients, transfers, retention, and security measures. (ICO)
And the legal text for Article 30 sets out the core requirements. (Legislation.gov.uk)

Quick win: start with your top 8 to 12 processing activities, usually:

  • Website enquiries
  • Customer management and service delivery
  • Marketing emails
  • HR and payroll
  • Supplier management
  • IT access and security logs
  • Finance and accounting records
  • CCTV (if used)

You do not need a 200 line spreadsheet on day one. You need a working baseline.

4) Check your lawful bases (and stop guessing)

Most SME processing falls under:

  • Contract (you need data to deliver what was bought)
  • Legal obligation (payroll, tax, regulatory rules)
  • Legitimate interests (some operations and B2B marketing)
  • Consent (often marketing, cookies, and optional extras)

Quick win: list your purposes, assign a lawful basis to each, and make sure the privacy notice matches. Consistency is half the battle.

5) Put a DSAR process in place before you get one

A DSAR (data subject access request) is when someone asks for a copy of the personal data you hold about them.

Most businesses mess this up in one of two ways:

  • they ignore it because it went to the wrong inbox
  • they respond late because nobody owns the process

Quick win DSAR setup:

  • Pick an internal owner and a backup
  • Create a shared mailbox or ticket tag
  • Keep a DSAR log
  • Have a standard response template ready


6) Decide when you need a DPIA (and keep it lightweight)

A DPIA is a Data Protection Impact Assessment. It helps you identify and reduce privacy risks when you are doing higher risk processing.

Common triggers include:

  • Large scale monitoring
  • Using special category data
  • Profiling or automated decision making
  • New tech or new data sources

Quick win: create a one page “DPIA triage” checklist:

  • What are we doing?
  • What data is involved?
  • What could go wrong for people?
  • What controls reduce the risk?
  • Do we need to consult anyone?

7) Tighten up supplier contracts

If a supplier processes personal data for you (email marketing platforms, cloud storage, CRM tools, payroll providers), you need the right data protection terms in place.

Quick win:

  • List your processors
  • Confirm what data they handle
  • Ensure you have a contract with data processing terms
  • Check where data is stored and whether there are international transfers

This is also one of the quickest ways to look credible in tenders.

8) Have a breach plan that is not just “panic”

Most “small incidents” become big ones because nobody knows what to do in the first hour.

The NCSC’s small business guidance includes practical steps for preparing your response and recovery from a cyber incident. (NCSC)

Quick win breach plan:

  • How to contain (disable accounts, isolate devices, preserve evidence)
  • Who to notify internally
  • How to assess severity and scope
  • Draft customer and stakeholder comms
  • Clear decision path for regulator notification

9) Keep only what you need (retention)

If your retention approach is “keep everything forever”, you are making your life harder and your risk bigger.

Quick win: define simple retention rules for the main categories:

  • Enquiries and leads
  • Customer records
  • Marketing lists and suppression lists
  • HR data
  • Financial records
  • CCTV

You can refine later. Start now.

10) Assign accountability (even if you do not “need a DPO”)

Not every business needs a formally appointed Data Protection Officer. But every business needs someone accountable for privacy tasks and decisions.

If you want ongoing support without hiring internally, an outsourced DPO model gives you a named expert, practical answers, and evidence you are taking governance seriously.


Common myths that waste your time

“We are too small for GDPR”

If you process personal data, size is not a magic shield. The rules still apply, and the reputational damage from getting it wrong is often worse for SMEs.

“We have a privacy policy, job done”

A policy is not compliance. It is just a document unless your actual practices match what it says.

“Consent solves everything”

Consent is not the default. It is one lawful basis, and it comes with conditions (freely given, specific, informed, easy to withdraw). Use it when it fits.

What “good” looks like for an SME

You do not need perfection. You need a sensible, defensible baseline.

A good SME setup usually looks like:

  • Clear privacy notice and cookie controls (ICO)
  • A working ROPA baseline (ICO)
  • DSAR process and templates
  • DPIA triage and a repeatable approach
  • Supplier contract hygiene
  • A breach playbook informed by good practice (NCSC)
  • Retention rules you can actually follow

That is enough to reduce risk fast, answer tender questions confidently, and sleep slightly better.

FAQs

Do I need a Data Protection Officer in the UK?

Not always. It depends on what you do and the scale and type of processing. Many SMEs do not legally need one, but they still benefit from outsourced DPO support for governance, risk, and credibility.

What is the fastest GDPR win for a small business?

Update your privacy notice and cookie setup, then create a basic ROPA. These are high impact and relatively quick. (ICO)

What should I do if I think we have had a data breach?

Contain first, then confirm facts and scope. Follow a structured response and recovery plan. The NCSC guidance is a strong starting point for SMEs. (NCSC)

Next step: make it simple

If you want a clear baseline without spending weeks reinventing the wheel:

  • Use the Athlex templates and toolkits to build your core documents
  • Or get ongoing cover with our outsourced DPO service
  • Or book a one off review to identify gaps and prioritise fixes

A Complaints Revolution? What the Data (Use & Access) Act 2025 Means for Your Business

The UK’s data protection rules are changing again. Here’s what small and medium-sized businesses need to know about the new legal duty to handle data protection complaints and how to get ready.

Why this matters

The Data (Use & Access) Act 2025 introduces a major new responsibility for UK businesses. For the first time, organisations will be legally required to have a formal process for handling data protection complaints.

