Data Protection
Written by Joanne Hughes, Policy & Compliance Specialist

GDPR Policies and Consultancy

GDPR came into effect in May 2018 and UK GDPR in 2021. However, it is common knowledge that not all businesses are fully compliant with, or understand, the current data protection rules.

Often, this includes companies that launched after these dates. We offer companies GDPR Consultancy.

Being Compliant

To be fully compliant is to be GDPR aware throughout the business. Therefore, templated GDPR policies from third-party companies are not useful and do not promote understanding. In fact, this approach can leave company heads even more confused about what to do about data security!

How We Can Help

At Policy Pros we have assisted multiple companies of up to 100 employees with GDPR compliance and understanding. Our easy-to-understand custom documentation covers all the key legislative considerations.

Also, staff training can help promote a culture of data security awareness.

What Our GDPR Policies Cover

  • Custom GDPR Policy Document.
  • Modification of existing documentation such as:
    • Employment contracts
    • Staff handbooks
    • Any other related documents
  • We can also create your:
    • Information Security Policy
    • Data Security Policy
    • Privacy Policy (if required for web and email)

ISO 27001

In addition, we can also assist with ISO 27001 Information Security Management certification analysis and a full suite of documentation. Please visit our Information Security page to see some of the requirements for ISO 27001.

Contact Us about GDPR Policies

If you are interested in GDPR policy writing or ISO 27001, please contact us via the form below.

UK GDPR in 2026: What Has Settled and What Is Still Moving

The UK's data protection framework continues to be the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

The Data (Use and Access) Act 2025 received Royal Assent in 2025 and is being commenced in phases through 2025 and 2026, modernising parts of the regime around research, smart-data sharing, and digital identity, while leaving the core principles intact.

The UK-EU adequacy decision was extended in 2024 and is up for review in 2025-2026. The UK-US Data Bridge remains in force for in-scope US transfers.

What an Effective GDPR Policy Suite Looks Like

  • A Data Protection Policy that names the senior responsible owner and the DPO (where required).
  • A Privacy Notice for each major personal-data flow (employees, customers, applicants, suppliers).
  • A Records of Processing Activities (ROPA) under Article 30.
  • A Data Breach Policy aligned to the 72-hour notification window.
  • A Data Subject Rights procedure covering access, rectification, erasure, portability and objection.
  • A DPIA template with a triage tool to decide when one is required.
  • An international transfer mechanism register (UK Addendum, UK IDTA, Data Bridge).
  • A retention schedule by data category.

Common ICO Enforcement Themes

  • Late breach notification (Article 33 timing not understood).
  • Privacy notices that misdescribe the lawful basis or the recipients of data.
  • Excessive retention (no schedule, or schedule not enforced).
  • Cookie consent banners that do not meet PECR standards.
  • Inadequate due diligence on processors (Article 28).

Frequently Asked Questions

Do I need a Data Protection Officer?

You must appoint a DPO if you are a public authority, if your core activities require regular and systematic monitoring at scale, or if you process special-category or criminal-conviction data at scale. Outside these cases, a senior responsible owner (SRO) is recommended but not statutorily required.

What is the maximum fine?

The higher of £17.5 million or 4% of global annual turnover for the most serious breaches; £8.7 million or 2% of turnover for procedural breaches.

Does the Data (Use and Access) Act change much?

For most controllers, the day-to-day practice is unchanged. The Act streamlines parts of research, smart-data sharing, and digital verification services, and clarifies several long-running ambiguities.

What Policy Pros Delivers

Our GDPR policy library, ROPA, DPIA framework and breach process are designed to be ICO-defensible and to integrate with information security, HR, and procurement processes. We also support DPO-as-a-service for clients who need ongoing oversight.
