Information Security Management
GDPR Toolkit for SMEs
A complete set of EU/UK GDPR guides and templates to help you keep it simple.
If you handle personal data about people in the UK or EU, GDPR applies to you in practice. This toolkit helps you implement it in a way that’s proportionate, evidence-led, and realistic for SMEs.
My GDPR Toolkit is tailored for small- to medium-sized businesses to help you tame that daunting monster.
Take control and be confident you have met the regulation, rather than trying to ignore it and hoping you won’t have a data breach that costs your organisation reputationally and financially.
Instant download • Word/Excel formats • Used by SMEs

Why I Created This Toolkit
I built this because GDPR often fails for two reasons: people don’t know where to start, and they overcomplicate it.
This toolkit gives you clear guidance, a choose-your-path implementation plan, and the templates you need to evidence what you’re doing, without turning it into a never-ending project.
This toolkit is my answer to that problem.
It helps you:
- Understand GDPR and how it applies to your organisation, using the GDPR Fundamentals Guide.
- Implement GDPR simply, quickly, and effectively with my practical Implementation Guide and choose-your-path structure, so you can focus on the activities that matter to you.
- Save time, effort, and disruption with my ready-to-use templates that put control around your GDPR work (including privacy notices, DPIA and legitimate interests assessments, a ROPA, DSAR handling, retention, breach response, and supplier checks).
It’s the toolkit I wish I’d had when I first started out.

Used by SMEs who need to implement GDPR rapidly and correctly.
Who it’s for
This is for you if:
- You’re an SME that handles personal data and wants a practical way to get GDPR under control.
- GDPR sits with you (IT, ops, HR, marketing, founder) alongside your day job.
- You want clarity on what to do, in what order, without the fluff.
- You need templates and evidence you can actually use.
- You work with suppliers/SaaS, staff data, customer data, or marketing lists.
- You want simple governance guardrails, without turning GDPR into a project that never ends.
You don’t need to be a lawyer or a DPO. The language is plain and the steps are straightforward.
If you’re a consultant using this with clients, you’ll need a consultant licence (not a single-organisation licence). Please contact me.
What you’ll be able to do with it
With the GDPR Toolkit you can:
- Understand what GDPR actually requires (and what doesn’t) using the introduction guide.
- Follow a step-by-step implementation path that fits your organisation, not a generic checklist.
- Produce the key documents and evidence you need (not just “good intentions”).
- Build a realistic plan with clear actions, owners, and priorities.
- Run GDPR like a manageable project with a clear map, less chaos, and fewer gaps.
- Handle common real-world situations confidently: data requests, supplier due diligence, retention decisions, and incident/breach response.
GDPR isn’t just about documents, it’s about being able to show what you’ve decided and why (accountability).
What’s Inside the Toolkit
GDPR Fundamentals Guide (Introduction)
A plain-English overview of GDPR, designed to help you understand what the law expects and what “good” looks like in real organisations. It covers the core principles, lawful bases, data subject rights, controller/processor responsibilities, and the practical nuts-and-bolts like cookie compliance, retention, DSARs and breach handling.
The GDPR Fundamentals Guide also flags higher-risk areas (such as DPIAs, children’s data, and complex international transfers) so you know when to pause, escalate, or treat something as a later-phase work item.
GDPR Implementation Guide (SME Route Map)
A practical, step-by-step guide designed to get you to a defensible GDPR baseline quickly, using a “Minimal Viable Compliance” approach.
The GDPR Implementation Guide provides a clear roadmap (so you only do what’s relevant), a Day 1 plan for core essentials, and optional modules for areas such as marketing/cookies, higher-risk processing (DPIAs), and international transfers. It also walks you through an 8-stage delivery process, with clear outputs at each step and direct pointers to the templates in the toolkit.
Templates and Working Documents
The toolkit templates are organised into three packs, so you only create paperwork that’s relevant to you.
Core (MVC Pack): the “minimum viable compliance” set that gets you to a solid, defensible baseline. It covers governance and scope, a gap and action plan, data flow mapping, your Article 30 ROPA, a modular privacy notice, a full DSAR procedure plus request log, training logs and a ready-to-deliver staff training deck, a security baseline checklist, supplier/processor register and DPA template, and an incident/breach plan with supporting flowcharts and logs.
Conditional (Triggered Pack): only used if you need it. Includes a consent tracker, DPIA template and register, international transfer inventory plus transfer mechanism checklist and TIA template, and practical checklists for PECR/direct marketing and cookies/tracking.
Boost (Enhancement Pack): for stronger maturity and clearer evidence over time. Includes a lawful basis register, legitimate interests assessment template, SME-friendly information security policy, regulatory updates log, and a data retention schedule template.

