> For the complete documentation index, see [llms.txt](https://docs.oxfordinfosec.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oxfordinfosec.com/gdpr-compliance.md).

# GDPR Compliance

## Introducing the Service

If your business handles personal data (customer details, employee records, user accounts), you have obligations under UK and EU data protection law. That means having the right policies in place, knowing what data you hold and why, telling people clearly how you use their information, and being ready to deal with a request or a breach when one arrives.

Most small businesses know they should have this in order but have never had the time or the expertise to do it properly. The work gets put off until a customer questionnaire, an investor's due diligence, or a contract clause forces the issue. At that point the gaps are obvious and the deadline is tight.

Oxford Infosec's GDPR Compliance service puts the foundations in place as a defined project. We map your data, write the policies and procedures you actually need, get your privacy notices accurate, and make sure you can demonstrate compliance to anyone who asks. You finish the project with a complete, proportionate set of data protection documentation and processes that reflect how your business genuinely operates.

This is a project, not an ongoing role. It gets you compliant and hands over cleanly. It does not include a named Data Protection Officer, day-to-day handling of requests from individuals, or acting as your formal contact with the regulator. Where you have an ongoing obligation or want someone to run privacy for you, that is our separate DPO as a Service, and we explain the difference below.

## What Problem Does This Solve?

If any of these sound familiar, this service can help:

| Situation                                                         | What typically happens without GDPR foundations in place                                                            |
| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| **A customer or investor asks for your GDPR documentation**       | You scramble to find or create policies, and the answers you give are inconsistent or clearly written overnight.    |
| **You have no record of what personal data you hold**             | Nobody can answer "what data do you have and why", which undermines every other part of compliance.                 |
| **Your privacy notice was copied from a template years ago**      | What you tell people does not match what you actually do, which is exactly what a regulator or buyer looks for.     |
| **Someone asks for a copy of their data and you have no process** | Confusion over who handles it, what the deadline is, and where the data lives, all under a one-month legal clock.   |
| **Your lawful basis for processing has never been worked out**    | Marketing, analytics, and data sharing carry on with no clear justification, which is a common cause of complaints. |
| **Staff have had no data protection training**                    | People mishandle personal data because nobody has told them what the rules are or why they matter.                  |

We work through each of these, put the missing pieces in place, and leave you able to show a clear, defensible data protection position.

## GDPR Compliance vs a DPO

These two services solve different problems. This one gets you compliant as a project. The DPO service is an ongoing role for organisations that need someone to run data protection for them, either because the law requires a DPO or because they would rather it was handled.

| GDPR Compliance (this service)                                                 | DPO as a Service                                                                   |
| ------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------- |
| A fixed-scope project that puts your policies, records, and processes in place | An ongoing engagement with a named, independent Data Protection Officer            |
| Builds the data subject request and breach response procedures                 | Operates those procedures day to day, handling requests and breaches as they arise |
| Sets up your Record of Processing Activities                                   | Maintains the Record of Processing Activities over time                            |
| Hands over so you (or a future DPO) can run things                             | Acts as your formal contact point with the Information Commissioner's Office (ICO) |
| Optional light-touch annual review to keep documentation current               | Continuous advice, monitoring, training, and regulator liaison throughout the year |

If you are legally required to appoint a DPO, or you simply want privacy taken off your plate, start with the DPO service. If you need to get compliant and are happy to run the day-to-day yourself, this is the right service. Many organisations do this project first and add the DPO service later if their obligations grow.

## Fit for Small Businesses

This service is designed for organisations that need proper data protection foundations without the headcount or budget for a full-time privacy function. Typically that means:

* **20 to 200 employees**: large enough to have real data protection obligations, small enough that ongoing in-house privacy expertise is not realistic
* **Handling personal data**: customer accounts, employee records, user data, marketing lists, or other information about identifiable people
* **Operating in the UK or EU**: subject to UK GDPR, EU GDPR, or both
* **Responding to external pressure**: procurement questionnaires, due diligence, or contract clauses that require evidence of compliance, rather than a legal duty to appoint a DPO

We tailor everything to your size and risk profile. The ICO is clear that smaller organisations need a "smaller-scale approach to accountability": you do not need the same level of documentation as a bank or a hospital. We focus on what is genuinely required and what is proportionate, not on generating paperwork for its own sake.

