Since the United Kingdom's departure from the European Union, data protection has not become simpler — it has become more nuanced. The UK General Data Protection Regulation (UK GDPR), retained in domestic law through the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018, mirrors the EU GDPR in most respects but operates under its own supervisory authority: the Information Commissioner's Office (ICO). For UK businesses, this means compliance obligations remain as rigorous as ever, and in some areas, the landscape has grown more complex.
Whether you are a ten-person accountancy firm in the City, a growing e-commerce brand in Shoreditch, or a healthcare provider with multiple London clinics, GDPR compliance is not optional. It is a legal requirement that carries significant financial penalties, reputational consequences, and operational risks if neglected. Yet many small and medium-sized enterprises continue to treat data protection as a back-office concern rather than a strategic priority.
This guide breaks down everything UK businesses need to know about GDPR in practical, actionable terms — from the core principles and individual rights to breach notification rules, ICO enforcement trends, and the technical measures your IT infrastructure must support.
What Is UK GDPR and How Does It Differ from EU GDPR?
When the Brexit transition period ended on 31 December 2020, the EU GDPR ceased to apply directly in the United Kingdom. In its place, the UK GDPR was created — essentially the EU regulation as it existed at that point, incorporated into UK law with necessary amendments to replace references to EU institutions with UK equivalents. The Data Protection Act 2018 supplements the UK GDPR, providing additional provisions specific to the UK context.
For the vast majority of UK businesses, the practical obligations under UK GDPR are identical to those under EU GDPR. The principles, the rights of data subjects, the requirements for lawful processing, and the standards for data security all remain substantively the same. However, there are important distinctions that businesses must understand.
In June 2021, the European Commission adopted adequacy decisions for the UK, allowing personal data to flow from the EEA to the UK without additional safeguards. Those decisions carried a four-year sunset clause; the Commission extended them in 2025 while it assessed the UK's Data (Use and Access) Act 2025, and any renewed decision remains reviewable and can be withdrawn. Businesses receiving data from the EU should monitor its status: if adequacy lapsed, EU Standard Contractual Clauses or another Article 46 transfer mechanism would be required for EEA-to-UK transfers.
| Aspect | UK GDPR | EU GDPR |
|---|---|---|
| Supervisory authority | Information Commissioner's Office (ICO) | National Data Protection Authorities (e.g., CNIL, BfDI) |
| Maximum fine | £17.5 million or 4% of global turnover | €20 million or 4% of global turnover |
| International transfers | UK adequacy regulations & UK-approved SCCs | EU adequacy decisions & EU-approved SCCs |
| Representative requirement | UK representative required for non-UK controllers | EU representative required for non-EU controllers |
| Legislative framework | UK GDPR + Data Protection Act 2018 | EU GDPR + national implementing laws |
| Lead supervisory authority | ICO (single authority for UK) | One-stop-shop mechanism across EU DPAs |
| Age of consent (children) | 13 years | 16 years (member states may lower to 13) |
Businesses that operate in both the UK and EU markets — or process data of individuals in both jurisdictions — may need to comply with both regimes simultaneously. This dual compliance requirement makes it even more important to have robust, well-documented data protection practices.
The 7 Key Principles of UK GDPR
At the heart of UK GDPR are seven principles that govern how personal data must be handled. These are not merely aspirational guidelines; they are enforceable legal requirements. Every processing activity your business undertakes must align with these principles, and you must be able to demonstrate that alignment if challenged by the ICO or by a data subject.
| Principle | What It Requires | Practical Example |
|---|---|---|
| 1. Lawfulness, Fairness & Transparency | Process data legally, fairly, and in a transparent manner. Individuals must know what you are doing with their data. | Clear privacy notice on your website explaining what data you collect, why, and who you share it with. |
| 2. Purpose Limitation | Collect data only for specified, explicit, and legitimate purposes. Do not repurpose it without a compatible legal basis. | Customer email collected for order confirmation must not be added to marketing lists without separate consent. |
| 3. Data Minimisation | Collect only the data that is adequate, relevant, and limited to what is necessary for the stated purpose. | A newsletter sign-up form should not require date of birth, home address, or phone number. |
| 4. Accuracy | Keep personal data accurate and up to date. Take reasonable steps to correct or erase inaccurate data. | Regular data quality checks on your CRM. Allow customers to update their own details via a self-service portal. |
| 5. Storage Limitation | Retain personal data only for as long as necessary for the processing purpose. Define and enforce retention periods. | Delete job applicant data 6 months after the role is filled, unless the candidate consents to remaining on file. |
| 6. Integrity & Confidentiality | Protect data against unauthorised access, loss, destruction, or damage using appropriate technical and organisational measures. | Encryption at rest and in transit, role-based access controls, regular security audits, staff training. |
| 7. Accountability | Demonstrate compliance. Maintain records, conduct DPIAs, appoint a DPO where required, and document decisions. | Maintain a Record of Processing Activities (ROPA), carry out a DPIA before any high-risk processing begins, and review both at least annually. |
The accountability principle underpins all others. It is not enough to comply — you must be able to prove it. This means maintaining written records, documented policies, training logs, and audit trails. If the ICO investigates, "we thought we were compliant" is not a defence. You need evidence.
Individual Rights Under UK GDPR
UK GDPR grants individuals (data subjects) a comprehensive set of rights over their personal data. Your business must have processes in place to recognise, validate, and respond to these rights requests within the legally mandated timeframes. Failure to respond — or responding inadequately — can result in complaints to the ICO and enforcement action.
| Right | Description | Response Deadline |
|---|---|---|
| Right to be informed | Individuals must be told how their data is collected, used, and shared. Delivered through privacy notices. | At the point of data collection |
| Right of access (SAR) | Individuals can request a copy of all personal data you hold about them, along with supplementary information. | One calendar month |
| Right to rectification | Individuals can request correction of inaccurate or incomplete personal data. | One calendar month |
| Right to erasure | Also known as the "right to be forgotten." Individuals can request deletion of their data in certain circumstances. | One calendar month |
| Right to restrict processing | Individuals can request that you limit the way you use their data while disputes or objections are resolved. | One calendar month |
| Right to data portability | Individuals can obtain and reuse their personal data across different services in a structured, machine-readable format. | One calendar month |
| Right to object | Individuals can object to processing based on legitimate interests or direct marketing. Marketing objections must be honoured immediately. | One calendar month (immediate for direct marketing) |
| Rights related to automated decision-making | Individuals can challenge decisions made solely by automated means that produce legal or significant effects. | One calendar month |
SARs are the most commonly exercised right, and they can be resource-intensive to fulfil. You must carry out a reasonable and proportionate search of every system that may hold the individual's data: email, CRM, shared drives, backups, chat logs. Businesses that lack centralised data management or a clear data map often struggle to respond within the one-month deadline. The deadline can be extended by up to two further months for complex or numerous requests, but you must tell the requester within the first month, and disorganisation is not a valid reason to extend. Plan ahead: know where your data lives before a request arrives.
Lawful Bases for Processing Personal Data
Every processing activity must rely on one of six lawful bases defined in Article 6 of UK GDPR. Choosing the correct lawful basis is not a retrospective exercise — it must be determined before processing begins, and it should be documented in your Record of Processing Activities and communicated to individuals through your privacy notice.
Consent is often assumed to be the default lawful basis, but it is frequently the wrong choice for business-to-business processing. Consent must be freely given, specific, informed, and unambiguous — and critically, it must be as easy to withdraw as it was to give. For many routine business activities, legitimate interests or contractual necessity provide a more stable and appropriate legal foundation.
If you rely on legitimate interests, you must conduct a Legitimate Interest Assessment (LIA) that documents three things: (1) the purpose — what legitimate interest are you pursuing? (2) the necessity — is processing actually needed for that purpose? (3) the balance — do the individual's rights override your interest? Keep LIAs on file; the ICO may request them.
Data Categories: Personal vs Special Category Data
Not all personal data carries the same level of risk. UK GDPR distinguishes standard personal data from special category data, which needs an Article 9 condition on top of the Article 6 lawful basis, and from criminal offence data, which has its own conditions under Article 10 and Schedule 1 of the DPA 2018.
| Category | Examples | Protection Level |
|---|---|---|
| Standard personal data | Name, email, phone number, address, IP address, employee ID | Standard UK GDPR requirements |
| Special category data | Racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation | Elevated protection — requires Article 9 condition in addition to Article 6 lawful basis |
| Criminal offence data | Criminal convictions, offences, DBS check results | Specific conditions under DPA 2018 Schedule 1 |
| Children's data | Personal data of anyone under 18. In the UK, a child under 13 cannot give their own consent to an online service (parental consent is needed); the EU default age is 16 | Enhanced protections: parental consent where consent is the lawful basis, and the Age Appropriate Design Code (Children's Code) applies to online services likely to be accessed by under-18s |
Data Breach Notification: The 72-Hour Rule
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This is not limited to cyberattacks — sending an email to the wrong recipient, losing an unencrypted USB stick, or a ransomware incident that renders data inaccessible all qualify as potential data breaches.
Under Article 33 of UK GDPR, if a breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; if you cannot give full details in time, notify in phases and explain the delay. If the breach is likely to result in a high risk, you must also tell the affected individuals directly without undue delay under Article 34. If you decide a breach does not need reporting, record the reasoning: the ICO expects to see it.
[Figure: Breach Response Timeline]
Even if a breach does not meet the threshold for ICO notification, you are still legally required to record it in your internal breach register. Document what happened, the data involved, the effects, and the remedial action taken. The ICO can request access to this register during an investigation or audit, and gaps will be viewed unfavourably.
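The two clocks that drive the rights and breach obligations above (the one-calendar-month SAR deadline, with its extension, and the 72-hour ICO window) are easy to get wrong by hand, and a breach register needs to tie each entry to the notification decision. The following is an added example, not code from the page or from any vendor. It assumes the ICO's calendar-month rule (the same date next month, or the last day of that month if there is no such date, rolled forward past weekends), a 72-hour window counted from the moment of awareness, a three-level risk label of my own choosing, and it deliberately does not model bank holidays.

```python
"""Deadline clocks and a breach register for the obligations described above.

Added example (not the page's code). Assumptions: the ICO's calendar-month
rule for SARs (same date next month, else the last day of that month, rolled
forward past weekends), a 72-hour ICO window counted from awareness, and a
three-level risk label. Bank holidays are deliberately not modelled.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

RISK_LEVELS = ("unlikely", "risk", "high")  # constructed label set


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def add_calendar_months(start, months: int) -> date:
    """Same day N months on; if that day does not exist (31 Jan + 1 month),
    use the last day of the target month, as ICO guidance describes."""
    start = _as_date(start)
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday deadline to the following Monday (ICO: you have
    until the next working day). Bank holidays would need a maintained list."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def sar_deadline(received, extended: bool = False) -> date:
    """Subject access request deadline: one calendar month from receipt, or
    three months in total when a complexity extension has been notified."""
    return next_working_day(add_calendar_months(received, 3 if extended else 1))


def ico_notification_deadline(aware_at) -> datetime:
    """Article 33: notify the ICO within 72 hours of becoming aware."""
    return _as_datetime(aware_at) + timedelta(hours=72)


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime          # ISO string accepted, converted below
    description: str
    data_categories: list
    subjects_affected: int
    likely_risk: str            # one of RISK_LEVELS
    remedial_action: str = ""

    def __post_init__(self):
        self.aware_at = _as_datetime(self.aware_at)
        if self.likely_risk not in RISK_LEVELS:
            raise ValueError(f"likely_risk must be one of {RISK_LEVELS}")

    def obligations(self) -> dict:
        """Every breach is recorded internally; the ICO is told at 'risk' or
        above; affected individuals are told directly only at 'high'."""
        return {
            "record_internally": True,
            "notify_ico": self.likely_risk in ("risk", "high"),
            "notify_data_subjects": self.likely_risk == "high",
            "ico_deadline": ico_notification_deadline(self.aware_at),
        }


@dataclass
class BreachRegister:
    entries: list = field(default_factory=list)

    def log(self, record: BreachRecord) -> dict:
        self.entries.append(record)
        return record.obligations()

    def overdue(self, now) -> list:
        """Refs of ICO-notifiable breaches whose 72-hour window has closed."""
        now = _as_datetime(now)
        return [r.ref for r in self.entries
                if r.obligations()["notify_ico"] and now > r.obligations()["ico_deadline"]]


def example_register() -> BreachRegister:
    """Constructed sample: a misdirected email and a ransomware event."""
    reg = BreachRegister()
    reg.log(BreachRecord("BR-0001", "2025-03-10T14:30:00+00:00",
                         "Invoice emailed to the wrong client", ["name", "address"],
                         1, "unlikely", "Recipient confirmed deletion"))
    reg.log(BreachRecord("BR-0002", "2025-03-12T08:15:00+00:00",
                         "Ransomware encrypted the HR file share", ["employee records", "health data"],
                         45, "high", "Restored from immutable backup; passwords reset"))
    return reg


if __name__ == "__main__":
    print("SAR received 31 Jan 2025 is due", sar_deadline("2025-01-31"))
    for rec in example_register().entries:
        print(rec.ref, rec.obligations())
```

The misdirected email is logged but not reported, which is exactly the case the paragraph above describes; the ransomware entry triggers both ICO and data-subject notification, and `overdue()` is the check a weekly review would run against the register.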
ICO Fines & Enforcement: What Is at Stake
The ICO has a range of enforcement powers at its disposal, from informal warnings and reprimands to formal enforcement notices and monetary penalties. While the maximum fine of £17.5 million (or 4% of global annual turnover) captures headlines, the ICO also issues fines at a lower tier of up to £8.7 million (or 2% of turnover) for less severe infringements.
Notable ICO Enforcement Actions
| Organisation | Fine | Violation | Year |
|---|---|---|---|
| British Airways | £20,000,000 | Insufficient security measures led to a data breach affecting 400,000+ customers | 2020 |
| Marriott International | £18,400,000 | Failure to implement adequate security for Starwood guest reservation database | 2020 |
| Clearview AI | £7,552,800 (overturned by the First-tier Tribunal in 2023 on jurisdiction grounds; the ICO appealed) | Scraping images from the internet to create a facial recognition database without consent | 2022 |
| TikTok | £12,700,000 | Processing children's personal data without appropriate parental consent | 2023 |
| Interserve Group | £4,400,000 | Failing to keep employee personal data secure, resulting in a cyberattack | 2022 |
While headline-grabbing fines tend to involve large corporations, the ICO regularly takes action against smaller organisations: in recent years it has issued reprimands, enforcement notices and fines to SMEs, charities and sole traders, and it publishes dedicated guidance for small organisations. The size of your business does not exempt you from compliance.
[Figure: ICO Enforcement Trends by Category]
GDPR Compliance Checklist for UK SMEs
Compliance is not a one-time exercise. It requires ongoing attention, regular review, and continuous improvement. The following checklist covers the essential foundations that every UK SME should have in place. If any of these items are missing or incomplete, your organisation is at risk.
[Figure: Compliance Readiness by Area]
Essential Compliance Items
| Category | Action Item | Priority |
|---|---|---|
| Documentation | Create and maintain a Record of Processing Activities (ROPA) | Critical |
| Documentation | Publish a comprehensive, plain-English privacy notice on your website | Critical |
| Documentation | Draft an internal data protection policy and distribute to all staff | Critical |
| Documentation | Define and document data retention schedules for each data category | High |
| Rights Management | Establish a process for handling Subject Access Requests within one month | Critical |
| Rights Management | Create templates for responding to rights requests (erasure, rectification, portability) | High |
| Security | Implement encryption for data at rest and in transit | Critical |
| Security | Deploy multi-factor authentication across all business systems | Critical |
| Security | Conduct regular vulnerability assessments and penetration testing | High |
| Breach Response | Create a documented data breach response plan with assigned roles | Critical |
| Breach Response | Maintain a breach register to record all incidents, even non-reportable ones | High |
| Training | Deliver GDPR awareness training to all staff at onboarding and annually thereafter | Critical |
| Third Parties | Ensure Data Processing Agreements (DPAs) are in place with all processors | Critical |
| Third Parties | Conduct due diligence on third-party processors before engaging them | High |
| Governance | Appoint a Data Protection Officer (DPO) if required, or a data protection lead | High |
| Governance | Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing | High |
Technical Measures for GDPR Compliance
GDPR does not prescribe specific technologies, but it does require "appropriate technical and organisational measures" to protect personal data. What constitutes "appropriate" depends on the nature of the data, the risks involved, the state of the art, and the cost of implementation. For most UK SMEs, the following technical measures represent the baseline expectations.
[Figure: Technical Control Implementation Priority]
Your backup strategy must account for GDPR requirements. If an individual exercises their right to erasure, you need a process to handle that data in backups. While it is generally accepted that backup data may be retained for legitimate business continuity purposes, you must ensure it is not restored after erasure and that backup retention periods are defined and enforced. Encrypted, immutable backups are the gold standard.
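Immutable backups cannot be edited to remove one person's records, so the practical way to honour erasure is a restore-time suppression list, sometimes called an erasure ledger, applied before any restored data re-enters production. The following is an added example, not code from the page or from any backup product. It assumes records are dicts keyed by email address, a keyed hash (HMAC-SHA256) as the ledger tombstone so the ledger never becomes a copy of the identifiers you deleted, a key held outside the backup set, and a constructed retention schedule in days per category.

```python
"""Keeping erased and expired records out of a backup restore.

Added example (not the page's or any vendor's code). Assumptions: records are
dicts keyed by email address, a keyed hash (HMAC-SHA256) tombstone so the
erasure ledger itself never stores the identifier it has erased, and a
constructed retention schedule in days per data category.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Assumption: this key lives in a secrets store, outside the backup set, so a
# restored backup cannot be cross-referenced with the ledger by anyone who
# has only the backup media.
LEDGER_KEY = b"constructed-example-key-do-not-reuse"

# Constructed retention schedule (days); the real one is your documented policy.
RETENTION_DAYS = {"customer": 6 * 365, "applicant": 180, "marketing": 365}


def tombstone(identifier: str) -> str:
    """Keyed hash of a normalised identifier: proves an erasure happened
    without the ledger becoming a copy of the data that was deleted."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(LEDGER_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class ErasureLedger:
    entries: dict = field(default_factory=dict)  # tombstone -> ISO date erased

    def record(self, identifier: str, erased_on: str) -> str:
        mark = tombstone(identifier)
        self.entries[mark] = erased_on
        return mark

    def is_erased(self, identifier: str) -> bool:
        return tombstone(identifier) in self.entries


def filter_restore(records, ledger: ErasureLedger, restore_date: str):
    """Split a backup snapshot into records safe to reintroduce and records
    that must stay out, with the reason for each suppression (audit trail)."""
    restore = date.fromisoformat(restore_date)
    kept, suppressed = [], []
    for rec in records:
        if ledger.is_erased(rec["email"]):
            suppressed.append((rec["id"], "erased"))
            continue
        limit = RETENTION_DAYS.get(rec["category"])
        age_days = (restore - date.fromisoformat(rec["created"])).days
        if limit is None:
            suppressed.append((rec["id"], "no_retention_rule"))  # fail closed
        elif age_days > limit:
            suppressed.append((rec["id"], "retention_expired"))
        else:
            kept.append(rec)
    return kept, suppressed


# Constructed snapshot, as it might come off backup media.
SAMPLE_BACKUP = [
    {"id": 1, "email": "alice@example.com", "category": "customer", "created": "2024-06-01"},
    {"id": 2, "email": "bob@example.com", "category": "applicant", "created": "2024-11-01"},
    {"id": 3, "email": "carol@example.com", "category": "customer", "created": "2025-01-15"},
    {"id": 4, "email": "dave@example.com", "category": "legacy", "created": "2025-01-01"},
]


def sample_ledger() -> ErasureLedger:
    ledger = ErasureLedger()
    ledger.record("  Carol@Example.COM ", "2025-07-01")  # normalisation handles case/whitespace
    return ledger


def restore_sample(restore_date: str = "2025-09-01"):
    return filter_restore(SAMPLE_BACKUP, sample_ledger(), restore_date)


if __name__ == "__main__":
    kept, suppressed = restore_sample()
    print("restore:", [r["id"] for r in kept])
    print("suppressed:", suppressed)
```

Two design points matter here. A record whose category has no retention rule is suppressed rather than restored, because silently reintroducing data you have no documented basis to keep is the failure mode the storage limitation principle targets. And the ledger itself needs a retention period: once every backup that could contain a subject's data has aged out, the tombstone has nothing left to suppress and should be deleted too.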
The IT Provider's Role in GDPR Compliance
For most SMEs, the IT provider or managed service provider (MSP) is a critical link in the GDPR compliance chain. If your IT provider handles, stores, or has access to personal data on your behalf, they are acting as a data processor under UK GDPR. This creates specific legal obligations for both parties.
Your Business as Data Controller
- Determines the purposes and means of processing personal data
- Bears primary responsibility for GDPR compliance
- Must choose processors that provide sufficient guarantees
- Responsible for responding to data subject rights requests
- Must notify the ICO of qualifying data breaches
- Must maintain Records of Processing Activities
- Conducts Data Protection Impact Assessments
- Publishes privacy notices and manages consent
Your IT Provider as Data Processor
- Processes personal data only on the controller's documented instructions
- Must implement appropriate technical and organisational security measures
- Cannot engage sub-processors without the controller's authorisation
- Must assist the controller in responding to data subject rights requests
- Must notify the controller without undue delay upon becoming aware of a breach
- Must maintain its own Records of Processing Activities
- Must make available all information necessary to demonstrate compliance
- Must delete or return all personal data at the end of the service contract
What to Expect from a GDPR-Aware IT Provider
When evaluating or reviewing your IT provider's GDPR credentials, look for the following capabilities and commitments. A provider that cannot demonstrate these fundamentals may be putting your compliance at risk.
| Capability | What to Look For | Red Flag |
|---|---|---|
| Data Processing Agreement | A comprehensive DPA offered proactively, covering all Article 28 requirements | No DPA, or a vague one-page document |
| Security certifications | Cyber Essentials Plus, ISO 27001, or equivalent demonstrable standards | "We take security seriously" with no evidence |
| Encryption practices | AES-256 at rest, TLS 1.2+ in transit, encrypted backups | Unencrypted data storage or transmission |
| Breach notification process | Documented procedure to notify you within hours of detecting an incident | No defined breach escalation path |
| Access controls | Role-based access, MFA, privileged access management, regular reviews | Shared admin credentials or unmonitored access |
| Sub-processor transparency | Published list of sub-processors with notification of changes | Unknown or undisclosed sub-processors |
| Data location | Clear documentation of where data is stored and processed (UK/EEA) | Data stored outside adequate jurisdictions without safeguards |
| Exit & deletion procedures | Documented data return and secure deletion at end of contract | No procedure for data return or deletion |
Data Processing Agreements: What Must Be Included
Article 28 of UK GDPR mandates that processing by a processor must be governed by a contract (the Data Processing Agreement) that sets out specific terms. This is not optional — processing without a DPA in place is itself a compliance failure. The DPA must be in writing, including in electronic form.
Mandatory DPA Clauses
Article 28(3) requires the contract to set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the controller's obligations and rights. It must also commit the processor to:
- process personal data only on the controller's documented instructions, including for international transfers
- ensure that everyone authorised to process the data is bound by a duty of confidentiality
- implement the security measures required by Article 32
- engage sub-processors only with the controller's prior authorisation, and on terms that flow down the same obligations
- assist the controller in responding to data subject rights requests
- assist the controller with its Article 32 to 36 obligations (security, breach notification, DPIAs)
- delete or return all personal data at the end of the service, unless law requires retention
- make available all information needed to demonstrate compliance, allow audits, and tell the controller immediately if an instruction would breach data protection law
Common GDPR Myths Debunked
Misinformation about GDPR remains widespread, and these misconceptions can lead businesses into a false sense of security or unnecessary panic. Here are the most common myths we encounter when working with London businesses — and the reality behind each one.
- Myth: "GDPR doesn't apply to us after Brexit." Reality: UK GDPR applies to every UK business and is substantially identical to EU GDPR.
- Myth: "We're too small for the ICO to bother with." Reality: The ICO has fined and reprimanded sole traders, SMEs and charities. Size is no defence.
- Myth: "We need consent for everything." Reality: Consent is one of six lawful bases. Many activities rely on legitimate interests or contract.
- Myth: "GDPR means we can't send marketing emails." Reality: You can send B2B marketing and use the PECR soft opt-in for existing customers.
- Myth: "Deleting data is always required when asked." Reality: Erasure has exceptions. Legal obligations, establishing or defending legal claims, and public interest can override the request.
- Myth: "A privacy policy on our website is enough." Reality: A privacy notice is necessary but far from sufficient. You need documented policies, procedures, DPAs, training and technical measures.
- Myth: "GDPR is just an IT issue." Reality: GDPR is a business-wide responsibility involving legal, HR, marketing, operations and IT.
- Myth: "We're compliant because we use cloud services." Reality: Using cloud services shifts some processing to a third party, but you remain the controller and are responsible for their compliance via DPAs and due diligence.
The "too small" myth is perhaps the most dangerous. The ICO does not have a turnover threshold below which it will not act. Small organisations frequently handle highly sensitive data (GP practices, law firms, recruitment agencies), and a breach at a small firm can be just as harmful to individuals as one at a large corporation. Complacency based on size is a risk factor, not a protection.
International Data Transfers
If your business transfers personal data outside the UK — for example, using a US-based SaaS tool, a cloud provider with non-UK data centres, or sharing data with an overseas partner — you must ensure there is a lawful mechanism for that transfer. Under UK GDPR, personal data can only be transferred to countries that provide an adequate level of data protection, or where appropriate safeguards are in place.
Transfer Mechanisms Available
| Mechanism | When to Use | Complexity |
|---|---|---|
| UK Adequacy Regulations | Country or scheme assessed by the UK government as providing adequate protection (e.g., EEA countries, Gibraltar, Switzerland, Japan, South Korea, and US organisations certified under the UK-US data bridge) | Low: no additional safeguards needed |
| UK International Data Transfer Agreement (IDTA) | Transfers to non-adequate countries. Replaced the old EU SCCs for UK transfers; contracts still relying on the old EU SCCs had to be migrated by 21 March 2024. | Medium: requires completion and execution between parties |
| UK Addendum to EU SCCs | If you already use EU SCCs, the UK Addendum extends coverage to UK GDPR transfers. | Medium — supplement to existing EU SCCs |
| Binding Corporate Rules (BCRs) | Intra-group transfers within multinational organisations. Approved by the ICO. | High — complex approval process, mainly for large enterprises |
| Derogations (Article 49) | Specific, limited circumstances: explicit consent, contractual necessity, legal claims, vital interests. | Low-Medium — but only for occasional, non-systematic transfers |
Even where a transfer mechanism is in place, you must carry out a Transfer Risk Assessment (TRA) to evaluate whether the destination country's legal framework provides sufficient protection in practice. This includes considering government surveillance laws, the rule of law, and the availability of effective legal remedies for data subjects. The Data (Use and Access) Act 2025 reframes this as a "data protection test" (is the standard of protection in the destination not materially lower than the UK's?), but the practical requirement is unchanged: know where your data goes and assess the risks.
GDPR & Cookies: The PECR Connection
Many businesses conflate GDPR with cookie consent, but cookies are actually governed by the Privacy and Electronic Communications Regulations 2003 (PECR), which sits alongside UK GDPR. PECR requires consent for non-essential cookies, while GDPR governs the processing of any personal data those cookies collect.
Your cookie banner must offer a genuine choice. Pre-ticked boxes, "accept all" as the only prominent option, or cookie walls that block access unless all cookies are accepted are not compliant. Offer clear categories, allow granular control, and ensure "reject all" is as easy as "accept all." Record consent to demonstrate compliance if challenged.
Preparing for the Future: The Data (Use and Access) Act 2025
The Data Protection and Digital Information Bill, the previous government's reform package, fell when Parliament was dissolved for the July 2024 general election and never received Royal Assent. Its successor, the Data (Use and Access) Act 2025 (DUAA), received Royal Assent on 19 June 2025. It does not repeal UK GDPR; it amends UK GDPR, the Data Protection Act 2018 and PECR, with the stated aim of reducing compliance burdens for businesses while maintaining high data protection standards. Most provisions are being commenced in phases by regulations, so check which are in force before relying on them.
Key changes businesses should be aware of include:
| Change | Impact | Timeline |
|---|---|---|
| Recognised legitimate interests | A statutory list of purposes (for example disclosures to public authorities, emergencies, crime prevention, safeguarding) that can be relied on without a balancing test. Other legitimate interests still need an LIA | Phased commencement |
| Research purposes broadened | A wider statutory definition of scientific research, including commercial research | Phased commencement |
| Subject access requests | "Reasonable and proportionate" searches and the "stop the clock" for clarification requests put on a statutory footing | Phased commencement |
| Automated decision-making | Article 22 restrictions narrowed to decisions involving special category data; other solely automated decisions permitted with safeguards | Phased commencement |
| Complaints handling | Controllers must give individuals a way to complain about their data handling and must acknowledge and investigate complaints without undue delay | Phased commencement |
| International transfers reformed | A "data protection test" (protection not materially lower than the UK's) for adequacy regulations and for safeguards | Phased commencement |
| ICO governance reformed | The ICO becomes the Information Commission, a body with a board and chief executive | Phased commencement |
| Cookie rules simplified | New PECR exceptions for low-risk cookies such as statistics and appearance settings, subject to an opt-out; PECR fines raised to UK GDPR levels (£17.5 million or 4% of turnover) | Phased commencement |
While the DUAA introduces some flexibility, businesses should not reduce their compliance efforts in anticipation. The core principles remain unchanged, PECR penalties rise rather than fall, and EU adequacy, which depends on the UK maintaining essentially equivalent protections, could be at risk if standards are perceived to have dropped. Maintain your current standards and adapt as the ICO publishes guidance on each provision as it commences.
Frequently Asked Questions
Does UK GDPR apply to small businesses?
Yes. UK GDPR applies to every organisation that processes personal data, regardless of size. There is no small business exemption. If you hold customer names, email addresses, employee records, or any other information that can identify a living individual, you must comply. The ICO has taken enforcement action against sole traders, micro-businesses, and charities, so size provides no protection.
Do we need to pay a fee to the ICO?
Most organisations that process personal data must pay a data protection fee to the ICO. The fee is tiered by size and turnover: since February 2025, Tier 1 is £52 per year (micro-organisations), Tier 2 £78 (SMEs) and Tier 3 £3,763 (large organisations); the previous rates were £40, £60 and £2,900. Failure to pay is not a criminal offence, but the ICO can impose a fixed monetary penalty on top of the fee owed. Only a narrow set of exemptions apply, so check the ICO's self-assessment tool to confirm your obligation.
Do we need to appoint a Data Protection Officer?
You must appoint a DPO if you are a public authority, if your core activities involve large-scale systematic monitoring of individuals, or if your core activities involve large-scale processing of special category data or criminal offence data. Most private-sector SMEs are not legally required to appoint a DPO, but it is best practice to designate a data protection lead who takes responsibility for compliance within the organisation.
What should we do if we suffer a data breach?
You must assess the breach immediately. If it is likely to result in a risk to individuals' rights and freedoms, notify the ICO within 72 hours using the ICO's online reporting tool. If the breach poses a high risk, notify affected individuals directly without undue delay. Regardless of severity, record all breaches in your internal breach register. Having a documented breach response plan and conducting tabletop exercises ensures your team can respond effectively under pressure.
Can we still send marketing emails?
Yes, but with conditions. For electronic marketing (email, SMS, phone), PECR applies alongside GDPR. You generally need consent for unsolicited marketing to individuals. However, the "soft opt-in" allows you to email existing customers about similar products or services without fresh consent, provided you offer an opt-out. B2B marketing to corporate email addresses is subject to lighter requirements under PECR, but GDPR still applies to any personal data involved, and sole traders and unincorporated partnerships count as individual subscribers under PECR even when their address looks corporate.
How long can we keep personal data?
UK GDPR does not prescribe specific retention periods. Instead, you must define your own based on the purpose of processing. Common benchmarks include: 6 years for financial records (HMRC requirements), 6 years for contractual data (the limitation period for breach of contract claims), around 6 months for unsuccessful job applicants unless they agree to stay on file, and for marketing data only as long as the individual remains engaged. Document your retention schedule, apply it consistently, and ensure data is securely deleted when the retention period expires.
Is our IT provider responsible for our GDPR compliance?
No. As the data controller, your business holds primary responsibility for GDPR compliance. Your IT provider, as a data processor, must follow your instructions and implement appropriate security measures. However, it is your responsibility to choose a compliant processor, put a Data Processing Agreement in place, and conduct due diligence. A good IT provider will support and enable your compliance, but they cannot absolve you of your obligations as controller.
Are Microsoft 365 and Google Workspace GDPR compliant?
Not automatically. While Microsoft, Google, and other major cloud providers offer GDPR-compliant infrastructure and have robust DPAs, compliance depends on how you configure and use these services. Misconfigured sharing settings, weak passwords, lack of MFA, poor data classification, and unmanaged devices can all create compliance gaps regardless of the platform. You must ensure your configuration, policies, and user behaviour align with GDPR requirements.
How Cloudswitched Supports GDPR Compliance
At Cloudswitched, we understand that GDPR compliance is not a one-off project — it is an ongoing commitment that requires the right combination of technical infrastructure, documented processes, and expert guidance. As a London-based managed IT services provider, we work with businesses across the capital to build and maintain IT environments that support data protection by design and by default.
Our approach to supporting GDPR compliance encompasses:
- Encrypted infrastructure: AES-256 encryption at rest, TLS 1.3 in transit, encrypted backups with verified restore testing.
- Identity and access management: Multi-factor authentication, conditional access policies, role-based permissions, and regular access reviews across Microsoft 365 and other platforms.
- Endpoint protection: Managed endpoint detection and response (EDR), automated patching, mobile device management, and remote wipe capability for lost or stolen devices.
- Backup and disaster recovery: GDPR-aware backup strategies with defined retention periods, immutable backup copies, and documented recovery procedures.
- Security awareness training: Staff training programmes covering phishing recognition, data handling, breach reporting, and individual rights awareness.
- Incident response support: Documented breach response procedures, rapid containment capabilities, and support with ICO notifications when required.
- Data Processing Agreement: A comprehensive DPA covering all Article 28 requirements, provided to every client as standard.
GDPR compliance is not something you achieve once and forget about. Regulations evolve, your business changes, new systems are introduced, and threats develop. Regular reviews, annual training refreshers, periodic audits, and an IT partner who understands the regulatory landscape are essential to maintaining compliance over the long term.
Need Help with GDPR Compliance?
Whether you are starting from scratch or looking to strengthen your existing data protection posture, Cloudswitched can help. Our team works with London businesses every day to build IT infrastructure that supports GDPR compliance — from encrypted cloud environments and access controls to breach response planning and staff training.
Get in touch for a free, no-obligation consultation about your GDPR compliance requirements and how our managed IT services can support your business.
Book a Free Consultation
