Key Takeaways
GDPR has been law since 2018, but most SMBs still do not have a defensible compliance posture. They have a privacy policy someone copied from the internet, a cookie banner that does not actually reflect how they process data, and no documented lawful basis for the personal data they hold. When a data subject request lands, they panic. When a breach occurs, they have 72 hours to notify the ICO and no process to do it. MSPs who have built relationships with these clients are uniquely positioned to offer GDPR compliance as a managed service — and the recurring revenue model is strong. This guide covers how to build it.
GDPR came into force in May 2018. It is now 2026, and the average SMB client is still not compliant.
Not because they do not care. Because they do not know what compliance actually requires. They have a privacy policy someone generated with a template, a cookie banner that has not been reviewed since a web developer installed it, and no documented record of what personal data they hold, why they hold it, or how long they keep it. When a data subject request arrives, it lands in someone’s inbox with no process to handle it. When a breach occurs, the 72-hour clock starts ticking and nobody knows what to do.
MSPs are in the building. They manage the infrastructure where this data lives. They are the logical partner to make GDPR compliance manageable. The question is whether you have built the service line to deliver it.
What GDPR Actually Requires
GDPR is a regulation, not a framework. It does not offer a checklist. It sets out legal obligations that organisations must meet, and those obligations scale with the nature and volume of the personal data being processed.
The core obligations that consistently trip up SMB clients are these:
Lawful basis for processing. Every processing activity needs a documented lawful basis under Article 6. For most SMBs, the relevant bases are contract (processing necessary to deliver a service), legitimate interests (processing necessary for a business purpose that does not override individual rights), and consent (freely given, specific, informed, and unambiguous). The problem is that most businesses have never mapped their processing activities to a lawful basis. They have been collecting data because it was useful, not because they had a documented reason to do so. This becomes a problem when they receive a data subject erasure request and discover they cannot explain why they are still holding the data.
Record of Processing Activities. Article 30 requires controllers to maintain a written record of all processing activities. The ROPA must document: the purposes of processing, categories of data and data subjects, recipients, third-country transfers, retention periods, and a description of security measures. For a 30-person company, this typically covers 15-25 distinct processing activities across HR, sales, marketing, and operations. Almost no SMB has a current ROPA.
Data Processing Agreements. Whenever a controller uses a processor — a SaaS tool, a cloud provider, a payroll bureau, an IT support company — GDPR Article 28 requires a written contract that specifies the processor’s obligations and restrictions. The MSP is a processor. The MSP’s relationship with the client must be governed by a DPA. Most MSP contracts include a generic data protection clause rather than a properly structured DPA that meets Article 28 requirements. That gap creates liability for both parties.
Data Subject Rights. Individuals have eight rights under GDPR: access, rectification, erasure, restriction, portability, objection, rights related to automated decision-making, and the right to withdraw consent. Controllers must be able to fulfil requests within one month (extendable to three months for complex requests) and must have processes to verify the identity of requestors and locate the relevant data. For most SMBs, there is no process — a DSAR lands in the general inbox and someone has to figure out what to do with it.
Breach Response. Article 33 requires controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals. Article 34 requires notification to affected individuals if the breach is likely to result in high risk. Having a breach response process documented before a breach occurs is the difference between an orderly 72-hour notification and a panicked scramble that misses the deadline and triggers a fine for both the breach and the notification failure.
Who Needs This Service
Every SMB processing personal data about EU or UK residents is within scope. In practice, this is almost every client you have. But the demand for compliance support clusters around specific triggers:
Contract requirements. Enterprise buyers, regulated businesses, and public sector organisations are increasingly requiring suppliers to demonstrate GDPR compliance as a procurement condition. Audits, questionnaires, and DPA reviews are being pushed down supply chains. When an SMB client lands their first enterprise customer, they discover compliance is a commercial requirement, not just a regulatory one.
ICO enforcement activity. The ICO has been increasing its enforcement activity against SMBs, not just large enterprises. Enforcement notices, reprimands, and fines arising from complaint-led investigations and breach notifications are a real risk. An ICO investigation typically starts with a questionnaire that asks for documentation most SMBs cannot produce. Clients who have experienced even a minor ICO interaction become compliance buyers.
Staff or customer data breaches. A ransomware attack, a misdirected email, a stolen laptop — any personal data breach triggers GDPR notification obligations. MSPs who manage the infrastructure and respond to incidents are often first on the scene. If you are already managing the technical response, you should be managing the notification obligation too.
Sector pressure. Clients in healthcare, legal, financial services, and HR are under sector-specific pressure to demonstrate data protection compliance. A GP surgery, a solicitors' firm, or a payroll bureau faces expectations from sector bodies, professional indemnity insurers, and clients that go beyond basic GDPR compliance. These clients are higher-touch but also higher-value.
Building the Service Line: Phase Structure
Phase 1: Data Mapping and Gap Assessment (3-5 weeks)
The foundation is a data mapping exercise. You cannot build a ROPA, identify lawful bases, or run a DPIA without knowing what personal data the client holds, where it lives, who has access, and how it moves through the business.
Start with a structured interview covering each business function: HR and payroll, sales and CRM, marketing, operations, finance, and IT. Map the personal data flows: what is collected, where it is stored (which systems, which cloud services, which third parties), who can access it, and how long it is retained. Build the initial ROPA draft from this mapping.
Run the gap assessment in parallel: identify missing lawful bases, absent DPAs with processors, unhandled DSAR obligations, absent retention schedules, and breach response gaps. The output is a prioritised remediation roadmap.
Phase 2: Documentation and Controls Implementation (4-8 weeks)
This phase converts the gap assessment into working compliance documentation:
ROPA completion. Finalise the Record of Processing Activities with lawful bases documented for each activity, retention periods set and approved, and processor relationships identified.
Data Processing Agreements. Draft and execute DPAs with all material processors — cloud providers, SaaS tools, subcontractors, and the MSP itself. For major processors (Microsoft, Google, AWS), the DPAs are standard controller-processor agreements available from the vendor. For smaller suppliers, the MSP may need to negotiate.
Privacy notices. Review and update customer and employee privacy notices to accurately reflect the processing documented in the ROPA. Notices must describe the lawful basis, retention periods, data subject rights, and contact details for the DPO or responsible individual.
DSAR process. Implement a documented DSAR handling process: a designated inbox, an identity verification procedure, a search protocol covering all systems where personal data is held, and a response template. The one-month response clock starts from receipt of the request, not from when someone notices it.
Breach response procedure. Document the breach response process: detection and escalation, breach assessment, ICO notification template, and individual notification procedure. The 72-hour clock starts from when the controller becomes aware, not when the investigation is complete. The notification must be filed even if not all information is available — controllers can supplement the notification as the investigation progresses.
Consent management (where applicable). Where the client relies on consent as a lawful basis for marketing or other processing, implement a consent management mechanism that captures, records, and enables withdrawal of consent. Website cookie consent needs to be audited against the actual cookies in use — most implementations are months or years out of date.
Phase 3: DPIA Delivery (as required)
A Data Protection Impact Assessment is mandatory for high-risk processing. MSPs should treat every new tool adoption, AI implementation, or major system change as a trigger to assess whether a DPIA is required.
Delivering a DPIA involves: describing the processing activity, assessing necessity and proportionality, identifying risks to data subjects, and documenting mitigating measures. If the residual risk remains high after mitigation, the controller must consult the ICO before proceeding with the processing.
For clients adopting AI tools with employee monitoring capabilities, new HR systems, or large-scale customer analytics platforms, a DPIA is almost always required. This is billable as a standalone service or as part of a project engagement.
Phase 4: Ongoing Compliance Retainer
GDPR compliance is not a one-time project. The retainer delivers:
- Annual ROPA review — processing activities change, new tools get adopted, staff roles shift
- DSAR handling support — manage or advise on incoming requests within the one-month window
- Breach response support — triage and notification support when incidents occur
- DPA maintenance — new processor relationships, updated standard contractual clauses
- Privacy notice updates — when processing changes or new services launch
- Staff awareness training — annual refresh for all staff handling personal data
- DPIA support — assessment when new high-risk processing is adopted
Clients who complete the initial project and then go without a retainer typically drift out of compliance within 18 months. New SaaS tools are adopted without DPAs. ROPAs go stale. DSARs get mishandled. The retainer is the mechanism that keeps compliance current.
Pricing the Service
Data mapping and gap assessment: £2,000–£4,500 for a 25-100 person company.
Documentation and controls implementation: £5,000–£15,000 depending on complexity, number of processors, and volume of consent management work.
DPIA delivery: £1,500–£3,500 per assessment.
Ongoing compliance retainer: £600–£1,800/month covering ROPA maintenance, DSAR support, breach response, DPA management, and annual training.
The retainer model is particularly strong here because GDPR obligations are continuous. Unlike ISO 27001 where the certification cycle is three years, GDPR has no expiry. Any change to the business — a new tool, a new data type, a new market — potentially triggers a compliance obligation. Clients who understand this keep the retainer. Clients who do not understand it end up in an ICO investigation.
For an MSP with 15 clients on a GDPR retainer at an average of £1,000/month, that is £180,000 in annual recurring revenue — from a service that requires no hardware and deepens relationships with clients you already serve.
What Most MSPs Get Wrong
Treating it as a one-time documentation exercise. GDPR compliance is an ongoing obligation. Delivering a ROPA and a privacy notice and then moving on produces a document trail that will be out of date within 12 months. The commercial model needs to include the retainer from the start.
Ignoring the MSP’s own DPA obligations. Your own relationship with your client requires a compliant DPA under Article 28. Many MSPs use contracts with generic data protection clauses that do not satisfy Article 28 requirements. If a client faces an ICO investigation, your contract will be reviewed. Fix this in your own standard terms first.
Missing subprocessors. MSPs use third-party tools and subcontractors to deliver services. Each subcontractor that touches client personal data is a subprocessor. GDPR requires the controller to approve subprocessors, and the DPA chain must flow down. If you use a monitoring tool, a backup service, or a helpdesk platform that processes client data, those subprocessors need to be disclosed to the client and covered in the DPA.
Underestimating DSAR response complexity. A DSAR requires the organisation to search all systems where personal data about the requestor may be held — email, CRM, HR system, accounting software, backup archives, paper records. For most SMBs, this is more complex than it looks. Archived email alone can be a significant exercise. Building a realistic DSAR process requires understanding exactly where the client’s personal data lives.
Cookie compliance theatre. Cookie banners are visible, which makes clients think they address the consent requirement. Most cookie implementations do not — the banner fires analytics and marketing cookies before consent is given, does not respect rejected consent on subsequent visits, or does not accurately reflect the cookies in use. The ICO has been actively enforcing cookie compliance and publicly naming organisations for failures. An audit of the client’s cookie implementation is a quick win and often reveals significant remediation work.
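As an added illustration (not code from the article or from GetCybr) of what a cookie audit actually checks, the following JavaScript categorises a constructed cookie inventory and flags cookies that are present without a matching consent decision, including the return-visit case where a stored rejection must still be honoured. The cookie names, categories and consent record shape are assumptions made for the example.

```javascript
// Added example: consent-gated cookie audit. Cookie names, categories and the
// consent record format are constructed for illustration, not taken from any
// real site or consent management product.

// The inventory the banner claims to cover: name -> category.
const COOKIE_INVENTORY = {
  session_id: "necessary",   // strictly necessary: no consent required
  csrf_token: "necessary",
  _ga: "analytics",          // analytics: requires analytics consent
  _gid: "analytics",
  _fbp: "marketing",         // marketing: requires marketing consent
};

const inInventory = (name) =>
  Object.prototype.hasOwnProperty.call(COOKIE_INVENTORY, name);

// Consent state as the banner should persist it between visits.
// decided=false means the visitor has not interacted with the banner yet.
function noDecision() {
  return { decided: false, analytics: false, marketing: false };
}

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const trimmed = part.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    cookies[name] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return cookies;
}

// A cookie is allowed only if it is strictly necessary or the visitor has
// actively consented to its category. No decision means no non-essential cookies.
function isAllowed(name, consent) {
  if (!inInventory(name)) return false;
  const category = COOKIE_INVENTORY[name];
  if (category === "necessary") return true;
  return consent.decided === true && consent[category] === true;
}

// Audit the cookies actually observed against the stored consent state.
// violations: inventoried cookies set without consent (fired early, or set
// again on a return visit despite a rejection). uninventoried: cookies the
// banner does not even describe, so the notice is inaccurate.
function auditCookies(cookieHeader, consent) {
  const observed = Object.keys(parseCookieHeader(cookieHeader)).sort();
  return {
    violations: observed.filter((n) => inInventory(n) && !isAllowed(n, consent)),
    uninventoried: observed.filter((n) => !inInventory(n)),
  };
}
```

Run the audit once before the banner has been answered and once on a return visit with a stored rejection; any non-essential cookie in `violations` on either run is the failure the paragraph describes.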
Why GDPR Is the Right Service Line for 2026
ICO enforcement has matured. The era of “we will focus on big companies” is over. Complaint-led investigations against SMBs are producing reprimands and fines. Breach notifications are triggering audits. The regulatory risk for non-compliant SMBs is real and increasing.
At the same time, commercial pressure is increasing from the supply chain direction. Enterprise buyers requiring supplier compliance questionnaires now ask specifically about DPIA processes, ROPA documentation, and breach response procedures. The compliance question is landing in SMB sales conversations more frequently than it was three years ago.
Your clients will face these questions. They do not have the expertise to answer them. You do. The MSP who builds a credible GDPR compliance service line is positioned to intercept that requirement and deepen the relationship before a specialist comes in from outside.
GetCybr maps GDPR obligations to specific implementation tasks, evidence requirements, and documentation templates per client. MSPs can track ROPA status, DSAR timelines, DPA coverage, and breach response readiness across multiple clients from a single dashboard. When an ICO enquiry arrives, the compliance record is current, structured, and exportable.