GDPR Still Catches London SMBs Off Guard

Seven years after GDPR came into force, the Information Commissioner's Office (ICO) is still levying significant fines against small UK businesses. In 2025, the ICO issued over £12 million in fines — and the vast majority involved basic, preventable IT failures rather than sophisticated attacks.

The common misconception is that GDPR compliance is a legal matter — something your solicitor sorts out with a privacy policy and a cookie banner. In reality, most GDPR obligations are IT obligations: how personal data is stored, who can access it, how long it's kept, and what happens when things go wrong.

If you run a London-based professional services firm — an accountancy practice, law firm, or estate agency — you hold significant volumes of sensitive personal data. Here's the IT checklist your setup needs to pass.

The 7-Point GDPR IT Compliance Checklist

✅ 1. Data Encryption at Rest and in Transit
All devices that store personal data must be encrypted. On Windows, that means BitLocker. On macOS, FileVault. Files shared with clients should be transmitted over encrypted connections (HTTPS, TLS). If a laptop is stolen and unencrypted, you have a reportable breach — full stop. TechSquad's security assessment checks every device in your fleet for encryption status.
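The encryption-status check described above, as an added PowerShell example rather than TechSquad's own assessment tooling: it inspects every BitLocker volume on a Windows device, treats a volume as compliant only if it is fully encrypted, currently protected and has a recovery password escrowed, and appends a dated CSV record that can serve as evidence. The report path is an assumed location; run it as Administrator on a machine with the BitLocker module.

```powershell
# Added example (not TechSquad's tooling). Requires Windows, the BitLocker
# PowerShell module and an elevated session. $ReportPath is an assumed path.
$ReportPath = "C:\Evidence\bitlocker-$(Get-Date -Format 'yyyy-MM-dd').csv"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

$report = foreach ($v in Get-BitLockerVolume) {
    $protectorTypes = $v.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # Caveat: 'FullyEncrypted' alone is not enough. ProtectionStatus 'Off' on a
    # fully encrypted volume means BitLocker is suspended (common after firmware
    # updates) and the data is readable without a key. A volume with no escrowed
    # recovery password is a data-loss risk if the TPM or user PIN fails.
    $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and
                 ($v.ProtectionStatus -eq 'On') -and
                 ($protectorTypes -contains 'RecoveryPassword')

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        CheckedAt      = (Get-Date).ToString('s')
        MountPoint     = $v.MountPoint
        VolumeType     = $v.VolumeType          # OperatingSystem or Data
        VolumeStatus   = $v.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
        ProtectionOn   = ($v.ProtectionStatus -eq 'On')
        PercentDone    = $v.EncryptionPercentage
        HasRecoveryKey = ($protectorTypes -contains 'RecoveryPassword')
        Compliant      = $compliant
    }
}

# Append to the evidence file so repeated runs build a dated history.
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} volume(s) not compliant: {1}" -f $failed.Count, ($failed.MountPoint -join ', '))
    exit 1   # non-zero exit lets an RMM or scheduled task flag the device
}
exit 0
```

Run it from a scheduled task or RMM job across the fleet and collect the CSVs centrally; the exit code tells the scheduler which devices need attention, and the CSV history is the kind of record an auditor asks for.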

✅ 2. A Documented Backup Policy (and Evidence It Works)
Under GDPR Article 32, you must demonstrate you can restore personal data after an incident. A backup running in the background but never tested doesn't satisfy this requirement. You need a written backup policy, automated daily backups, and a quarterly restore test — with records proving it was performed. Our managed IT support automates all three.

✅ 3. Role-Based Access Controls
Not everyone needs access to everything. GDPR's data minimisation principle requires that access to personal data is limited to those who need it for their specific role. That means user permissions on shared drives, separate admin accounts for IT functions, and a leaver process that revokes access within 24 hours. If your whole team can access your entire client database, that's a compliance gap.

✅ 4. Email Security Controls
Email is the most common GDPR breach vector for professional services firms. Sending client data to the wrong address, having your email account compromised, or storing sensitive documents in an unsecured inbox are all reportable incidents. You need: spam filtering, multi-factor authentication (MFA) on all email accounts, and ideally data loss prevention (DLP) rules that flag when sensitive data is sent externally.

✅ 5. A Written Incident Response Plan
GDPR Article 33 requires you to report a personal data breach to the ICO within 72 hours of becoming aware of it. Most businesses fail this not because they don't care, but because nobody knows the process. Your plan must define: who decides whether a breach is reportable, how to document it, who contacts the ICO, and how affected individuals are notified. Until that plan is written down and tested, you're exposed.

✅ 6. Staff Data Protection Training
The ICO expects you to demonstrate that staff handling personal data have received appropriate training. Annual training is the minimum; role-specific training is required for anyone with elevated access. Training records — who attended, when, and what was covered — are evidence of compliance and can significantly reduce fines if a breach occurs despite your precautions.

✅ 7. Third-Party Processor Audit
Every cloud service, SaaS tool, or contractor that processes personal data on your behalf is a "data processor" under GDPR. You need a Data Processing Agreement (DPA) in place with each one. Review your software stack: CRM, accounting software, email marketing, cloud storage. If any processor stores UK citizen data without a current DPA, you're jointly liable for their failures. Most SMBs discover they have 15–20 active data processors — many undocumented.

How Much Does a Data Breach Actually Cost?

The ICO's maximum fine for SMBs is £17.5 million or 4% of global annual turnover — whichever is higher. For London small businesses, the real cost structure typically looks like this:

In 2025, a London solicitors' firm was fined £98,000 for an unencrypted laptop theft that exposed 3,400 client records — a preventable incident that would have cost under £500 to mitigate. The ICO cited the absence of a data protection impact assessment and lack of staff training as aggravating factors.

Red Flags Your IT Setup Isn't Compliant

You don't need a formal audit to spot the biggest gaps. These are the most common red flags we see in London professional services businesses:

If three or more of these apply, you have a material compliance gap. Start with our Free IT Health Check to see exactly where you stand.

How TechSquad London Helps

Scott Drinkwater is a CompTIA Security+ certified engineer with over 15 years of enterprise security experience — including roles at Genetec, Bosch, and Gallagher. He now applies that same enterprise rigour to London SMBs who can't afford an in-house security team but can't afford a breach either.

Our managed security and compliance service includes:

Compliance monitoring is included in our managed IT packages from £2,995 — so you're not buying a one-time audit that goes stale the moment your software stack changes.

Start With a Free IT Health Check

Not sure where you stand? Our Free IT Health Check takes 5 minutes and covers the four highest-risk areas for London SMBs: network security, backup status, email security, and website security. You'll receive a personalised report within 48 hours.

For a detailed GDPR compliance review, contact us directly. We work with accountants, solicitors, and estate agents across London — and we speak plain English, not legal jargon.