Frequently Asked Questions

UK GDPR (General Data Protection Regulation) is the UK's data protection law, which came into effect after Brexit. It applies to any organisation that processes personal data about UK residents — regardless of size.

If you hold customer details, employee records, or marketing lists, UK GDPR applies to you. There is no minimum size threshold — sole traders and micro-businesses are just as obligated as large corporations.

Under UK GDPR, you must have a valid lawful basis every time you process personal data. The six bases are:

• Consent — The person has given clear, specific consent. Must be freely given and easy to withdraw.
• Contract — Processing is necessary to fulfil a contract with the person (e.g. processing payment details).
• Legal obligation — You're required by law to process the data (e.g. payroll records for HMRC).
• Vital interests — Necessary to protect someone's life in an emergency situation.
• Public task — Processing is necessary for a task in the public interest (mainly applies to public bodies).
• Legitimate interests — You have a genuine business reason that isn't overridden by the individual's rights.

A Record of Processing Activities (ROPA) is a written record of all the ways your business handles personal data. Under UK GDPR Article 30, most organisations are required to maintain one.

It must include: what data you hold, why you hold it, where it's stored, how long you keep it, and the lawful basis for processing it.

Small organisations with fewer than 250 employees are technically exempt unless their processing is likely to result in a risk to individuals, is not occasional, or includes special category data. In practice, the ICO recommends all businesses maintain a ROPA regardless of size.

Special category data is personal data that carries higher risk and requires extra protection under UK GDPR. It includes:

• Health and medical information
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data and biometric data
• Sex life or sexual orientation

Processing special category data requires a stricter lawful basis (explicit consent or one of the specific conditions in Article 9) and stronger security measures.

Most organisations that process personal data must pay the ICO's annual data protection fee. The fee is currently:

• Tier 1 — £40/year (small organisations, up to 10 staff or up to £632,000 turnover)
• Tier 2 — £60/year (medium organisations)
• Tier 3 — £2,900/year (large organisations)

Some organisations are exempt — including charities, small occupational pension schemes, and those who only process data for personal, family or household purposes.

The ICO has two tiers of fines under UK GDPR:

• Up to £8.7 million or 2% of global turnover — for less serious infringements
• Up to £17.5 million or 4% of global turnover — for the most serious breaches

In practice, fines for small businesses are much lower — typically £1,000 to £100,000. However the ICO also issues enforcement notices, warnings, and reprimands which can damage your reputation even without a monetary fine.

ICO investigations are most commonly triggered by:

• Customer complaints — the most common trigger. An unhappy customer reports you.
• Data breach notifications — you report a breach and the ICO investigates further.
• Media reports — a data incident becomes public news.
• Sector sweeps — the ICO proactively audits specific industries.
• Whistleblowers — an employee or partner reports a concern.

The best defence is being able to demonstrate active, documented compliance. Datavacy gives you that audit trail.

No. Your Datavacy compliance score is an internal measure of how much of your GDPR groundwork is documented. It is not an official ICO rating or certification.

A high Datavacy score means you have the records and processes the ICO looks for during an investigation. It significantly strengthens your position — but it does not guarantee immunity from enforcement.

Most businesses are fully set up within 30–60 minutes. Here's a typical first session:

• Minutes 1–5: Sign up and complete the onboarding wizard
• Minutes 5–20: Add your data register entries (or import from a spreadsheet)
• Minutes 20–35: Log your consent records
• Minutes 35–45: Review your compliance score and download your first report

None at all. Datavacy was built specifically for business owners who are not lawyers or IT professionals. Everything is written in plain English with clear explanations of why each step matters.

If you can use online banking or send an email, you can use Datavacy. And if you get stuck, email hello@datavacy.co.uk — Our team responds.

Yes — Datavacy's Bulk Import feature accepts CSV files for both your Data Register and Consent Records. You don't need to reformat your existing spreadsheet.

Go to the Import page in your dashboard, upload your CSV file, and Datavacy handles the rest.

Datavacy helps you manage and document your GDPR obligations — it does not replace legal advice. For most small businesses, completing your data register, logging consents, and tracking SARs covers the vast majority of what the ICO looks for.

For more complex situations — such as processing special category data at scale, cross-border data transfers, or running a high-risk AI system — we recommend consulting a qualified data protection solicitor.

Datavacy runs automated checks every day at 9am and sends email alerts when action is needed:

• SAR deadline approaching — 7 days or less remaining
• Consent records expiring — 30 days or less until expiry
• Trial ending — 7 days before your trial ends
• Trial ending — 3 days before your trial ends
• Trial expired — on the day your trial ends

All alerts come from alerts@datavacy.co.uk. Add this address to your contacts to ensure they don't land in spam.

