UK GDPR Policies for UK Businesses

12 ICO-aligned policies drafted for your business — privacy notice, ROPA, DSAR procedure, breach response and more. Ready in 48 hours.

Tags: UK GDPR · ICO Accountability · DPA 2018

Data Protection & Privacy Essentials pack

12 policies · £350 one-off

Lifetime access · no renewal · bespoke to your business

Free account · preview sample policies · buy pack when ready

UK registered & ICO compliant · 197 frameworks · 8 jurisdictions · 990+ bespoke policies · Lifetime purchase · no renewal

What is UK GDPR?

Quick answer. UK GDPR is the UK's retained version of EU GDPR, in force since 1 January 2021 and enforced by the Information Commissioner's Office (ICO). It sits alongside the Data Protection Act 2018 and applies to almost every UK business that handles personal data — customer, employee, marketing, support, CCTV or website cookie data. Article 5(2) accountability requires controllers to evidence compliance, not just claim it.

UK GDPR is the UK's retained version of EU GDPR, in force since 1 January 2021 and enforced by the Information Commissioner's Office (ICO). It sits alongside the Data Protection Act 2018 and applies to almost every UK business that handles personal data — customer records, employee data, marketing lists, support tickets, CCTV footage, cookies on your site.

The cornerstone is Article 5(2) accountability: you don't just have to comply, you have to be able to prove you comply. That means documented policies, a ROPA, DPIAs for risky processing, a breach response plan, and DPAs with every processor. The ICO's first question in any investigation is always "show me your documentation".

Who needs UK GDPR policies?

Quick answer. Every UK business handling personal data — including employee HR records, which makes this effectively every employer. UK B2B SaaS firms (customers ask for privacy notices and DPAs before signing), e-commerce and DTC brands (cookie + marketing-consent scrutiny), agencies and consultancies acting as processors, and charities (the ICO has specifically targeted fundraising and supporter-data practices).

  • Every UK business handling personal data — including employee HR records, so this effectively means every employer.
  • UK B2B SaaS companies — customers ask for your privacy policy and DPA before signing.
  • E-commerce and DTC brands — cookie compliance and marketing-consent scrutiny is rising.
  • Agencies and consultancies processing client data as a processor — you need contracts and documented safeguards.
  • Charities and not-for-profits — the ICO has specifically targeted fundraising and supporter-data practices.

Policies you need for UK GDPR

Quick answer. The ICO's accountability guidance translates into 12 documents: privacy policy (Article 13/14 notice), data retention, DSAR procedure, data breach notification (72-hour ICO reporting), ROPA (Article 30), DPIA template (Article 35), international data transfer (UK IDTA + Addendum), lawful basis register, marketing consent (PECR-aligned), subject-access response templates, third-party DPA (Article 28) and cookie policy.

The ICO's accountability guidance translates into the following 12 documents, all included in our Data Protection & Privacy Essentials pack:

Privacy Policy

External-facing Article 13/14 notice — lawful basis, retention, rights.

Data Retention Policy

Defensible retention periods by data category, with secure deletion.

DSAR Procedure

One-month response window, ID verification, exemptions handling.

Data Breach Notification

72-hour ICO reporting, data-subject notification triggers, log.

ROPA

Article 30 record of processing activities — controller and processor.

DPIA Template

Article 35 screening + full DPIA for high-risk processing.

International Data Transfer

UK IDTA, UK Addendum to EU SCCs, transfer risk assessments.

Lawful Basis Register

Article 6 basis per activity, plus Article 9 conditions for special data.

Marketing Consent Policy

PECR-aligned consent capture, soft opt-in, unsubscribe handling.

Subject-Access Response Template

Pre-drafted letters for valid, clarified, and refused requests.

Third-Party DPA

Article 28 processor contract — sub-processors, audits, transfers.

Cookie Policy

PECR + UK GDPR cookie banner rules, category-level consent.

Realistic timeline to ICO-ready compliance

Quick answer. 2–4 weeks for demonstrable compliance once policies are drafted. PolicySuite compresses the drafting phase from the traditional 4–8 weeks to 48 hours of structured questions and bespoke output. Then 1 week for review and effective-date stamping, 1 week to populate the ROPA, and 1–2 weeks to embed DSAR, breach and DPIA workflows into day-to-day operations.

Most UK SMEs can reach demonstrable compliance in 2–4 weeks once the policies are drafted. PolicySuite compresses the drafting phase from the traditional 4–8 weeks to 48 hours.

