GDPR Compliance: Where IT Ends, Policy Begins… and Businesses Get Caught Out
When most small and mid-sized businesses think about GDPR compliance, they immediately think of IT.
Firewalls. Encryption. Backups. Microsoft 365 security.
And yes — those things matter.
But here’s the uncomfortable truth:
Most GDPR failures don’t happen because of missing technology.
They happen because of missing policy, poor governance, and lack of evidence.
The Two Halves of GDPR (That Rarely Meet)
GDPR compliance lives in two distinct worlds:
1. IT Controls (what your IT provider typically handles, or at least should)
- Device encryption (BitLocker, FileVault)
- Secure email and phishing protection
- Access control and MFA
- Backup and disaster recovery
- Patch management and vulnerability reduction
These are essential. They reduce risk.
But on their own, they are not compliance.
2. Organisational Measures (Where most businesses fall short)
- Data protection policies
- Acceptable use policies
- Incident response procedures
- Staff training and awareness
- Data retention and classification rules
- Supplier and processor agreements
These are what prove you are managing data protection — not just hoping technology covers it.
And this is where regulators focus.
The Overlooked Gap: “Show Me the Evidence”
In the event of a breach, the key question isn’t:
“Did you have good IT?”
It’s:
“Can you prove you were managing risk appropriately?”
This is where many businesses struggle.
Because evidence of management is rarely structured or maintained.
What Evidence Actually Looks Like in Practice
If the worst happens — a lost laptop, compromised mailbox, or data leak — you need to demonstrate accountability.
That evidence might include:
- A documented risk assessment identifying the threat
- A decision log showing why certain controls were chosen
- Records of patching, updates, and monitoring
- Staff training logs (who was trained, when, and on what)
- Incident response procedures that were followed
- Audit trails (e.g. login logs, access records)
- Proof of encryption and device compliance
- Supplier due diligence records
This is what separates:
- A well-managed incident, from
- A reportable compliance failure
When You Don’t Need to Report to the ICO
Not every breach needs to be reported.
Under UK GDPR, you only need to notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms.
This is where strong IT and strong governance work together.
You may NOT need to report if:
- The lost device was fully encrypted
- Access was protected by strong authentication
- Data was backed up and recoverable
- You can evidence that the data was not accessed
- You can demonstrate appropriate controls were in place
In simple terms:
If the data is unintelligible or adequately protected, the risk is low.
And if the risk is low, reporting may not be required.
When You DO Need to Report
You are likely to need to notify the ICO within 72 hours if:
- Personal data is exposed in plain text
- Accounts are compromised without MFA
- Sensitive data (financial, health, ID documents) is involved
- There is potential for fraud, identity theft, or harm
- You cannot demonstrate control over the situation
And critically:
If you cannot evidence your controls — the assumption is they weren’t there.
The Real Risk: Silence Equals Negligence
Many businesses believe:
“We’ve got IT support, so we’re covered.”
But regulators don’t assess who your IT provider is.
They assess:
- What risks were identified
- What decisions were made
- What controls were implemented
- What evidence exists
No documentation = no defence.
Bridging the Gap: IT + Governance
This is where modern IT providers need to evolve.
It’s no longer enough to “look after the tech.”
Businesses need:
- A joined-up approach between IT and policy
- A clear compliance roadmap
- Ongoing risk reviews and documentation
- Someone accountable for interpreting risk at board level
This is the difference between:
- “We installed security tools”
and
- “We manage risk and can prove it”
Final Thought
GDPR isn’t about perfection.
It’s about accountability.
If something goes wrong, the question is simple:
Can you demonstrate that you took appropriate steps to protect the data?
If the answer is yes — with evidence — you’re in a strong position.
If the answer is “we think so” — you’re exposed.
Call to Action
If you’re not sure whether your business could evidence its GDPR compliance in the event of a breach, that’s the real risk.
Start by understanding where your gaps are — not just in IT, but in governance.
Because when your tech goes awry…
it’s your evidence that protects you.