SME data protection evidence pack index
A practical index of the documents and artefacts you should be able to produce quickly when a regulator, buyer, or insurer asks. Built for proportionality, not perfection: a small number of accurate, current artefacts beats a folder of ignored templates.
This is a read-only template to help you structure your evidence. It is not legal advice. Use it to identify gaps and assign owners, not as a substitute for professional advice on your specific situation.
How to use this index.
The goal of an evidence pack is not to produce an impressive folder. It is to be able to answer four questions quickly and accurately when they are put to you: what data do you process, how do you protect it, how do you handle incidents, and how do you manage data subject rights? This index maps the artefacts that answer those questions, assigns them a priority tier, and notes what "good" looks like for each one at SME scale.
Mark each item Present, Partial, or Missing
Work through the index honestly. Partial means it exists but is out of date, incomplete, or does not reflect current practice. Treat Partial as Missing until you can verify the gap is closed. A document that was last updated two years ago is not current evidence.
Assign an owner and a review date to each item
An evidence pack without named owners does not get maintained. For each item, there should be a specific person (not a team, not “IT”) responsible for its accuracy and a calendar date by which it will next be reviewed. Quarterly review is the minimum for most items. For critical items such as the RoPA and processor register, the requirement is review immediately after any change.
Start with the Core tier and the items most requested in due diligence
The four most commonly requested items in buyer due diligence and insurer renewal are: the RoPA (or equivalent processing summary), the privacy notice, the processor register with DPA status, and the breach handling procedure. If you can produce these four quickly and accurately, you pass the initial screen in the large majority of cases. Build these before anything else.
Keep evidence lightweight but real
A brief, accurate, current document is worth considerably more than an elaborate template that was never properly populated. For the technical items (access controls, backups, patching), screenshots and exports from your actual systems beat a written description of what you intend to do. If you cannot produce evidence of MFA enforcement from your admin console, the evidence does not exist regardless of what your policy document says.
The “we do GDPR, trust us” moment. When a buyer, insurer, or regulator asks for your data protection documentation, the response “we are compliant but we don’t have it written down” is functionally the same as not being compliant. Credible control means demonstrable control. This index builds the demonstration capability.
Evidence pack index.
Use the Core items as your minimum viable pack: these seven artefacts answer the majority of regulatory, buyer, and insurer questions. The Strongly recommended items close the remaining gaps and are increasingly expected by cyber insurers. Contextual items apply in specific circumstances and should be assessed individually.
| Item | What “good” looks like at SME scale | Typical owner | Priority |
|---|---|---|---|
| Core: minimum viable evidence pack | | | |
| Privacy notice: customer-facing statement of processing | Accurate and current: matches what the RoPA says you actually do. Covers data types collected, purposes, lawful basis, retention periods, data subject rights, processor disclosure, and contact details. Accessible on your website and provided at point of collection. Last reviewed within 12 months or immediately after any processing change. | Ops / Legal | Core |
| Records of processing (RoPA): your processing inventory | A spreadsheet or equivalent covering every significant processing activity. Columns: processing activity name, purpose, lawful basis, data categories, data subjects, systems used, processors involved, retention period, and review date. Last updated within the last 12 months. Short is fine: a 20-row RoPA maintained honestly is better than a 200-row one last touched three years ago. | DPO / Ops | Core |
| Lawful basis mapping: one entry per processing activity | A clear, documented basis for each processing activity. Where legitimate interests is the basis, a brief written balance test: identify the interest, confirm the processing is necessary, and record why the interest outweighs the individual’s rights. Where consent is the basis, evidence of how consent is obtained, recorded, and withdrawn. Typically held within or alongside the RoPA rather than as a separate document. | Ops / Legal | Core |
| Retention schedule: how long you keep what, and why | A simple table: data type, retention period, legal or business justification, deletion or archive method, and who is responsible for executing deletions. Aligned with the RoPA so every processing activity has a corresponding retention entry. Evidence that deletions actually happen: a process, not just a stated intention. Reviewed annually or when processing changes. | Ops / IT | Core |
| Data subject rights procedure: SAR, erasure, rectification, portability | A documented workflow covering: who receives rights requests (dedicated email address preferred), how identity is verified before responding, response templates for the four most common request types, tracked deadlines (one calendar month), and escalation for complex or disputed requests. Evidence of any previous requests handled and how they were managed. At minimum, the procedure must exist before the first request arrives. | Customer Ops | Core |
