GDPR compliant.
Talk Think Do is fully compliant with the UK General Data Protection Regulation. We handle personal data with care, operate documented data processing practices, and build GDPR compliance into the software we create and maintain for clients.
What GDPR requires.
The UK General Data Protection Regulation (UK GDPR), retained following Brexit, sets the legal framework for how personal data about UK residents must be collected, stored, processed, and protected. It applies to any organisation that handles personal data in the UK, regardless of whether that data is about employees, customers, or end users.
For software companies, GDPR creates specific obligations depending on whether the organisation is acting as a data controller (determining why and how data is processed) or a data processor (processing data on behalf of a controller). Talk Think Do typically acts as a data processor when building and supporting software that handles our clients' end-user data, and as a data controller for the personal data we hold about our own contacts and staff.
The regulation is enforced by the Information Commissioner's Office (ICO) in the UK. Fines for serious breaches can reach £17.5 million or 4% of global annual turnover, whichever is higher. More practically, a data breach or non-compliance finding can cause significant reputational damage and disrupt business operations.
Core GDPR principles
- Lawful basis — Personal data must only be processed where there is a valid legal basis
- Purpose limitation — Data collected for one purpose cannot be reused for another without grounds
- Data minimisation — Only collect and retain data that is necessary for the stated purpose
- Accuracy — Personal data must be kept accurate and up to date
- Storage limitation — Data should not be retained longer than necessary
- Integrity and confidentiality — Data must be protected against unauthorised access, loss, or destruction
- Accountability — Organisations must be able to demonstrate compliance, not just claim it
How we handle data protection in practice.
Data Processing Agreements
Where we process personal data on behalf of a client, we operate under a Data Processing Agreement (DPA) that sets out the scope, nature, and purpose of processing, the types of data involved, and our obligations as a processor. This is a standard part of our contracts.
Data residency in the UK and EEA
The software we build on Azure is architected to keep personal data within UK or EEA data centres by default. Where data transfers outside these regions are required, we ensure appropriate safeguards are in place.
Privacy and security by design
We build data protection into application architecture from the start. That means minimal data collection, encryption at rest and in transit, role-based access controls, and audit logging designed in from the outset, rather than compliance retrofitted onto a finished system.
Breach notification procedures
Our ISO 27001-certified incident management process includes procedures for identifying and responding to personal data breaches. Where a breach is notifiable to the ICO (within 72 hours of becoming aware of it) or to the affected data subjects, our process ensures we meet those obligations.
Sub-processor management
We maintain a record of sub-processors with access to personal data and ensure they operate to equivalent standards. Clients are entitled to receive our list of sub-processors and to object to changes.
Subject rights support
Where we build systems that hold personal data, we design them to support data subject rights: access, rectification, erasure, portability. The capability to fulfil these requests should not be an afterthought in system design.
Data protection questions?
We are happy to share our data processing practices, discuss our DPA terms, or answer specific questions about how personal data is handled in the systems we build and support.