Compliance Support

Compliance doesn't have to be complicated. For most small businesses, the key obligations are Cyber Essentials (if you bid for government contracts) and UK GDPR (if you hold personal data — which almost every business does).

Cyber Essentials: what it is and why it matters

Cyber Essentials is a UK government-backed certification scheme. It defines five basic security controls that protect against the most common cyber attacks. Certification is mandatory for government contracts involving sensitive data.

  • The five Cyber Essentials controls are: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Software Updates.
  • Cyber Essentials (self-assessed) is the entry-level certification — suitable for most small businesses.
  • Cyber Essentials Plus includes an independent technical verification — required for some higher-risk contracts.
  • Certification is annual — you need to renew each year to maintain it.
  • Certification fees start from a few hundred pounds and are available through NCSC-approved certification bodies.

UK GDPR basics for small businesses

UK GDPR (General Data Protection Regulation) governs how you collect, store, and use personal data. Almost every business holds some personal data — even just customer email addresses and names.

  • You must have a lawful basis for processing personal data — consent, contract, and legitimate interest are the most common.
  • Tell people what data you collect and why in a Privacy Policy — this must be accessible on your website.
  • Don't collect more data than you need, and don't keep it longer than necessary.
  • Secure the personal data you hold — this overlaps directly with Cyber Essentials controls.
  • Most small businesses processing only standard personal data do not need to register with the ICO — but check using the ICO's self-assessment tool.

Data breach obligations

If personal data is lost, stolen, or accidentally exposed, you may have legal obligations to report it. Acting quickly reduces both the harm to individuals and the regulatory risk to your business.

  • You must report a personal data breach to the ICO within 72 hours of becoming aware of it — if it poses a risk to individuals.
  • You may also need to notify the individuals affected if the breach poses a high risk to them.
  • Not all breaches need to be reported — a locked device with no personal data, for example, probably doesn't.
  • Keep a record of all data breaches, even those you decide not to report — the ICO may ask to see it.
  • Contact the ICO for guidance at ico.org.uk if you're unsure whether a breach requires reporting.

What records to keep

GDPR requires you to maintain a record of your data processing activities. For small businesses, this doesn't have to be complex — a simple spreadsheet is sufficient.

  • Record what personal data you hold, where it came from, who you share it with, and how long you keep it.
  • Document your lawful basis for processing each type of data.
  • Keep records of consent where that's your lawful basis.
  • Record data breaches, including those you decide not to report.
  • Keep records of your data protection decisions — demonstrating accountability is a core GDPR requirement.

Getting Cyber Essentials certified

Certification is more straightforward than it sounds. Most small businesses can complete the self-assessment in a few hours if the basic controls are already in place.

  • Start by reviewing the Cyber Essentials requirements on ncsc.gov.uk — the official guidance is clear and detailed.
  • Our platform's security checklist maps directly to the five Cyber Essentials controls — completing it puts you on a strong footing.
  • Choose a certification body from the NCSC's list of approved assessors.
  • Complete the online self-assessment questionnaire — it typically covers firewalls, patch management, access control, malware protection, and secure configuration.
  • Once certified, you can display the Cyber Essentials badge — it demonstrates your security posture to customers and partners.