Product Roadmap

Planned features and upcoming improvements to the platform

UK GDPR Compliance Roadmap

A clear, regulator-aligned roadmap to UK GDPR compliance, written the way the Information Commissioner's Office expects organisations to implement and evidence compliance.

Works for startups, SMEs, and enterprises and maps directly to UK GDPR Articles, controller obligations, required documentation, processes, evidence, and penalties.

Phase 1 — Scope & Accountability

Weeks 0–2

Objective

Establish ownership and determine whether UK GDPR applies.

Key Actions

  • Confirm territorial and material scope (Art. 2–3)
  • Identify your role: Controller / Processor / Joint Controller
  • Appoint a Data Protection Officer (DPO) if required (Art. 37–39)
  • Define internal governance and reporting lines

Required Outputs

  • Data Protection Policy
  • DPO appointment record (if applicable)
  • Governance & accountability framework

ICO Evidence Test

"Who is responsible for data protection and how do they report to senior management?"

Phase 2 — Data Mapping & Lawful Basis

Weeks 2–4

Objective

Understand what data you process and why.

Key Actions

  • Create and maintain Records of Processing Activities (RoPA) (Art. 30)
  • Identify:
      • Personal data categories
      • Data subjects
      • Lawful bases (Art. 6 / Art. 9)
      • Retention periods
  • Identify processors and international transfers

Required Outputs

  • Article 30 RoPA
  • Lawful basis assessment
  • Data flow maps

ICO Evidence Test

"Show me where personal data is processed and the lawful basis for each activity."

Phase 3 — Risk Management & Privacy by Design

Weeks 4–6

Objective

Reduce risk before harm occurs.

Key Actions

  • Implement Data Protection by Design & Default (Art. 25)
  • Conduct DPIAs for high-risk processing (Art. 35)
  • Integrate privacy checks into product, IT, and change management

Required Outputs

  • DPIA reports with mitigation decisions
  • Privacy by design checklists
  • Risk register

ICO Evidence Test

"What was the last DPIA you carried out and what risks were accepted?"

Phase 4 — Security & Breach Preparedness

Weeks 6–8

Objective

Protect data and respond quickly to incidents.

Key Actions

  • Implement technical and organisational measures (TOMs) (Art. 32)
  • Encrypt data at rest and in transit
  • Establish a breach response process (Art. 33–34)
  • Test incident response annually

Required Outputs

  • Information security policy
  • Incident response plan
  • Breach register
  • Encryption and access-control evidence

ICO Evidence Test

"What happens in the first 24 hours after a data breach?"

Phase 5 — Individual Rights Management

Weeks 8–10

Objective

Make rights real, not theoretical.

Key Actions

  • Implement workflows for:
      • Access, rectification, erasure, objection, portability (Art. 15–22)
  • Ensure responses within 30 days
  • Log all requests and outcomes

Required Outputs

  • Data Subject Rights Policy
  • DSAR logs
  • Response templates

ICO Evidence Test

"How do individuals submit requests and how do you track deadlines?"

Phase 6 — Vendor & International Transfer Controls

Weeks 10–12

Objective

Control third-party and cross-border risk.

Key Actions

  • Put UK GDPR-compliant DPAs in place (Art. 28)
  • Perform vendor due diligence and periodic reviews
  • Use IDTA or UK SCC Addendum for international transfers (Art. 44–49)
  • Complete Transfer Risk Assessments (TRAs)

Required Outputs

  • DPA register
  • Vendor risk assessments
  • TRA documentation
  • Transfer register

ICO Evidence Test

"Which processors handle personal data and how do you oversee them?"

Phase 7 — Evidence, Review & Continuous Compliance

Ongoing

Objective

Stay compliant and inspection-ready.

Key Actions

  • Maintain audit-ready evidence packs
  • Review policies annually
  • Refresh training at least yearly
  • Update RoPA and DPIAs on change

Required Outputs

  • Training logs
  • RoPA exports
  • DPIAs
  • Rights logs
  • Breach records
  • Policy revision logs

ICO Evidence Test

"Can you export your compliance evidence today?"

Penalty Awareness (Why the Roadmap Matters)

Failure to follow this roadmap exposes organisations to:

  • Up to £8.7m or 2% of global turnover (lower-tier breaches)
  • Up to £17.5m or 4% of global turnover (core principle or rights breaches)
  • Criminal liability under the Data Protection Act 2018 in serious cases

How to Use This Roadmap

You can:

  • Turn each phase into an internal project plan
  • Use it as an ICO inspection checklist
  • Map it directly to SOC 2 / ISO 27001 controls
  • Automate it in a compliance tool or AI assistant