Data protection · Thames Valley

GDPR Solicitor for SMEs in the Thames Valley

UK GDPR compliance for an SME isn't about producing a 60-page policy no one reads. It's about a small number of practical decisions: what data you hold, who you share it with, what you tell customers, and what you do when something goes wrong. Get those right and the rest is paperwork.

Who this is for

SMEs across the Thames Valley — Reading, Slough, Maidenhead, Bracknell, Wokingham and the surrounding M4 corridor. Particularly relevant where customer or enterprise procurement is starting to demand a credible data position.

Thames Valley SMEs typically hit GDPR seriously for the first time when a large customer's procurement team asks for a DPA, a security questionnaire and a sub-processor list. The right preparation makes that interaction routine; the wrong preparation makes it a deal-blocker.

Scenarios we handle

Common matters on this page.

Focused data audit

A short, practical audit of what personal data the business actually holds, who has access to it, and where the live gaps are. No 60-page report — just the prioritised list.

Relevant: UK GDPR · Data Protection Act 2018

Customer-facing DPA pack

A standard data-processing agreement, sub-processor list and security exhibit that the business can defend in front of enterprise procurement without rewriting it for every customer.

Breach response

A live or suspected breach — we work through the assessment, the 72-hour notification call, the customer communications and the remediation record.

International transfer position

A clean position on UK and EU international data transfers (UK IDTA, EU SCCs, transfer impact assessments) that actually matches the sub-processor stack.

Legal risks & how we manage them

What can go wrong — and how we contain it.

  • Customer DPAs that quietly accept processor obligations the business operationally can't meet.

    We align the DPA with your real security and sub-processor reality — and push back on the impossible asks.

  • Sub-processor changes that breach existing customer DPAs without anyone noticing.

    We put a lightweight sub-processor governance process in place that fits how the business actually runs.

  • Late or under-scoped breach notifications that turn a recoverable incident into a regulatory matter.

    A short, agreed breach playbook — one page, not twenty — that the team can actually follow at 2am.

Relevant law

Legislation that shapes this work.

UK GDPR
The primary UK data-protection regime, governing processing, consent, transfers, breach notification and accountability.

Data Protection Act 2018
Supplements UK GDPR with UK-specific provisions on law enforcement, intelligence services, age of consent and exemptions.

Privacy and Electronic Communications Regulations 2003
Governs cookies, electronic marketing and direct marketing rules — the source of most ICO enforcement against SMEs.

FAQs

Questions we get asked.

Do we need a DPO?
Most Thames Valley SMEs don't strictly need a statutory DPO under Article 37. A named accountable person and a clear governance structure are usually proportionate and defensible.

A customer is asking for a SOC 2 report — is that a GDPR question?
Not directly, but it sits in the same conversation. We can help you build a credible response that addresses what the customer actually needs, without committing to a full SOC 2 audit if it isn't proportionate.

We've had a possible breach — what's the first call we should make?
Us, before the 72-hour clock matters. Most cases resolve without ICO notification once properly assessed, but the assessment has to happen quickly and on the right facts.

Speak to a GDPR solicitor for Thames Valley SMEs.

Speak to Radcliffe Enterprise Law for clear, commercial legal advice — by phone, video or in person.