UK & EU · Legal obligation · ICO / DPAs ✓ Live in platform

UK GDPR & EU GDPR — a legal obligation for every organisation that processes personal data.

Both UK and EU GDPR require documented policies, technical controls, and evidence of compliance. 786 Cyber generates every required document — Data Protection Policy, Privacy Notice, DPIA process, Incident Response Policy — and maps Article 32 technical measures automatically.

Applies to: All UK organisations  ·  All EU organisations  ·  Any organisation serving EU residents

Two regimes. Same principles. 786 Cyber covers both.

UK GDPR applies post-Brexit to organisations established in the UK, or processing personal data of UK residents. It is enforced by the Information Commissioner's Office (ICO). Fines reach £17.5 million or 4% of global annual turnover.

EU GDPR applies to organisations established in the EU, or any organisation anywhere in the world that processes personal data of EU residents. It is enforced by national Data Protection Authorities (DPAs). Fines reach €20 million or 4% of global annual turnover.

The two regimes share the same core principles and documentation requirements. 786 Cyber generates documentation that satisfies both — with tags clearly indicating which articles and provisions each document addresses.

Six GDPR principles (Art. 5)

Lawfulness, fairness and transparency · Purpose limitation · Data minimisation · Accuracy · Storage limitation · Integrity and confidentiality. Your Data Protection Policy must document how you comply with each.

Article 32 — Technical measures

Encryption, pseudonymisation, access controls, and incident response processes are explicit Article 32 requirements. 786 Cyber maps every technical control to the relevant article automatically.

72-hour breach notification

Both UK and EU GDPR require you to notify your supervisory authority within 72 hours of becoming aware of a personal data breach. Your Incident Response Policy must document this process.

GDPR isn't just about avoiding fines. It's about building the data governance that modern business requires.

The cost of non-compliance

  • Regulatory fines: The ICO issued over £7 million in fines in 2023 alone. EU DPAs issued over €1.7 billion. Fines are not reserved for large organisations — SMEs have been fined for basic documentation failures.
  • Reputational damage: ICO enforcement action is public. A fine or formal reprimand signals to clients, partners, and prospects that you cannot be trusted with their data — damage that often outlasts the penalty itself.
  • Contract losses: Enterprise and public sector clients require documented GDPR compliance before sharing personal data with suppliers. Non-compliance ends commercial relationships.
  • Breach liability: Without documented technical measures, you cannot demonstrate to the ICO that you took appropriate steps. This removes the most important mitigating factor in any enforcement action.

What good GDPR compliance unlocks

  • Client and partner trust: Documented data governance signals that you handle personal data responsibly — a requirement for any client entrusting you with staff, customer, or patient information.
  • Supplier approval: Enterprise procurement questionnaires routinely ask for your Privacy Policy, Data Protection Policy, and evidence of security controls. GDPR compliance documentation answers all of these.
  • Data Processing Agreement readiness: Clients increasingly require a signed DPA before sharing personal data. 786 Cyber's documentation framework prepares you to respond to these requests immediately.
  • Reduced breach impact: Organisations with documented incident response processes notify the ICO faster, demonstrate appropriate controls, and consistently receive more favourable treatment in enforcement proceedings.

"GDPR compliance documentation isn't legal overhead — it's the paper trail that protects your business when something goes wrong, and the signal that opens doors before anything does."

Key documentation and controls required under UK & EU GDPR.

786 Cyber generates every document on this list — tagged to the relevant articles and cross-referenced to related frameworks.

  • ! Data Protection Policy — documents how your organisation collects, processes, stores, and deletes personal data. Addresses all six Art. 5 principles.
    framework:gdpr · framework:uk-gdpr · policy:data-protection · domain:data-protection
  • ! Privacy Notice — transparent information for data subjects about how their data is used (Art. 13/14). Must be published and accessible.
    framework:gdpr · policy:privacy-notice
  • ! Incident Response Policy — documents your 72-hour breach notification process (Art. 33). Must define roles, responsibilities, and escalation paths.
    framework:gdpr · framework:uk-gdpr · policy:incident-response · severity:critical
  • ! Technical security measures (Art. 32) — encryption at rest and in transit, access controls, MFA, and regular security testing all documented and evidenced.
    framework:gdpr · control:encryption · control:mfa · domain:access-control
  • ! Data Retention Policy — documents how long each category of personal data is held and how it is securely deleted. Addresses the Art. 5(1)(e) storage limitation principle.
    framework:gdpr · policy:data-retention · domain:data-protection
  • ~ Data Protection Impact Assessment (DPIA) process — documented process for assessing privacy risk in new projects processing high-risk personal data (Art. 35).
    framework:gdpr · policy:dpia · domain:risk
  • ~ Subject Access Request process — documented procedure for handling data subject rights requests (Art. 15–22) within the 30-day statutory deadline.
    framework:gdpr · domain:data-protection · control:sar-process
  • ~ Third Party / Processor agreements — Data Processing Agreements (DPAs) in place with all third parties processing personal data on your behalf (Art. 28).
    framework:gdpr · policy:third-party-risk · domain:data-protection
  • Records of Processing Activities (RoPA) — documented inventory of all personal data processing activities (Art. 30). Required for most organisations with 250+ employees, recommended for all.
    framework:gdpr · domain:data-protection · control:data-mapping

Every GDPR document generated. Every Article 32 control tracked.

Complete policy suite

Data Protection, Privacy Notice, Incident Response, Data Retention, DPIA, and Third Party Risk policies — all generated and pre-populated for your organisation.

Article-level tagging

Every control and policy tagged to the relevant GDPR articles — and cross-referenced to UK GDPR, ISO 27001, and other frameworks simultaneously.

72-hour breach process

Incident Response Policy includes the 72-hour notification process, escalation paths, and ICO/DPA notification template — ready before an incident occurs.

Audit trail & evidence vault

Every technical measure documented and logged. When the ICO asks for evidence of controls, it's already compiled — timestamped and version-controlled.

Role-based access

Admin, Security Lead, and Viewer roles ensure only the right people can access sensitive compliance documentation — itself an Art. 32 technical measure.

Monthly compliance summaries

Monthly reports track your GDPR compliance progress, outstanding controls, and risk score — giving your DPO or leadership team a clear picture every month.

Get your GDPR documentation in order today.

Generate your Data Protection Policy, Privacy Notice, and Incident Response Policy in minutes — tailored to your organisation.