
A customer runs a data-processing review before they sign. They want to know where personal data sits, which suppliers touch it, who the named contact is for a breach, and whether you can show a Record of Processing Activities. The product is approved and the price is agreed. The data-protection answers are what hold the contract in legal review.
This guide covers the practical route to a defensible GDPR position for UK and EU sales: the artefacts to produce, the order to build them, and the points where teams lose weeks. For what GDPR is, who it covers, and how a clean position opens the European market, read the GDPR framework spoke ``.
A UK company selling into Europe is usually subject to two regimes at once. UK GDPR sits with the Data Protection Act 2018 and is enforced by the ICO. EU GDPR reaches you through Article 3(2) when you offer goods or services to people in the EEA, enforced by member-state authorities. A defensible posture rests on a set of documented artefacts.
The regulation is long. The build order is not complicated once you take it in sequence, because each stage feeds the next.
1. Map your processing and build the ROPA (Article 30). The Record of Processing Activities is the foundation every other document reads from. List what personal data you hold, why, where it lives, who you share it with, and how long you keep it. The ICO publishes templates. Article 30(5) narrows the requirement for organisations under 250 staff, but the ICO's position is that most still need one, and buyers ask for it regardless.
2. Set a lawful basis for each purpose (Article 6). One basis per purpose, written down. A B2B SaaS company typically relies on contract, legitimate interests, and consent, with consent mandatory for most electronic marketing under PECR. Weak mapping here is the most common gap in a review: purposes lumped together, legitimate interests asserted with no balancing test, or consent that would not stand up. The Data (Use and Access) Act 2025 adds "recognised legitimate interests" as a basis for five defined categories that need no balancing test.
3. Publish privacy notices (Articles 13 and 14). Missing or stale notices are the easiest failure for a buyer's legal team to spot, because they can check them from your website in minutes. Make sure the notice matches what the ROPA says you actually do.
4. Put Data Processing Agreements in place (Article 28). Every processor needs an agreement carrying the eight Article 28 obligations. So does every sub-processor, one layer below where teams usually look. Missing sub-processor terms are a frequent finding, and a new tool adopted by one team without a DPA is how the gap opens.
5. Run DPIAs where processing is high-risk (Article 35). A Data Protection Impact Assessment is mandatory for large-scale special-category data, systematic monitoring, or new technology applied to personal data. Use the ICO screening criteria to decide, then document the assessment and the mitigations.
6. Fix your international transfers with a mechanism and a Transfer Impact Assessment. Any personal data leaving the UK or EEA to a country without an adequacy decision needs a transfer tool and a supporting assessment. UK exports use the ICO's International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. EU exports use the EU SCCs. The Transfer Impact Assessment is the supplementary-measures analysis that follows the Schrems II ruling and EDPB guidance: you check that the data still receives essentially equivalent protection at the other end. A US cloud service with no mechanism and no assessment is one of the clearest gaps a reviewer finds.
7. Appoint an EU representative where you need one (Article 27). No EU establishment and you target people in the EU means you appoint a representative inside the EU. This duty is independent of adequacy. The UK's adequacy status eases data flow from the EEA, but it does not remove the Article 27 obligation, and buyers who assume otherwise are often wrong. The duty mirrors: an EU seller with no UK establishment needs a UK representative.
8. Build the breach process before you need it (Articles 33 and 34). You have 72 hours from becoming aware of a breach to notify the supervisory authority where there is a risk to people's rights, and you must tell affected individuals where the risk is high. Write the runbook now: detection, assessment, decision, notification, and record, with a named person who owns it. A process invented during an incident misses the clock.
Most of this is evidence a growing company should hold anyway. Once it exists, it answers most of an incoming security and data-protection questionnaire in a single pass, which is where the commercial payoff sits.
The initial build, covering the ROPA, lawful bases, notices, core DPAs, first DPIAs, and the transfer position, is weeks to a few months of focused effort for a typical SME. There is no completion certificate at the end. GDPR is a continuing legal duty with recurring review cycles.
Timing matters right now because the regime is moving. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and amends the Data Protection Act 2018, rather than creating new UK GDPR Articles. Its core data-protection provisions commenced on 5 February 2026, and a new statutory complaints-handling duty follows on 19 June 2026. It also raised the maximum PECR fine to UK GDPR levels of up to £17.5m or 4% of global annual turnover. A posture built in 2024 and left alone is already behind.
The recurring blockers are consistent across reviews. No ROPA, or one that no longer matches how the business runs. Lawful-basis mapping that asserts legitimate interests with no balancing test or relies on invalid consent. Sub-processor agreements that were never collected. Transfers to a US service with no IDTA, Addendum, or SCCs, and no assessment behind them. No EU representative where one is required. Vendor DPAs that lapsed on renewal or were never gathered for newly adopted tools. A breach process that exists on paper but has never been tested against the 72-hour clock. Treating the Data (Use and Access) Act as either finished business or a reason to rebuild from scratch, when it amends the existing regime and adds a dated complaints duty.
GDPR is pre-mapped in Naq as an ongoing-duty framework inside one connected system, so the artefacts above are tracked and reviewed rather than rediscovered each year. Evidence you have already proven for ISO 27001, the NHS DSPT, or DTAC is reused into GDPR, which compresses the work because you build on what you hold. See the ISO 27001 , NHS DSPT, and NHS DTAC `` how-to guides for the same reuse in the other direction.
In-house virtual Data Protection Officers cover the controller-level judgement that software cannot make: lawful-basis calls, DPIA sign-off, and breach assessment. The Vendors module flags where a processor has no Data Processing Agreement recorded, so the gap surfaces on your side before a customer's review does. The Documents module runs draft-to-approved versioning with enforced review dates and an immutable activity stream, so notices and assessments do not quietly go stale. The AI assistant is read-only: it summarises and checks evidence on demand and never edits the record.
Naq operates as Naq Cyber UK Ltd in London and Naq Cyber B.V. in Amsterdam. That UK and EU footprint is a presence signal for NHS, public-sector, and EU buyers weighing where their data sits. It does not by itself guarantee formal data residency.
No. Adequacy eases the flow of personal data from the EEA to the UK, but the Article 27 duty is separate. If you have no EU establishment and you offer goods or services to people in the EU, or monitor their behaviour, you still need to appoint an EU representative. The two obligations are independent.
No. It received Royal Assent on 19 June 2025 and updates the existing regime through amendments to the Data Protection Act 2018, without adding new UK GDPR Articles. Core provisions commenced on 5 February 2026, with a complaints-handling duty from 19 June 2026. The core data-protection obligations remain in place.
If you send personal data to a country without an adequacy decision, yes. You need a transfer mechanism, the UK IDTA or Addendum for UK exports or the EU SCCs for EU exports, plus a Transfer Impact Assessment. The assessment checks that the data still receives essentially equivalent protection at the destination.
Every processor that handles personal data on your behalf, and every sub-processor beneath them, needs an Article 28 agreement carrying the eight required obligations. Missing sub-processor terms are a frequent review finding because they sit one layer below where teams usually check. Track them as vendors change.