If you are legally required to appoint a DPO, or you want someone to operate data protection on an ongoing basis, our DPO as a Service is the better fit.

## Outcomes: What You Get

### Compliance foundations in place

| Outcome                                 | What this means                                                                                       |
| --------------------------------------- | ----------------------------------------------------------------------------------------------------- |
| **You know what data you hold and why** | A complete Record of Processing Activities that shows what personal data you process, why, and how    |
| **Your lawful basis is clear**          | Every kind of processing has a justification that holds up, including marketing and analytics         |
| **Your policies match how you work**    | A proportionate set of data protection policies and procedures written for your business, not generic |
| **Your privacy notices are accurate**   | What you tell people on your website, in your app, and in contracts matches what you actually do      |
| **You have processes ready to use**     | Procedures for data subject requests and breaches are written and ready before you need them          |

### Confidence with customers and partners

| Outcome                                              | What this means                                                           |
| ---------------------------------------------------- | ------------------------------------------------------------------------- |
| **You can answer privacy questionnaires accurately** | The evidence is documented and ready, not invented under deadline         |
| **Contracts have the right terms**                   | Data processing agreements are in place with your suppliers and customers |
| **You are not the weak link**                        | Partners and customers can see you take data protection seriously         |

### Clarity and control

| Outcome                             | What this means                                                                        |
| ----------------------------------- | -------------------------------------------------------------------------------------- |
| **A defined end point**             | You know what compliance looks like for your business and when you have reached it     |
| **Demonstrable accountability**     | If something goes wrong, you can show you put proper measures in place                 |
| **Your team understands the rules** | Staff know how to handle personal data, so good practice is built into day-to-day work |

## How It Works

The service is delivered as a project that gets you compliant, with an optional light-touch annual review to keep the documentation current as your business changes.

### Phase 1: Getting Compliant

Phase 1 typically takes four to eight weeks, depending on the size of your business, the volume of personal data, and how much is already in place. We scope it precisely after a short discovery call.

| Activity                                  | What this means in practice                                                                                                                                                                          |
| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Kick-off and scoping**                  | A short alignment call to confirm what data you handle, which laws apply, who coordinates internally, and the deadline you are working to.                                                           |
| **Data mapping and Record of Processing** | Work through what personal data you hold, where it comes from, why you process it, who you share it with, and how long you keep it, captured in a Record of Processing Activities.                   |
| **Lawful basis and consent review**       | Establish a defensible lawful basis for each kind of processing, and check that any consent you rely on is collected and recorded properly.                                                          |
| **Privacy notices**                       | Review and rewrite the notices you give customers, employees, and website visitors so they are accurate, clear, and match what you actually do.                                                      |
| **Policy and procedure suite**            | Produce the documentation you need and will use: a data protection policy, a retention schedule, a data subject request procedure, a breach response procedure, and supplier and processor controls. |
| **DPIA process and templates**            | Set up a data protection impact assessment process and template so you can assess privacy risk before launching anything new that uses personal data.                                                |
| **Staff training and awareness**          | Provide induction material and a short awareness session so your team understands their responsibilities under the new policies.                                                                     |
| **Gap remediation and sign-off**          | Work through the gaps found during the project, confirm everything is in place, and hand over a complete set of documentation with a closing summary.                                                |

### Phase 2: Annual Review (optional)

GDPR compliance is not a one-off if your business keeps changing. The optional annual review is a light-touch check that keeps your documentation current. It is deliberately limited and does not include the continuous advice, request handling, or regulator liaison that the DPO service provides.

| Activity                      | What this means in practice                                                                                    |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **Record and policy refresh** | Update the Record of Processing Activities and policies to reflect new products, suppliers, or ways of working |
| **Process check**             | Confirm the data subject request and breach procedures are still understood and being followed                 |
| **Change capture**            | Pick up significant business or regulatory changes since the last review and adjust the documentation          |
| **Questionnaire readiness**   | Re-confirm that your evidence is current and ready for customer or due diligence questionnaires                |

