How to spot the gaps before they turn into headaches

Since the UK formally separated from EU data laws, we’ve seen a lot change, but a lot has also stayed the same. With the new Data (Use and Access) Act now in force, small business owners are right to ask: “Is our GDPR still up to scratch… or are we running on a version from 2018?”

Here’s how to check — and what to do if you spot gaps.

🔍 1. Your Privacy Notice Still Mentions the EU GDPR

If your website talks about “GDPR (EU) 2016/679” but doesn’t mention UK GDPR or the Data (Use and Access) Act, it’s time for a refresh.
✅ Action: Update your privacy notice with the correct legal framework and lawful basis.

🔐 2. You’re Collecting Data… But Unsure Why

You might be capturing emails, forms, cookies, or call data, but can you clearly explain why and under what lawful basis?
✅ Action: Map out your data flows and match them to one of the six lawful bases under UK GDPR.

🧾 3. You’ve Never Reviewed Your Data Processing Agreements

Many SMEs still rely on generic contracts. But if you’re working with freelancers, agencies, or cloud tools (like CRMs or AI apps), you need solid Data Processing Agreements in place.
✅ Action: Review your contracts and plug any gaps, especially if AI tools are involved.

📥 4. You’ve Never Had a DSAR… And Would Panic If You Did

The new Act provides greater clarity around “vexatious” requests, but DSARs remain essential. If you don’t have a clear procedure, even one email from a customer can throw your whole system into chaos.
✅ Action: Create (or review) your DSAR procedure and train your team.

🧩 5. Your Team Isn’t Fully on Board

Policies are great — but if they live in a forgotten folder, they won’t protect your business. Everyone on your team should know:

  • How to handle personal data
  • What to do in a data breach
  • Who to speak to when in doubt

✅ Action: Include data protection in onboarding, regular check-ins, and team training.

🧭 Need a sanity check?

If you’re not sure where your gaps are — or what counts as “good enough” these days — you’re not alone. I help small businesses create calm, realistic data protection plans that don’t rely on jargon or fear.

📩 Message me for a jargon-free GDPR health check, or book a free clarity call to get started.

Updated July 2025 to reflect the new Data (Use and Access) Act and current UK GDPR guidance.