Add an entry for every type of personal data your business holds. Common examples include:

• Customer names and contact details
• Email marketing lists
• Payment and financial information
• Employee and contractor records
• Health or medical information (if applicable)
• CCTV footage
• Website analytics data
• Supplier and partner contact details

For each entry, record what the data is, why you hold it, where it's stored, how long you keep it, and your lawful basis for processing it.

UK GDPR requires you to keep data only as long as necessary for the purpose it was collected. Common retention periods include:

• Financial records — 7 years (HMRC requirement)
• Employee records — 6 years after employment ends
• CCTV footage — maximum 31 days (ICO guidance)
• Marketing email lists — as long as consent remains valid
• Customer contracts — 6 years after contract ends
• Job applications (unsuccessful) — 6 months
• Health and medical data — varies by sector, typically 8–10 years

A Subject Access Request (SAR) is when an individual asks what personal data you hold about them. Under UK GDPR you have 30 days to respond — free of charge.

Your response must include:

• Confirmation of whether you hold data about them
• A copy of all personal data you hold about them
• Why you hold it and the lawful basis
• Who you share it with
• How long you intend to keep it

In most cases, no. However you can refuse or limit a SAR if it is:

• Manifestly unfounded — clearly made in bad faith with no genuine purpose
• Manifestly excessive — repetitive requests with no reasonable justification

If you refuse, you must tell the requester why within one month and inform them of their right to complain to the ICO. Refusing without valid grounds is itself a breach.

You can also withhold third party information included in a response if disclosure would affect the privacy of others.

A data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes:

• Sending an email with personal data to the wrong person
• A laptop or phone containing personal data being lost or stolen
• A cyberattack, ransomware or hacking incident
• A staff member accessing data they shouldn't
• Personal data accidentally published online
• Paper records containing personal data being lost

You must report a breach to the ICO within 72 hours of becoming aware of it — if the breach is likely to result in a risk to individuals' rights and freedoms.

Not all breaches need to be reported. You don't need to report if the breach is unlikely to result in any risk — for example, if an encrypted laptop is lost but the data cannot be accessed.

If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly without undue delay.

Your first month is completely free — no credit card required. You get full access to all features during the trial period.

You'll receive email reminders at 7 days and 3 days before your trial ends. When the trial expires, you'll be prompted to choose a plan. We never auto-charge without your explicit consent.

Yes. No contracts, no lock-in periods. You can cancel your subscription at any time from your account settings.

When you cancel, your access continues until the end of your current billing period. After that, your account enters a 30-day data retention period during which you can export your records before they are deleted.

Starter (£19/mo) — Core compliance tools for sole traders and very small businesses. Includes Data Register, Consent Tracker, SAR Management, Compliance Score and Email Alerts.

Growth (£39/mo) — Everything in Starter plus Breach Log, Bulk CSV Import, Compliance Reports, Priority Support and up to 5,000 data subjects. Best for small businesses with staff.

Pro (£79/mo) — Everything in Growth plus multi-regulation coverage, unlimited data subjects, API access, Staff Training & Certificates, and the full Compliance Health Score. Best for agencies and multi-site businesses.

Yes. We offer a full refund within 14 days of your first payment if you're not satisfied. After 14 days, refunds are handled on a case-by-case basis.

Email hello@datavacy.co.uk to request a refund — Our team handles all requests personally and will always try to find a fair solution.

Yes. Datavacy uses industry-standard security practices:

• Encrypted database — All data stored in PostgreSQL with encryption at rest
• HTTPS everywhere — All connections encrypted in transit via TLS
• Secure authentication — Powered by Clerk, a dedicated security-focused auth provider
• EU hosting — Data stored in European data centres
• No data selling — We never share or sell your data to third parties

Your data remains accessible for 30 days after cancellation. During this period you can download your compliance reports and export your records.

After 30 days, your data is permanently deleted from our systems in accordance with our retention policy and UK GDPR Article 17 (right to erasure).

If you need a data export before deletion, email hello@datavacy.co.uk and we'll provide it within 48 hours.

You remain the data controller for all personal data you enter into Datavacy. You decide what data to enter, why, and for how long.

Datavacy acts as a data processor on your behalf — processing the data only as instructed by you and in accordance with our Data Processing Agreement (available on request).

Yes. Under UK GDPR Article 28, if you use Datavacy to process personal data on behalf of your clients, you may need a Data Processing Agreement between you and Datavacy.

Email hello@datavacy.co.uk to request a DPA. We aim to provide it within 2 business days.