GDPR Toolkit Contents
| Document | Purpose |
| --- | --- |
| Guide: GDPR Fundamentals | An introduction and overview of GDPR concepts, roles, principles, and what “good” looks like for SMEs. |
| Guide: GDPR Implementation Guide | Step-by-step route map to implement your toolkit, focusing on Minimal Viable Compliance first, then optional add-ons. This is your primary guide to implementing GDPR. |
| GDPR Governance & Scope Record | Capture governance basics: scope, accountability, ownership, key decisions, and how GDPR is managed. |
| GDPR Gap & Action Plan Workbook | Record current gaps and track actions, owners, priorities, and progress to completion. |
| Data Flow Map Example | Worked example to show what a completed data flow map can look like. |
| GDPR Data Flow Map | Map how personal data moves through your organisation (systems, sources, recipients, transfers). |
| GDPR ROPA Master (Processing Register) | Maintain the Article 30 Record of Processing Activities (ROPA) in a structured register. |
| GDPR Privacy Notice (Modular Terms) | Create/update an external privacy notice using modular clauses for common processing scenarios. |
| Data Subject Rights Procedure | Define how you handle data subject rights requests (DSARs) end-to-end, consistently and on time. |
| Data Subject Rights Procedure Flow | Visual flow to help staff follow the DSAR process and decision points. |
| Data Subject Request Log | Log DSARs (dates, identity checks, scope, deadlines, outcomes, exemptions, responses). |
| Training & Awareness Log | Track GDPR training, briefings, and awareness activities (who/when/what). |
| Security Baseline Checklist & Action Log | Baseline security checklist and action tracker for minimum appropriate safeguards for personal data. |
| Supplier & Processor Register | Register suppliers/processors, due diligence checks, contract status, and risk notes. |
| Data Processing Agreement (DPA) Template | Template clauses for controller–processor arrangements (and common GDPR contract requirements). |
| Incident & Breach Response Plan | Define roles, steps, timelines, and reporting approach for personal data incidents/breaches. |
| Incident & Breach Response Plan Procedure Flow | Visual flow showing the incident triage and breach decision/reporting pathway. |
| Incident & Breach Log | Log incidents, assessments, decisions, containment, notifications, and lessons learned. |
| Documentation & Change Index | Index all toolkit docs used by the organisation and track versions/changes over time. |
| Basic Staff Training Guide | Ready-to-deliver GDPR staff awareness training deck (core do’s/don’ts and practical guidance). |
| Consent Record Tracker | Track where consent is used, evidence captured, withdrawal handling, and refresh requirements. |
| DPIA Template | Run a Data Protection Impact Assessment when processing is likely to be high risk. |
| DPIA Register | Log DPIAs, outcomes, actions, and review dates in a central register. |
| International Transfer Inventory | Identify and record international transfers (data flows, recipients, and context). |
| Transfer Mechanism Checklist | Check/record which transfer mechanism applies (SCCs, adequacy, derogations, etc.). |
| Transfer Impact Assessment (TIA) Template | Assess transfer risks and safeguards when using SCCs/other mechanisms (as needed). |
| PECR & Direct Marketing Checklist | Assess and record compliance for email/SMS marketing, privacy rules, opt-in/opt-out, etc. |
| Cookie & Tracking Checklist | Document cookie/tracking use, consent needs, categories, and required notices/settings. |
| Lawful Basis Register | Record lawful bases per processing activity (and link to notices/ROPA where relevant). |
| Legitimate Interests Assessment (LIA) Template | Document the legitimate interests test (purpose, necessity, balancing) where you rely on it. |
| Information Security Policy | Provide a stand-alone information security policy aligned to protecting personal data (SME-friendly). |
| Regulatory Updates Log | Track regulatory changes, ICO guidance updates, and what you changed internally as a result. |
| Data Retention Schedule Template | Define retention periods, justification, and disposal methods by record/data type. |
All templates are supplied in Microsoft Word, Excel and PowerPoint formats, so they are easy to adapt to your organisation and branding.
How you use the GDPR toolkit
- Download instantly after purchase.
- Familiarise yourself with both the Fundamentals Guide and the Implementation Guide.
- Decide your path through GDPR and what is relevant to your business.
- Choose an aspect of your business (e.g. employee data) and follow the Implementation Guide.
- Implement rapidly by following the Day 1 plan, or work through the more detailed implementation roadmap.
The toolkit is designed so you can scale up or down, depending on the size and risk of personal data being handled.
You are purchasing a licence to use these documents within your own organisation (or for your own client work, if that’s how you operate). You can customise them, but you cannot resell them as your own GDPR toolkit.
What exactly do I get with the toolkit?
You get three things: a GDPR fundamentals guide (plain-English overview), a step-by-step implementation guide (a route map you tailor to your business), and a structured set of templates (Core, Conditional, and Boost) to produce the documents and evidence you actually need.
Is this suitable for UK and EU GDPR?
Yes. It’s been specifically designed to support both the UK GDPR and EU GDPR.
How long does it take to implement?
That depends on your size and complexity, but the toolkit is designed to help you build a defensible baseline first, then add the “Conditional” items only if they apply. Most organisations can make meaningful progress quickly because you’re not starting from a blank page.
Will this work if we use lots of SaaS tools and suppliers?
Yes. The templates include practical supplier/processor documentation and checks, so you can get control over who you share data with, what agreements you need, and what evidence to retain.
Can I use this with multiple teams?
Yes, within your organisation. You can roll the toolkit out to multiple teams as your standard way of running projects. If you want to use it commercially with multiple external clients, please contact me to discuss licensing.
What is your refund policy?
I’m afraid I can’t provide refunds, because once you have the files you can’t send them back. However, I do provide examples of the templates above, which demonstrate their quality and effectiveness.
Ready to stop reinventing the wheel?
Instead of starting every project in a blank document or stitching together templates from the internet, give yourself and your team a straightforward, proven way to run work from idea to closure.