This means every business that processes personal data will need a clear way for people to raise concerns, and a plan for how those complaints are recorded, investigated and resolved.

The change builds on the existing UK GDPR and Data Protection Act 2018. It does not replace them, but it strengthens the rules around accountability and response times. The goal is simple: to make sure individuals can trust that their data rights are taken seriously.

If your business already manages data protection complaints properly, this may only mean a few small updates. But if you currently respond on an ad-hoc basis or tend to dismiss complaints that seem unfounded, it is time to make changes now.

The new duty in a nutshell

The Act received Royal Assent on 19 June 2025 and is being introduced in stages. The key stage for most organisations, currently expected around 12 months from Royal Assent (so around mid-2026), is the new legal duty to handle complaints.

Under this duty, you will need to:

  • Acknowledge data-protection complaints within 30 days and tell people what will happen next
  • Investigate and respond promptly, without unnecessary delay, explaining the outcome in plain language
  • Record every complaint and document how and when it was resolved
  • Train staff to recognise, log and properly escalate data-protection complaints

These rules apply to all organisations that process personal data, regardless of size or sector.

You can read the official rollout plan on GOV.UK: https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement

Two ICO consultations shaping the change

The Information Commissioner’s Office (ICO) is currently running two consultations to help define what “good” looks like in complaint handling.

  1. Guidance for organisations, explaining how to set up and manage a complaint-handling process.
    Deadline: 19 October 2025
    ICO Consultation on Complaints Guidance for Organisations
  2. The ICO’s own complaint-handling framework, which outlines how the regulator will assess and respond to complaints once the law is in force.
    Deadline: 31 October 2025
    ICO Consultation on Changes to How We Handle Data Protection Complaints

The first consultation tells you what your business needs to do. The second explains how the ICO will respond to complaints and what data they will monitor.

The risk of inaction

This is more than a procedural update. The ICO has made it clear that it will monitor complaint trends across sectors. Repeat or unresolved complaints could attract attention and follow-up engagement from the regulator.

If you do not have a reliable process in place, the risks include:

  • Reputational damage if complaints are mishandled or ignored
  • Evidence gaps that make it difficult to show compliance
  • Closer scrutiny if your business appears in repeated complaint reports

Even complaints that seem minor or unjustified must be logged and responded to. If you choose to ignore them, they will still count towards your complaint history. The ICO will be looking for businesses that can show they act on feedback, not those that hope issues go away.

If you already manage complaints effectively, you are in a good position. If not, now is the time to act. Setting up a clear process will protect both your reputation and your compliance record.

What good looks like

A compliant complaint-handling process should feel simple and transparent. It should show that you take customers seriously and can evidence your actions.

The ICO’s guidance suggests focusing on:

  • Visibility: make it easy for people to raise a concern, for example by publishing contact details or a form in your privacy notice.
  • Consistency: respond within set timeframes and keep records of all correspondence.
  • Evidence: log complaints in a way that allows you to track progress, outcomes and lessons learned.
  • Governance: review complaint trends regularly to identify recurring issues or training needs.

If you already have a process in place, check that it meets these standards and that your team understands it. If you do not, start simple. A shared inbox and a basic log are often enough for smaller businesses, as long as they are used consistently.

The bigger picture

The new complaint-handling duty is part of a wider move towards greater accountability and user empowerment. Alongside this, the ICO has been setting out its approach to user consent, transparency and digital choice – including its views on Meta’s “consent or pay” advertising model.

Both developments point in the same direction. The UK is not deregulating data protection; it is making it more practical. The focus is on evidence and accountability – being able to show not just that you comply, but that you care about how personal data is handled.

What to do next

If you are unsure where to start, focus on these steps:

  1. Create or review your complaint process.
    Have a clear route for people to raise issues, assign responsibility and set timeframes for acknowledgement and response.
  2. Keep records.
    Track all complaints, even if you think they lack merit. Record what was done, what you found and how you closed the issue.
  3. Update your privacy notice.
    Tell people how they can raise a complaint and what they can expect from you in return.
  4. Train your team.
    Make sure everyone who handles customer or employee data knows how to recognise and escalate a data protection complaint.
  5. Review contracts.
    Ensure any partners or suppliers who handle personal data know their role in your complaint-handling process.
  6. Monitor and improve.
    Look for recurring issues or delays. Fixing small process gaps now will reduce the risk of ICO involvement later.

How Athlex can help

At Athlex, we make compliance clear. We help businesses build practical, proportionate frameworks that work in the real world.

Our services include:

  • Designing or reviewing complaint-handling frameworks
  • Providing outsourced Data Protection Officer (DPO) support
  • Reviewing contracts and supplier arrangements
  • Updating privacy notices and policies
  • Delivering tailored training and audits for your team

If you would like help reviewing your approach to complaints, start with a free GDPR Health Check. We will show you where you stand, what is working well and what to fix first.

Book your free data protection health check.

In summary

The Data (Use & Access) Act 2025 is not a complete rewrite of data protection law, but it will change how accountability is judged.

Businesses with clear, consistent complaint-handling processes will adapt easily. Those without one will need to move quickly. Ignoring complaints – even the unfounded ones – will no longer be an option.

Taking action now will save time later and show your customers that you value their trust.