Skip to content
360 Cyber Compliance

UK GDPR audits, DPIAs, policies & training

Data Protection & UK GDPR

From gap audits and DPIAs to policies, data-processing agreements and staff training, we make UK GDPR and the Data Protection Act 2018 manageable — with the NHS Information Governance context care providers need.

What you get

  • A clear GDPR gap analysis and action plan
  • DPIAs, policies and records of processing
  • Practical staff data-protection training
  • Breach response you can actually follow

Pricing: Request a quote

What data protection and UK GDPR mean

In the UK, the handling of personal data is governed by the UK GDPR together with the Data Protection Act 2018. Between them they set out how organisations must collect, use, store and share information about identifiable people — from clients and service users to staff and suppliers. The regulator responsible for enforcing these laws is the Information Commissioner’s Office (ICO).

Personal data is any information relating to an identified or identifiable living person. Some data — including health and care information — is special category data, which carries stronger protections. For care and health providers this matters enormously, because much of the information you hold about the people you support falls into that more sensitive category.

Data protection is not a one-off project. It is an ongoing responsibility that touches almost every part of an organisation, and getting it right builds trust with the people whose data you hold.

Who must comply — and who is exempt

Almost every organisation processes personal data, so the law applies very widely. If you employ staff, keep client records, run a website with contact forms, or use suppliers who handle data on your behalf, UK GDPR applies to you.

There are limited exemptions and specific provisions for certain activities, and the obligations are proportionate — a small care agency is not expected to run the same programme as a national insurer. But the core principles apply regardless of size. Purely personal or household activity (such as a private address book) falls outside the law, but that rarely helps a business or care provider.

Separately, most organisations that process personal data must pay a data protection fee to the ICO unless a specific exemption applies. This is a legal requirement distinct from complying with the GDPR principles themselves.

The core principles and obligations

UK GDPR is built on a set of data protection principles. In plain terms, personal data must be:

  • Processed lawfully, fairly and transparently, on a valid lawful basis
  • Collected for specified, legitimate purposes and not used incompatibly
  • Adequate, relevant and limited to what is necessary (data minimisation)
  • Accurate and kept up to date
  • Kept no longer than necessary (storage limitation)
  • Kept secure through appropriate technical and organisational measures

You are also accountable — you must be able to demonstrate compliance, not just claim it. Individuals have rights too, including the rights to be informed, to access their data, to rectification, to erasure in certain circumstances, and to object to certain processing.

Breaches and DPIAs

Two areas deserve particular attention:

  • Personal data breaches. If personal data is lost, stolen or wrongly disclosed, you must assess the risk to individuals. Notifiable breaches must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them. Where the risk to individuals is high, you must also tell the affected people. Having a tested breach procedure is essential to meeting that timescale.
  • Data Protection Impact Assessments (DPIAs). Where processing is likely to result in a high risk to individuals — often the case with health data or new technology — you must carry out a DPIA before you begin. Our DPIA guide explains when one is required and what it should contain.

Lawful bases in plain English

A frequent source of confusion is the idea of a lawful basis. UK GDPR does not say you may only process data with consent — it gives six possible lawful bases, and you must choose the one that genuinely fits each activity:

  • Consent — the person has freely agreed. Powerful but fragile, because it can be withdrawn, and it is often the wrong choice for something you need to do anyway.
  • Contract — processing necessary to deliver a service the person has asked for.
  • Legal obligation — processing you must do to comply with the law.
  • Vital interests — protecting someone’s life, which can be relevant in care emergencies.
  • Public task — carrying out an official function or task in the public interest.
  • Legitimate interests — a flexible basis for processing that a reasonable person would expect, balanced against their rights.

For special category data such as health information, you also need an additional condition on top of your lawful basis, because that data carries stronger protection. Care providers routinely rely on conditions relating to health and social care rather than consent, and getting this mapping right is one of the most valuable things you can do. Relying on consent by default — and then being unable to deliver care if someone withdraws it — is a common and avoidable trap.

What good compliance looks like in practice

A practical, proportionate data-protection programme usually includes:

ElementPurpose
Record of Processing Activities (ROPA)Know what data you hold, why, and where it goes
Privacy noticesTell people clearly how you use their data
Lawful basis mappingConfirm a valid basis for each processing activity
Data protection policy and proceduresSet expectations and give staff clear guidance
Retention scheduleKeep data only as long as needed
Data subject rights processHandle access and other requests within the time limits
Breach response planMeet the 72-hour reporting expectation
Supplier / processor agreementsEnsure third parties protect data properly
Staff trainingMake good practice everyday behaviour

Accountability: showing your working

A principle worth dwelling on is accountability, because it changes how the whole framework feels in practice. It is not enough to comply with the data protection principles — you must be able to demonstrate that you do. In other words, the ICO expects you to show your working. This is why the practical documents matter so much: a Record of Processing Activities, clear privacy notices, a data protection policy, a retention schedule and a breach log are not bureaucracy for its own sake, they are the evidence that your good intentions are matched by real practice. For a care provider, being able to produce these records also reassures commissioners, families and the CQC that data is being handled responsibly. The reassuring part is that accountability is proportionate: a small organisation is expected to keep proportionate, workable records, not to imitate the compliance machinery of a large corporate. Getting these foundations in place once, and keeping them current, is what makes every future request, audit or incident far easier to handle.