  1. Day 1: Register with the ICO if you haven't already (£40/£60/£2,900 depending on size).
  2. Days 2–3: Buy the Data Protection & Privacy Essentials pack, answer the structured questions, get 12 bespoke policies in 48 hours.
  3. Week 2: Populate ROPA, run DPIA on highest-risk processing, sign DPAs with key processors.
  4. Week 3: Publish privacy and cookie notices, update cookie banner, distribute internal policies.
  5. Week 4: Run a DSAR and breach drill, collect staff acknowledgements, file evidence.
  6. Ongoing: Annual review, update ROPA when processing changes, refresh training.

PolicySuite vs GRC platforms vs consultant vs DIY

Quick answer. GRC platforms (OneTrust, Vanta) automate inventory and DSAR ticketing but expect you to bring your own policies — typically £15k–£60k/year. Privacy consultants charge £3k–£15k for a UK GDPR policy set with 4–8 weeks turnaround. DIY templates are free but rarely ICO-ready and miss accountability evidence. PolicySuite produces ICO-defensible UK GDPR policies in 48 hours from £400.

UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.

Each row below lists the four routes in the same order: PolicySuite / GRC platforms (Vanta, Drata, SecureFrame) / Compliance consultant / DIY templates.

  • Typical cost: £250–£1,500 one-off / £10k–£40k per year / £5k–£30k one-off / £0 + your time
  • Pricing model: Lifetime purchase / Annual seat-based / Project fee / Free (indefinite effort)
  • Time to policies ready: 48 hours / 4–8 weeks setup / 8–16 weeks / Months — rarely finished
  • UK-specific content: Built for UK SMEs / Partial — US-originated / If UK consultant / Partial — ICO templates only
  • Bespoke to your business: LLM-tailored from your answers / Partial — fill-in-the-blank / Yes — manual / Generic template
  • Framework coverage: 197 frameworks · 8 jurisdictions / 20–50 frameworks / Whatever the consultant knows / Up to you to find
  • Audit-ready evidence: Acknowledgements, distributions, version history / Strong — but seat-priced / You track it yourself / You track it yourself
  • Suits <50-person SMEs: Designed for UK SMEs / Price-prohibitive at SME scale / Sometimes — depends on scope / If you have the time
  • Cost to switch away: You own the docs — export anytime / Lose access on cancellation / You own the docs / You own the docs


Frequently asked questions

What policies does UK GDPR actually require?

UK GDPR does not enumerate a fixed list of policies, but Article 5(2) accountability means you must demonstrate compliance with documented measures. The ICO expects a privacy policy, retention schedule, DSAR procedure, breach response plan, ROPA (Article 30), DPIA template, lawful-basis register, international-transfer policy, and supporting DPAs with processors. Most UK SMEs run 10–14 distinct policies to cover it.

Is UK GDPR different from EU GDPR?

UK GDPR is the UK's domestic version post-Brexit, sitting alongside the Data Protection Act 2018. Substantive obligations are almost identical but references to supervisory authority point to the ICO, fines are in sterling (max £17.5m or 4% of global turnover), and international transfers use UK IDTA or the UK Addendum rather than EU SCCs. If you serve EU residents you still need to comply with EU GDPR separately.

Do I need a Data Protection Officer?

A DPO is mandatory only if you are a public authority, conduct large-scale systematic monitoring, or process special-category data at scale. Most UK SMEs do not need a formal DPO but must still appoint someone accountable and register with the ICO (£40–£2,900 fee depending on size). PolicySuite policies use a named "Privacy Lead" role that covers either scenario.

How much does the ICO fine for GDPR breaches?

Maximum fines are the higher of £17.5 million or 4% of annual global turnover for the most serious infringements. In practice ICO enforcement focuses on reprimands, enforcement notices, and fines from a few thousand pounds upwards for SMEs. For an SME the bigger exposure is usually the cost of a data-subject claim or losing a customer contract after a breach.

What is a ROPA and do I need one?

A Record of Processing Activities under Article 30 documents every processing activity: purpose, categories of data subject and data, recipients, retention, security measures, and transfers. It is mandatory unless you are under 250 employees AND your processing is occasional AND non-special-category AND low-risk — which excludes almost every B2B SaaS. Our pack includes a ROPA template plus the policy explaining how to maintain it.

What does the Data Protection & Privacy Essentials pack include?

12 UK GDPR / EU GDPR-aligned policies: privacy policy, data retention, DSAR procedure, breach notification, ROPA, DPIA template, international transfers, lawful basis register, marketing consent, subject-access response template, third-party DPA, and cookies. Lifetime access, bespoke to your organisation — see the product page for live pricing.

Get ICO-ready in 48 hours

Get 12 bespoke UK GDPR policies drafted for your business — lifetime access, no renewal.

Get Started — £350

References and primary sources

Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.

In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map and the standard reply pointed at a marketing page rather than the relevant regulator. The references above are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.