UK GDPR has been in force since January 2021. For most SMEs, the honest position is somewhere between "we did something in 2018" and "we know we should revisit this but haven't."
This checklist is designed for exactly that situation. Work through each section and note what's in place, what's partial, and what's missing. That gap analysis is the starting point for a manageable compliance roadmap.
Section 1: Foundations
Lawful basis
- We have identified a lawful basis under Article 6 for each of our main processing activities
- Where we rely on consent, that consent was freely given, specific, informed, and unambiguous
- Where we rely on legitimate interests, we have conducted (and documented) a Legitimate Interests Assessment (LIA)
- We do not rely on consent as a default when another basis is more appropriate
Record of Processing Activities (RoPA)
- We have a RoPA that documents all our main processing activities
- Each entry includes: purpose, lawful basis, data categories, recipients, retention periods, and security measures
- The RoPA is reviewed and updated at least annually, and whenever new processing begins
- If we process special category data, this is flagged and has an additional Article 9 basis documented
Privacy notice
- We have a privacy notice published on our website
- It covers all our processing activities, including any use of third-party tools or processors
- It is written in plain, accessible language
- It has been reviewed in the last 12 months
Section 2: Individual Rights
UK GDPR gives individuals eight rights. You must be able to respond to requests exercising any of them.
- Right of access (SAR): We can respond to Subject Access Requests within 30 days, free of charge
- Right to rectification: We have a process for correcting inaccurate personal data on request
- Right to erasure: We can identify and delete an individual's personal data on request (where applicable)
- Right to restriction: We can restrict processing for an individual without deleting their data
- Right to data portability: We can provide data in a structured, machine-readable format where required
- Right to object: We have a clear process for handling objections to processing, particularly for direct marketing
- Rights related to automated decision-making: If we use automated decisions with significant effects on individuals, we have a process to handle challenges
- Staff know how to recognise and route rights requests, and understand the timelines
Section 3: Data Processors and Third Parties
- We have a list of all third parties that process personal data on our behalf (cloud storage, payroll, email, CRM, etc.)
- We have a Data Processing Agreement (DPA) in place with each processor
- We have reviewed each processor's security practices and confirmed they are adequate
- Where processors are based outside the UK or EU/EEA, we have verified that appropriate transfer mechanisms are in place
- We do not share personal data with third parties without a valid basis for doing so
Section 4: Data Security
- Personal data is stored in access-controlled systems — only those who need it can access it
- We use encryption for sensitive data, both in transit and at rest
- Devices used to access personal data are password-protected and have up-to-date security software
- We have a clear process for managing staff leavers — including revoking access promptly
- We have assessed the security practices of all processors before engaging them
- We conduct periodic reviews of who has access to personal data systems
Section 5: Data Retention
- We have a documented data retention policy that sets out how long we keep different categories of personal data
- Retention periods are based on legal requirements, business needs, or both — not "we keep everything just in case"
- We have a process for deleting or anonymising data when retention periods expire
- Retention obligations are reflected in our RoPA
Section 6: Data Breach Response
- We know how to recognise a personal data breach (not just a cybersecurity incident — a lost paper file or misdirected email also counts)
- We have a documented breach response procedure
- Staff know to report suspected breaches immediately to the designated person
- We understand that reportable breaches must be notified to the ICO within 72 hours of becoming aware
- We know when a breach also requires notification to affected individuals
- We maintain a log of all breaches, including those that did not require external notification
Section 7: Special Situations
Marketing
- Our marketing lists consist of individuals who have given valid consent, or where we can rely on the "soft opt-in"
- Every marketing communication includes a clear, functional unsubscribe option
- We maintain a suppression list of unsubscribes and do not re-contact them
- We do not purchase third-party marketing lists without verifying how consent was obtained
CCTV (if applicable)
- We have a lawful basis and a documented purpose for operating CCTV
- Clear signage is in place notifying individuals that recording is in operation
- We have a retention policy for footage
- Access to footage is restricted to authorised personnel
Section 8: Governance
- We have a designated person responsible for data protection within the business
- Staff who handle personal data receive basic data protection training
- We conduct a Data Protection Impact Assessment (DPIA) for new projects involving high-risk processing
- We are registered with the ICO and pay the data protection fee (check ico.org.uk to confirm your status)
- We review our overall compliance position at least annually
Interpreting your results
Mostly ticked: You have a solid foundation. Focus on the gaps, document your position, and build a review cadence.
Partial across most sections: This is the most common position for SMEs. Prioritise the areas with the highest risk: breach response (72-hour clock), SAR handling (30-day deadline), and processor agreements.
Several unticked in Sections 1–3: Your foundations need attention before more detailed work is useful. Start with the RoPA and lawful basis, as everything else builds on them.
Your next steps
If the checklist has identified gaps, tackle them in order of risk rather than trying to do everything at once.
Highest priority
- Document your lawful bases and build a basic RoPA
- Ensure your SAR response process is functional and timed
- Get DPAs in place with your processors
- Implement a breach log and response procedure
Medium priority
- Update your privacy notice
- Implement a data retention policy
- Review access controls on personal data systems
Ongoing
- Staff awareness and training
- Annual RoPA and policy review
- DPIA for new high-risk processing activities
How Quantra supports your compliance programme
Quantra's workbenches are built around the compliance obligations SMEs find hardest to operationalise: Q-SAR for Subject Access Request workflows, Q-ROT for retention obligation tracking, Q-RoPA for building and maintaining your Record of Processing Activities, and the Quantra Agent for local PII detection in documents before data leaves your environment.