BLUESTONE CYBER

UK GDPR compliance for SMEs

The security side of data protection: keeping the personal data you hold genuinely safe, not just documented.

Book a Free Call

60 minutes · No prep · No obligation

Most SMEs did their GDPR work back in 2018. A privacy policy went up, a few boxes were ticked, and the subject has barely been revisited since. The law has not stood still, though, and neither have the expectations behind it. If you are evaluating your compliance, and specifically whether your business is secure enough to satisfy the law, this page covers the part of GDPR a cyber consultancy can help with: the security of the personal data you hold.

GDPR has changed, but the security duty has not

The UK's data protection law is the UK GDPR, sitting alongside the Data Protection Act 2018. In the past year it has had its biggest shake-up since it came in. The Data (Use and Access) Act 2025 received Royal Assent in June 2025, and its main data protection provisions took effect in February 2026. It adjusted several things: how subject access requests are handled, the rules around legitimate interests, and which cookies need consent.

Most of those changes are legal and procedural, and they belong to a data protection lawyer or a DPO. Here is the part that matters for security: the core security obligation did not change. Article 32 of the UK GDPR, which requires you to keep personal data secure, reads the same as it did. The Information Commissioner's Office also renewed its adequacy decision for the UK in December 2025, so the bar for protecting personal data has not dropped. The security duty is exactly where it was, and it still applies to you.

Understanding Article 32

Article 32 requires “appropriate technical and organisational measures” to keep personal data secure. That phrasing is deliberately vague, and the vagueness trips people up.

It does not hand you a checklist. What it does is make the standard proportionate. The measures you are expected to take scale with the sensitivity of the data and the harm a breach would cause. A business holding health records or financial details is expected to do more than one holding a mailing list.

In practice, appropriate measures usually mean controlling who can reach personal data and removing access when it is no longer needed, encrypting data on devices and in transit, keeping backups you have actually tested, and being able to restore systems after an incident. Article 32 also expects you to test and review these measures rather than set them once and forget them. None of this is exotic. It is ordinary security hygiene, with a legal obligation attached.

Reporting window: 72 hours, from becoming aware of a personal data breach that poses a risk to people, to notifying the ICO.

The 72-hour breach clock

The point where data protection and security collide hardest is breach notification. If you suffer a personal data breach that poses a risk to people, you generally have to report it to the Information Commissioner's Office within 72 hours. In serious cases you also have to tell the affected individuals.

Seventy-two hours is not long, and the clock is unforgiving. You cannot meet it if you have no way of detecting a breach, no idea what data was affected, and no plan for who does what. The businesses that handle a breach well are the ones that decided in advance how they would.

Where the gaps usually are

When we look at GDPR security for an SME, the same five weaknesses come up. Each one is fixable, and none needs a large budget. They need someone to look.

Access sprawl

Former staff and old accounts still work. Too many people hold admin rights.

Unencrypted laptops

A single lost device turns into a reportable breach the moment it disappears.

Untested backups

Backups exist, but no one has ever restored from them. Nobody knows if they work.

Unvetted suppliers

Cloud services and processors handle personal data on your behalf, unchecked.

Cloud defaults

Platforms left on default settings that quietly expose data, with no attacker doing anything clever.

Most incidents we see start with one of these, often as a cloud misconfiguration rather than anything sophisticated.
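The access sprawl point above, and Article 32's expectation that measures are tested and reviewed rather than set once, lend themselves to a concrete periodic check. The following Python script is an added example and is not BlueStone Cyber's code or tooling: it runs a simple access review over a constructed account export (the usernames, dates, the 90-day dormancy threshold and the 25% admin-share limit are all assumptions chosen for illustration) and flags leavers whose accounts are still enabled, accounts with no recent login, and an admin share that is higher than a small business usually needs.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Account:
    """One row of an identity-provider user export joined with an HR leavers list."""
    username: str
    is_admin: bool
    enabled: bool
    last_login: Optional[date]   # None means the account has never signed in
    still_employed: bool         # from HR; False for leavers

# Constructed sample data for illustration only; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("a.patel",    True,  True,  date(2026, 3, 2),  True),
    Account("j.smith",    False, True,  date(2025, 9, 14), False),  # left, still enabled
    Account("old-admin",  True,  True,  None,              True),   # admin that never logged in
    Account("m.jones",    False, True,  date(2025, 11, 1), True),   # dormant user
    Account("svc-backup", True,  True,  date(2026, 3, 5),  True),
    Account("k.lee",      False, False, date(2024, 1, 1),  False),  # left and disabled: fine
]

DORMANT_AFTER = timedelta(days=90)   # assumed threshold
ADMIN_SHARE_LIMIT = 0.25             # assumed ceiling for admins among enabled accounts

def review_access(accounts, today, dormant_after=DORMANT_AFTER,
                  admin_share_limit=ADMIN_SHARE_LIMIT):
    """Return findings keyed by rule. Disabled accounts are ignored: they are the desired state."""
    enabled = [a for a in accounts if a.enabled]
    findings = {
        "leaver_still_enabled": [],
        "dormant": [],
        "admin_share": 0.0,
        "admin_share_exceeded": False,
    }
    for a in enabled:
        # Rule 1: anyone HR says has left must not keep a working account.
        if not a.still_employed:
            findings["leaver_still_enabled"].append(a.username)
        # Rule 2: no login ever, or none within the threshold, is a stale account.
        if a.last_login is None or (today - a.last_login) > dormant_after:
            findings["dormant"].append(a.username)
    # Rule 3: too many admins among live accounts widens the blast radius of any compromise.
    admins = [a for a in enabled if a.is_admin]
    share = len(admins) / len(enabled) if enabled else 0.0
    findings["admin_share"] = round(share, 2)
    findings["admin_share_exceeded"] = share > admin_share_limit
    return findings

def format_report(findings):
    """Render findings as plain lines suitable for a review log or ticket."""
    lines = []
    for user in findings["leaver_still_enabled"]:
        lines.append(f"LEAVER STILL ENABLED: {user}")
    for user in findings["dormant"]:
        lines.append(f"DORMANT: {user}")
    if findings["admin_share_exceeded"]:
        lines.append(f"ADMIN SHARE TOO HIGH: {findings['admin_share']:.0%} of enabled accounts")
    return lines

if __name__ == "__main__":
    for line in format_report(review_access(SAMPLE_ACCOUNTS, today=date(2026, 3, 10))):
        print(line)
```

Run on a quarterly basis, the output is the evidence that access is actually being reviewed, which is the kind of record a regulator asks for after a breach. The thresholds are deliberately parameters, since what counts as dormant or as too many admins depends on the size of the business and the sensitivity of the data behind those accounts.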

How we help, and where our role ends

We are clear about our scope. GDPR has a legal side: lawful basis, privacy notices, data processing contracts, whether you need a Data Protection Officer. That side is the work of a data protection lawyer or a DPO, not a cyber consultancy. We will not pretend otherwise.

What we cover is the security half: practically implementing “appropriate technical and organisational measures”. That starts with advisory work, including a security assessment that shows where personal data actually lives and where it is exposed. It moves into hands-on remediation: fixing access control, getting encryption deployed, testing backups, and building a breach response you could actually run. For businesses that want this kept under review rather than treated as a one-off, a vCISO retainer keeps it current as the business changes.


GDPR is Technical, Not Just Legal

If you are not confident your business could pass a hard look at how it protects personal data, book a free 60-minute call. We will talk through where the real risks sit and what it would take to close them.