| Processor register: all suppliers processing personal data on your behalf | A register of every third party that processes personal data on your behalf: CRM, HR and payroll, IT support, cloud storage, email marketing, finance software, and any other system holding data about your customers, staff, or prospects. For each: supplier name, what data they process, business purpose, country of processing, and when the relationship was last reviewed. This is distinct from your general supplier list: it covers specifically those with data access. | Ops / Procurement | Core |
| Data processing agreements (DPAs): Article 28 contracts with processors | A signed DPA or equivalent contractual clauses for every processor in your register. At minimum each DPA must cover: subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, the controller’s instructions, sub-processor controls, security obligations, breach notification requirements (to the controller, not just the ICO), and audit rights. Many SaaS vendors now include DPA terms in their standard agreements: confirm they have been accepted and are on file. | Legal / Procurement | Core |
| Strongly recommended: expected by most cyber insurers and buyers | | | |
| Security controls summary: brief technical posture document | A one to two-page document covering the key security controls in place: MFA enforcement and scope, backup regime and isolation status, endpoint protection coverage, patching cadence, network controls (firewall, VPN), encryption at rest and in transit for sensitive data, and logging and alerting for high-risk events. Not a technical specification: a leadership-level summary of the controls in place and who is accountable for each. Updated when controls change, reviewed annually. | IT / Security | Strongly rec. |
| Access control evidence: screenshots and exports, not descriptions | Actual evidence from your systems: a screenshot of the conditional access policy enforcing MFA, an export from your user directory showing active accounts (confirming leavers are removed), evidence of the most recent access review with its date and outcome. The distinction matters: a policy document saying “MFA is required” is an assertion; a screenshot of the admin console enforcing it is evidence. Buyers and insurers increasingly ask for the latter. | IT | Strongly rec. |
| Backup and restore evidence: tested, documented, dated | A record of your most recent successful restore test for each critical system: what was tested, the date, who performed the test, and the outcome. Not just confirmation that backup jobs ran. Confirmation that data was actually restored from backup and was intact. Cadence: at least every six months for critical systems, annually for less critical ones. Also confirms that at least one backup copy is isolated from production credentials, with a brief description of how isolation is achieved. | IT | Strongly rec. |
| Breach response playbook: first-hour procedure with named owners | A documented step-by-step procedure covering: containment actions for the two or three most likely incident types, evidence preservation rules (what not to do as well as what to do), triage and assessment steps, a notification decision flowchart covering the ICO 72-hour obligation and individual notification, insurer notification requirements and timing, and client and supplier communication templates. Named owner for each decision point. Contact list that does not live only in the email system. Reviewed annually and rehearsed at least once. | Security / Ops | Strongly rec. |
| Incident and breach register: log of incidents and near-misses | A running log of all security and data incidents, including those that did not meet the ICO notification threshold. For each entry: date of discovery, nature of the incident, data affected, actions taken, notification decision and rationale, and lessons learned or remediation completed. Demonstrates to the ICO and insurers that you have a practice of reviewing incidents and learning from them, not just responding reactively to significant events. | Ops | Strongly rec. |
| Data protection impact assessments (DPIAs): required for high-risk processing | DPIAs completed before deployment for processing activities that meet the high-risk threshold: large-scale processing of special category data, systematic profiling, surveillance, new technologies with significant privacy implications. The critical point is timing: a DPIA completed after a system is already live is a justification document, not a DPIA. Signed off at leadership level. Documented even if the conclusion is that the risk is acceptable, as the documentation of the reasoning is itself what the ICO looks for. | Ops / DPO | Strongly rec. |
| Contextual: required in specific circumstances | | | |
| International transfer assessment: required when data leaves the UK | Where personal data is transferred to countries outside the UK, a documented basis for each transfer: adequacy decision, UK International Data Transfer Agreement (IDTA), or an approved alternative safeguard. Many SMEs transfer data internationally without realising it (US-hosted SaaS, cloud platforms, analytics tools). The processor register should identify where each processor is based, and each non-UK processor should have a corresponding transfer basis documented. | Ops / Legal | Contextual |
| Staff awareness and training evidence: induction and periodic refresh | Evidence that staff whose roles involve personal data have received data protection awareness training, at minimum at induction and with periodic refresh. Simple is acceptable: a completion log with dates and the names of the people who completed it. Content should cover the most practical risks for your organisation: recognising phishing, handling data subject rights requests, what to do when they suspect an incident, and the payment verification policy. Not a two-hour annual GDPR lecture. | HR / Ops | Contextual |
What reviewers ask first.
