Quick answer: A GDPR compliance checklist for a UK scale-up should cover eight core areas: lawful basis for processing, privacy notices, records of processing (ROPA), data subject rights, data protection impact assessments (DPIAs), supplier agreements, incident management, and staff training. The UK GDPR applies to any organisation established in the UK that processes personal data, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. Size is not an exemption. If you are growing fast, the gaps in your data protection approach grow with you.
Most GDPR compliance checklists are written for one of two audiences: large enterprises with dedicated legal teams, or micro-businesses with a single laptop and a mailing list. Neither is particularly useful if you are a scaling business — one with multiple data flows, a growing headcount, and investors or customers who will shortly start asking hard questions about your data protection posture.
The stakes at scale-up stage are higher than most founders or ops leaders realise. Data protection failures don't just attract regulatory fines — they slow down or kill deals, derail fundraising rounds, and erode the trust you have spent years building with customers. The ICO is clear that the UK GDPR applies regardless of business size, and it enforces accordingly.
This checklist is structured around what actually matters at the scale-up stage — not a theoretical list of obligations, but the practical areas where scaling businesses most commonly have gaps, and where those gaps are most likely to cause problems.
Under Article 6 of the UK GDPR, every processing activity requires a lawful basis. You cannot process personal data without one. The six available bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
For most scale-ups, the relevant bases are contract, legitimate interests (which must be assessed and documented in a Legitimate Interests Assessment, or LIA, before processing starts) and, in some cases, consent. Consent is often harder to maintain correctly than businesses assume: it must be freely given, specific, informed and unambiguous, it must be as easy to withdraw as it was to give, and you need a record of when and how it was obtained.
Privacy notices — your privacy policy, cookie notice, and any employee or recruitment privacy information — are your primary transparency mechanism under the UK GDPR. Articles 13 and 14 set out what must be included when personal data is collected directly or obtained from third parties.
Most scale-ups have a privacy policy. Fewer have one that is accurate, current, and actually reflects how the business processes data. A notice that refers to systems you no longer use, or retention periods you don't follow, creates its own compliance risk.
Article 30 of the UK GDPR requires organisations to maintain a formal Record of Processing Activities. Article 30(5) exempts organisations with fewer than 250 staff, but the exemption is narrow: it does not apply if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special category or criminal offence data. Almost any business with customers and employees fails at least one of those tests, so for most scale-ups a ROPA is both legally required and commercially essential.
A ROPA is the foundation of your compliance programme. Without it, you cannot answer the basic due diligence questions that investors, enterprise customers, and regulators will ask. It is also the starting point for DPIAs, lawful basis assessments, and supplier management.
Trust Keith's privacy management platform includes a built-in data mapping and ROPA module designed for scaling businesses — so this doesn't have to live in a spreadsheet that goes out of date within weeks of being created.
A DPIA is required under Article 35 of the UK GDPR before carrying out processing that is likely to result in a high risk to individuals — including large-scale profiling, systematic monitoring, processing of special category data, and new technologies including AI tools.
Scale-ups launching new products, deploying new software that processes user data, or expanding into new markets are often in DPIA territory without realising it. Failing to conduct a required DPIA is a compliance failure in its own right, regardless of whether any harm actually results.
For a practical walkthrough, see Trust Keith's guide to AI DPIAs: when to run them and how to get them right.
Under Article 28 of the UK GDPR, whenever you share personal data with a third party that processes it on your behalf — a cloud platform, payroll provider, CRM tool, marketing platform, analytics vendor — you must have a Data Processing Agreement (DPA) in place. You, as the data controller, remain responsible for how that data is handled.
This is one of the most commonly overlooked areas at scale-up stage. Growth moves fast. New tools get adopted quickly. Supplier agreements get signed without checking whether a DPA exists or whether it actually meets the Article 28 requirements.
Under the UK GDPR, individuals have a range of rights: access (Subject Access Requests, or DSARs), erasure, rectification, restriction of processing, data portability, and the right to object. The standard response deadline under Article 12(3) is one calendar month from receipt of the request. That clock starts on the day the request is received by any part of the business, whether or not it was sent to the right inbox and whether or not that day is a working day. You can extend by a further two months if the request is complex or the individual has made several, but you must tell them so within the first month. A missed deadline is a breach of Article 12(3) in its own right and gives the requester grounds to complain to the ICO.
For a full walkthrough of the process, see How to Respond to a DSAR Request in 7 Simple Steps.
Under Article 33 of the UK GDPR, a personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The burden is on you to justify not reporting, and any decision not to report must be documented. Where the breach is likely to result in a high risk to individuals, they must also be notified directly under Article 34.
72 hours is an extremely short window if you don't have a process already in place. Decisions about whether to report, who reports, what to say, and who needs to know internally cannot be made from scratch in the middle of an incident.
For more on prevention and response, see The Most Common Data Protection Incidents — And How to Prevent Them.
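The two clocks described above (the one-calendar-month DSAR deadline and the 72-hour breach notification window) are easy to get wrong by hand, especially around month ends, weekends and bank holidays. The following is an added example, not code from the original page or from Trust Keith, that encodes the ICO's published counting rules: the deadline is the corresponding date in the following month, the last day of that month if there is no corresponding date, and the next working day if that lands on a weekend or public holiday. The bank-holiday set is a caller-supplied assumption; nothing here fetches the real UK calendar, and the dates in the usage section are constructed samples.

```python
"""Deadline calculator for UK GDPR response clocks (added example).

Encodes the ICO's counting rules for the Article 12(3) one-month DSAR
deadline and the Article 33 72-hour breach-notification window.
Assumption: the caller supplies the set of public holidays; nothing here
looks up the real UK calendar.
"""
import calendar
from datetime import date, datetime, timedelta


def _add_months(day: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (e.g. 31 January + 1 month), the
    ICO's rule is to use the last day of that month.
    """
    month_index = day.month - 1 + months
    year = day.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def _next_working_day(day: date, holidays: frozenset) -> date:
    """Roll forward past Saturdays, Sundays and any supplied public holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_deadline(received: date, extended: bool = False,
                  holidays: frozenset = frozenset()) -> date:
    """Date by which a subject access request must be answered.

    The clock starts on the day the request is received, whether or not that
    is a working day. A complex or voluminous request may be extended by a
    further two months (three in total). If the resulting date falls on a
    weekend or a public holiday, the deadline is the next working day.
    """
    months = 3 if extended else 1
    return _next_working_day(_add_months(received, months), holidays)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the ICO under Article 33: 72 hours from awareness.

    Unlike the DSAR clock there is no working-day allowance; the 72 hours
    run straight through weekends and public holidays.
    """
    return aware_at + timedelta(hours=72)


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left on the Article 33 clock (negative once it has expired)."""
    return (breach_notification_deadline(aware_at) - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample inputs; the holiday set is an assumption, not real data.
    sample_holidays = frozenset({date(2025, 12, 25), date(2025, 12, 26)})
    print(dsar_deadline(date(2025, 1, 31)))                             # no 31 Feb: last day of Feb
    print(dsar_deadline(date(2025, 2, 1)))                              # 1 Mar is a Saturday: rolls to Monday
    print(dsar_deadline(date(2025, 11, 25), holidays=sample_holidays))  # lands on Christmas: rolls past holidays
    print(breach_notification_deadline(datetime(2025, 3, 14, 17, 30)))  # Friday evening breach: Monday evening deadline
```

The point of the `_next_working_day` roll-forward is that it applies only to the DSAR clock. The Article 33 window is counted in hours from awareness, so a breach discovered on a Friday evening still has to be assessed and, if reportable, notified by Monday evening; that is exactly the case where having the process written down in advance matters.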
The ICO's accountability framework expects organisations to demonstrate that staff who handle personal data understand their obligations. In practice, a significant proportion of data breaches are caused not by technical failures but by human error — a misdirected email, a weak password, a phishing click, or a misunderstanding of what is and isn't permitted to be shared.
Training also matters commercially. If an investor or enterprise customer asks whether your staff are trained on data protection, "we have a policy" is not the same answer as "we have trained all staff, and here is the evidence."
Completing a checklist is a point-in-time snapshot. The harder challenge — and the one that distinguishes businesses that are genuinely compliant from those that have done a one-off exercise — is maintaining compliance as the business changes. New tools. New markets. New headcount. New products. Each one has data protection implications that need to be assessed, documented, and managed.
This is why the question for most scaling businesses isn't "have we done a GDPR checklist?" It's "do we have a privacy programme that scales with us?" The difference matters — particularly when a Series A investor asks for your data room, when an enterprise customer runs due diligence, or when the ICO comes knocking.
Trust Keith works with UK scale-ups at exactly this stage — combining a dedicated privacy expert embedded in your team with an intelligent platform that operationalises every area of this checklist: data mapping, ROPA, DPIAs, supplier management, DSAR workflows, incident management, and staff training. Not as a one-off project, but as an ongoing programme that evolves as you do.
Yes. The UK GDPR applies to any organisation that processes personal data about individuals in the UK, regardless of size. Some obligations, such as the formal ROPA requirement, have a limited exemption for organisations with fewer than 250 staff, but it is narrow and does not apply to processing that is likely to result in a risk to individuals, that involves special category or criminal offence data, or that is not occasional. Most scaling businesses will not qualify for meaningful exemptions in practice.
A checklist is a self-assessment tool that helps identify what should be in place. A GDPR audit is a structured, evidence-based review of what is actually in place — typically conducted by an external expert — that produces findings, a gap analysis, and a prioritised remediation plan. For scale-ups preparing for investor or customer due diligence, an audit is usually more useful than a self-assessment alone.
Under UK GDPR Articles 37–39, a DPO is mandatory if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category or criminal offence data, or if you are a public authority. Many UK scale-ups in tech, healthtech, fintech, and HR tech will meet this threshold. Even where a DPO is not legally required, having qualified privacy expertise, whether in-house or through an outsourced DPO service, is increasingly expected by investors and enterprise customers.
At minimum, annually — and whenever a significant change occurs in the business: launching a new product, entering a new market, adopting a new tool that processes personal data, or taking on a new category of customer or employee. A compliance programme that was adequate at one stage of growth may not be adequate at the next.
The consequences vary by context. Regulatory enforcement from the ICO can include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, under the UK GDPR. Commercially, failing due diligence can delay or kill deals and is a common reason enterprise customers walk away. In fundraising, material gaps in data protection are increasingly a deal blocker at Series A and beyond. The cost of inaction almost always exceeds the cost of getting it right.