ISMS Copilot

ISMS Copilot for UK SaaS companies

Win UK enterprise and public-sector deals with UK GDPR, DPA 2018 and Cyber Essentials handled in one workspace.

The UK SaaS stack, not a re-badged EU GDPR page

  • Draft UK GDPR DPIAs, ROPAs and Legitimate Interests Assessments under the DPA 2018 regime, not generic EU GDPR
  • Handle the UK-specific divergence points: ICO as supervisory authority, the IDTA and UK Addendum for transfers, and Data (Use and Access) Act 2025 amendments
  • Run a Cyber Essentials self-assessment against the five core controls before submitting to a certification body
  • Prepare Cyber Essentials Plus evidence for the hands-on technical verification
  • Cross-map UK GDPR and EU GDPR when you sell into both jurisdictions so you do not maintain two parallel programmes
  • Answer ICO-shaped breach questions with a 72-hour notification workflow

Built for the UK founder selling upmarket and into government

Cyber Essentials is mandatory for many UK central-government contracts handling sensitive data — the Copilot maps the firewall, secure-configuration, access-control, patch and malware controls to evidence

Pathway planning from Cyber Essentials to ISO 27001 when enterprise buyers escalate

International transfer assessments under the UK IDTA and Addendum for your sub-processor chain

Data subject rights handling (subject access, erasure, portability) under the DPA 2018

Dual-jurisdiction mapping for teams operating under both ICO and an EU lead authority

Plain-English explanations of where UK law now diverges from retained EU GDPR

UK GDPR divergence + Cyber Essentials for public-sector deals

UK SaaS compliance is not EU GDPR with a different flag. Since Brexit the UK runs the retained GDPR as amended by the Data Protection Act 2018, with the ICO as supervisory authority, the IDTA and UK Addendum replacing EU SCCs for restricted transfers, and the Data (Use and Access) Act 2025 introducing new recognised legitimate interests and lawful-ground exceptions. On top of that data protection layer sits Cyber Essentials: a UK government-backed scheme whose certification is contractually mandatory for many central-government and MOD-adjacent contracts that involve handling sensitive or personal data. ISMS Copilot drafts the DPA 2018 documentation set and runs the Cyber Essentials five-control gap analysis in the same workspace, so a UK SaaS vendor can answer both an ICO question and a public-sector tender requirement without two separate consultants.

UK GDPR framework guidance →

Frequently Asked Questions

Is UK GDPR just EU GDPR with a different name?

No. It is the retained EU GDPR as amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025. The divergence points matter in practice: the ICO is the supervisory authority, restricted transfers use the IDTA or UK Addendum rather than EU SCCs, and the DUA 2025 added new recognised legitimate interests and lawful-ground exceptions. The Copilot tracks the differences so dual-jurisdiction teams do not conflate the two.

Why does a SaaS company need Cyber Essentials?

Cyber Essentials certification is contractually mandatory for many UK central-government and defence-adjacent contracts that involve handling sensitive or personal data. If you are selling into the UK public sector, it is frequently a gate before procurement will even evaluate you. The Copilot runs the five-control gap analysis and prepares Cyber Essentials Plus evidence for the assessor verification.

We sell to EU customers too — do we maintain two programmes?

No. ISMS Copilot cross-maps UK GDPR and EU GDPR so you run one programme with documented divergence points rather than two parallel sets of policies. The same workspace covers your ICO-facing obligations and an EU lead authority's.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.