Full UK GDPR Documentation


About UK GDPR – Key Facts

Who does it apply to?

UK GDPR covers every organisation that handles personal data, from large companies to sole traders and charities.
It also applies to businesses outside the UK that offer goods or services to people in the UK, even where those are free of charge.
If you collect information such as names, email addresses, phone numbers, postal addresses, payment details or IP addresses, it applies to you.

What it means to implement

Implementing UK GDPR is more than just having an ICO registration.
It means:

  • Having the policies and procedures the ICO requires.

  • Informing customers, suppliers, and staff how you use their data.

  • Keeping data secure and training staff.

  • Choosing partners (e.g., accountant, marketing provider) who are ICO registered and have strong data protection.

Documentation

  • External: public documents – Privacy Policy, Cookie Policy, Terms & Conditions.

  • Internal: private procedures, registers, and staff training records.

ICO registration alone is not enough – you need both.

Penalties

The ICO can fine up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious breaches, and can also restrict or stop your processing of personal data.

Full UK GDPR Documentation – with Staff Training

Two pricing tiers:

  • Small or medium-sized business (no sensitive data)

  • Businesses processing sensitive data or large organisations

A complete, business-ready GDPR framework for your company. We audit how you handle personal data, prepare all required internal and public documents, and train your team (two online courses with certificates). Everything is written in plain English and tailored to how you actually operate.

What the package consists of & when “sensitive data” pricing applies

  • Audit – we map your data flows, legal bases, roles, risks and gaps.

  • Documentation – we draft every policy, procedure and register you must have (internal + public).

  • Training – two online courses (UK GDPR + Cybersecurity) with certificates for each employee.

Sensitive data (higher-tier pricing) applies if you process special category data (e.g. health, biometric or genetic data, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual life or orientation) or if you are a large organisation. This tier requires stricter measures and a broader document set.

What’s included (documents we prepare)

Mandatory set – always included

Public / external

  • Privacy Notice (for customers/suppliers/visitors)

  • Cookie Policy (always)

  • Website Privacy Policy (site/app version)

  • FOI Policy/Procedure (included as standard)

Internal

  • Privacy Policy (master internal policy)

  • ROPA – Record of Processing Activities

  • Data Retention Policy

  • Data Breach Policy + Breach Register

  • DSAR Register (requests from data subjects – always)

  • Register of Consents (e.g., marketing/newsletters)

  • Authorisation to Process Personal Data (staff) + Register of Authorisations

  • Staff Data Protection Policy (goes with the authorisations)

  • Data Security Policy (core security rules)

  • Data Processing Agreement (Processor contract) – template

  • Form/Channel-specific privacy notices (contact forms, newsletter, social profiles)

Additional where relevant (included when your setup requires it)

  • DPIA – Data Protection Impact Assessment (high-risk processing)

  • Sensitive Data Processing Policy (when handling special category data)

  • CCTV Policy

  • BYOD – Bring Your Own Device Policy

  • Social Media Policy / Password Policy / Email & Messaging Policy

  • Media/Image Consent Form

  • Records of DSAR handling workflow (templates + guidance)

  • Supplier/Processor due-diligence checklist (ICO-style vetting)