The opening questions in a buyer security questionnaire, an insurer renewal review, or an ICO information request are consistent across the large majority of cases. Preparing answers to these four questions with current, accurate evidence resolves the initial screen in most situations and determines whether a deeper review follows.
- Can you show what you process? The answer requires your RoPA and processor register. Not a summary from memory: an actual document that covers the processing activities, the lawful basis for each, and the third parties involved. If you can produce this quickly and confidently, the first question is closed.
- Can you show how you protect it? The answer requires your security controls summary and access control evidence. Technical assertions in a policy document carry less weight than screenshots from an admin console. MFA enforcement, leaver process discipline, and backup isolation are the three controls asked about most frequently.
- Can you handle incidents? The answer requires your breach response playbook and incident register. The question behind the question is: do you have a written procedure, a named owner, and a track record of applying it? An organisation that can show a breach register with entries and completed remediation actions demonstrates maturity that a business with no register cannot.
- Can you handle rights requests? The answer requires your data subject rights procedure. The question is whether requests are handled consistently, within the one-month deadline, with identity verification, and with a documented outcome. Evidence of previous requests handled (and “no requests received to date” is a legitimate answer) is better than a procedure with no history of application.
Cyber insurers have substantially tightened their required controls since 2021. The most commonly required conditions in UK SME cyber policies now include: MFA enforced on email and remote access (not just available), tested and isolated backups, a documented incident response procedure, and in some policies Cyber Essentials certification as a condition of cover. Failing to meet a stated condition can void a claim after an incident, regardless of the premium paid. Pull your policy document and check the conditions section against your current evidence pack.
Keeping the pack current: a review rhythm that works.
An evidence pack that is built once and then ignored becomes a liability rather than an asset: it creates a documented gap between what the organisation said it does and what it actually does. The maintenance overhead for a proportionate SME evidence pack is modest if it is built into an existing operational cadence rather than treated as a separate compliance project.
These are the practical triggers for review:
- Immediately when processing changes. New system, new supplier, new product line, new country of operation, new data category. The RoPA, processor register, privacy notice, and any relevant DPAs are updated at the point of the change, not at the next scheduled review. The person responsible for the change is also responsible for triggering the documentation update.
- After every incident or near-miss. The breach response playbook and incident register are updated with the outcome, the lessons learned, and any remediation taken. If the incident exposed a gap in the playbook, the playbook is revised. The ICO expects to see a learning cycle, not just a notification.
- Quarterly for the access control and backup evidence. A leaver access review, a backup restore test, and a spot check of the MFA enforcement status. These are the three most commonly outdated items and the three most commonly examined in insurer reviews.
- Annually for everything else. A structured review of all remaining items against current reality. The RoPA checked for completeness, the privacy notice checked against the RoPA, the processor register checked for leavers and new additions, and the data subject rights procedure tested against current contact routes and response templates.
The ICO applies a proportionality lens to SME enforcement. A business of fifteen people with a well-maintained RoPA, current DPAs, and a documented breach procedure will be treated very differently from a business of the same size that cannot produce any of these when asked. The goal is demonstrable, good-faith effort, not perfection. An imperfect document that is actively used and regularly reviewed is considerably better than a comprehensive template that was never properly populated. Build the core tier first. Maintain it honestly. The rest follows from that.
If you want support building and maintaining this pack, the governance and compliance service covers gap assessment, documentation, and an ongoing review cycle designed for owner-led businesses at SME scale.
Related resources and next steps
GDPR for owner-led SMEs without the legal fog
Lawful basis, RoPA, DPIAs, processor contracts, breach handling, and operating rhythm in plain English. The companion to this index.
“If we were hit tonight”: incident readiness self-assessment
Six sections covering identity, backups, email, IR readiness, supplier access, and governance. Includes the breach playbook checks from this index.
Governance and compliance service
Gap assessment, documentation, and an ongoing review rhythm. Builds the full evidence pack with you and keeps it current at SME scale.
Evidence preservation, insurer notification timing, and ICO obligations all start from the moment you become aware. Do not improvise the first hour.