Common mistakes

  • Relying on consent for everything. Consent is only one lawful basis, and often not the most appropriate one.
  • No record of processing. Without a ROPA it is very hard to demonstrate accountability.
  • Weak or missing breach procedures, leaving the 72-hour clock impossible to meet in a real incident.
  • Ignoring processors. You remain responsible for data handled by suppliers on your behalf.
  • Forgetting the ICO fee, which is a separate legal obligation.
  • Treating training as a one-off rather than an ongoing habit.

How it relates to the other standards

Data protection underpins much of the wider compliance landscape:

  • The technical “security of processing” expectation is directly supported by Cyber Essentials and Cyber Essentials Plus.
  • The governance elements overlap heavily with the DSPT for care and health providers.
  • ISO 27001 and IASME Cyber Assurance provide management frameworks that can house your data-protection controls — and Cyber Assurance Level 2 includes a dedicated GDPR assessment.
  • If you handle card payments, PCI DSS obligations sit alongside UK GDPR.
  • Where you need dedicated, ongoing oversight, an outsourced DPO can carry the responsibility for you.

Key terms are defined in our glossary.

How 360 Cyber Compliance helps

Data protection can feel daunting because it touches everything — but it becomes manageable when broken into proportionate, practical steps. We work on a transparent fixed-fee basis, following a clear delivery process tailored to your size and the sensitivity of the data you hold.

We help you understand what personal data you process and why, map lawful bases, produce or refresh the core documents (privacy notices, ROPA, policies, retention schedule), and put a workable breach-response process in place so the 72-hour expectation is realistic rather than theoretical. We help you handle data subject rights, complete DPIAs where they are needed, and get supplier agreements in order — and we can train your team so good practice sticks.

We provide practical support throughout and make no guarantees about regulatory outcomes; our role is to help you build honest, demonstrable compliance you can stand behind.

Individuals’ rights and how to handle requests

A large part of everyday data protection is responding well when people exercise their rights — most commonly the right of access, where someone asks for a copy of the data you hold about them. Handled poorly, these requests cause stress and missed deadlines; handled well, they build trust. The essentials are to recognise a request whenever it arrives (it does not have to mention “GDPR” or come on a form), to confirm who is asking, to respond within the statutory time limit, and to release the information carefully so you do not accidentally disclose someone else’s data. We help you put a simple, repeatable process in place so that requests are met calmly and on time, and so staff know what to do the moment one lands. If you would like a clear starting point, get in touch to discuss where your organisation stands today.

What you'll receive

  • A UK GDPR gap analysis and action plan
  • A Record of Processing Activities (RoPA)
  • Core data-protection policies and privacy notices
  • DPIA templates and support
  • A breach-response procedure
  • Plain-English staff training

On your own vs. with 360 Cyber Compliance

On your ownWith us
Interpret UK GDPR and the DPA 2018 yourselfWe translate the law into practical steps
Build a RoPA and DPIAs from scratchReady-to-use templates, completed with you
Hope your breach process holds upA tested procedure your staff can follow

A typical timeline

  1. 1

    Weeks 1–2

    Gap analysis and data mapping

  2. 2

    Weeks 2–4

    Policies, RoPA and privacy notices

  3. 3

    Weeks 4–6

    DPIAs, breach process and staff training

Indicative only — your timeline depends on your starting point, size and deadline.

Data Protection & UK GDPR across London

We support organisations in these boroughs — and remotely across the rest of the UK.

Why choose us for Data Protection & UK GDPR

Care & health specialists

DSPT, CQC expectations and NHS data flows are our day job, not a sideline.

Transparent fixed-fee engagements

A clear scope and price agreed up front — no open-ended day rates.

Remote delivery, UK-wide

Almost everything is done remotely, wherever you are in the country.

Award-winning expertise

Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.

Practical, plain-English support

Clear guidance and templates throughout the assessment — no jargon.

Ongoing support

Annual renewals, surveillance audits and everyday advice after you are certified.

Frequently asked questions

Do we need a DPO?

Many care and health organisations do. If a mandatory DPO isn't required, an outsourced DPO is often the pragmatic choice.

Can you train our staff?

Yes — we deliver plain-English, care-sector-relevant training remotely or on-site.

What is a DPIA?

A Data Protection Impact Assessment identifies and reduces privacy risks before you start high-risk processing — for example new systems handling health data.

What is a RoPA?

A Record of Processing Activities documents what personal data you hold, why, and who you share it with. Most organisations are required to keep one.

How quickly must we report a breach?

Notifiable personal data breaches must be reported to the ICO without undue delay and within 72 hours of becoming aware. We help you decide and act fast.

How does GDPR relate to the DSPT?

The DSPT is largely how NHS-facing organisations evidence their data-protection obligations, so good GDPR practice feeds directly into a strong DSPT.

Get started with Data Protection & UK GDPR

Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.

  • Plain-English, jargon-free advice
  • Fixed-price quotes — no surprises
  • Delivered remotely across the UK

By submitting you agree to our privacy policy. We never share your details.