## What's Not Included

This is a project to get you compliant. Ongoing operation of data protection is the DPO service. The boundaries below make the difference clear.

| Out of scope                          | Why / Who does this                                                                                                                                         |
| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Operating data subject requests**   | We build the procedure and hand it over. Running requests as they arrive, within the legal deadline, is the DPO service or your own team.                   |
| **Acting as your DPO or ICO contact** | We do not provide a named Data Protection Officer or act as your formal point of contact with the regulator. That is the DPO service.                       |
| **Ongoing advice between reviews**    | This service has a defined end point. For continuous advice and guidance as questions arise, use the DPO service.                                           |
| **Legal advice**                      | We advise on data protection practice, not employment law, contract law, or formal legal opinions. Use your lawyers for those.                              |
| **EU Representative**                 | If you are UK-based but processing EU residents' data and need an EU Representative, that is a separate appointment. We can advise on whether you need one. |
| **Implementing technical controls**   | If the project finds you need better encryption or access controls, we tell you what is needed. Your IT team implements it.                                 |
| **Compliance platform subscription**  | If you use a compliance automation platform, you pay for the subscription directly. We can configure it as part of the project where you have one.          |

## Assumptions

| Assumption                                          | What this means for you                                                                                                                     |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| **You give us access to what we need**              | We need to see your systems, talk to your people, and review existing documentation. If we cannot access something, we cannot advise on it. |
| **Someone internally coordinates with us**          | You need a point of contact who can answer questions, chase information, and make sure the work happens to the agreed timeline.             |
| **You act on findings**                             | The project adds value when its recommendations are implemented. Documentation that nobody adopts will not make you compliant.              |
| **Technical implementation is your responsibility** | We tell you what needs to change; your team or IT provider makes the technical changes.                                                     |
| **Engagement is delivered remotely**                | The work is delivered remotely in English during UK working hours. Any on-site work is agreed in advance and billed separately.             |

## Who Delivers the Service

Your project will be led by a qualified privacy professional holding recognised credentials, such as:

| Credential | What it means                                                                                              |
| ---------- | ---------------------------------------------------------------------------------------------------------- |
| **CIPP/E** | Certified Information Privacy Professional/Europe. Demonstrates knowledge of European data protection law. |
| **CIPM**   | Certified Information Privacy Manager. Demonstrates ability to operationalise privacy programmes.          |

You will work with the same named consultant throughout the project. If you later take up the DPO service, the same person can continue, so you do not have to explain your business twice.

## Term and Pricing

| Phase                                 | Term                | Pricing                                        |
| ------------------------------------- | ------------------- | ---------------------------------------------- |
| **Phase 1: Getting Compliant**        | 4–8 weeks           | Fixed fee, scoped after a short discovery call |
| **Phase 2: Annual Review (optional)** | Annual, light-touch | Fixed fee per review                           |

This is a project rather than an ongoing retainer. If you need continuous data protection support, the DPO service is structured for that and priced accordingly.

## Combining with Other Services

GDPR Compliance works well alongside Oxford Infosec's other services:

* **DPO as a Service**: where you are legally required to appoint a DPO, or you want someone to run data protection on an ongoing basis, this is the natural next step. The compliance project gets the foundations right, and the DPO then operates and maintains them, handling requests, breaches, and the regulator on your behalf.
* **ISO 27001**: many ISO 27001 controls relate to personal data. Getting your GDPR foundations in place first means the privacy elements of your information security programme are already covered.
* **Cyber Essentials**: several Cyber Essentials controls touch personal data. The two sit naturally together, giving you both a recognised security certificate and a sound data protection position.
* **vCISO**: a vCISO handles information security more broadly. Security and privacy overlap significantly, so the two coordinate to give you a coherent approach.

For many small businesses, getting GDPR foundations in place is the right first step. It gives you a defensible position you can stand behind, and a clear path to ongoing support if your obligations grow.
