
Building a Compliance Roadmap for Your Business — Start Here

guide 9 min read Updated 2026-03-23

A compliance roadmap is the difference between “we’re working on compliance” and “we know exactly what we’re doing and by when.” Without one, compliance work feels endless. With one, it becomes a series of discrete, achievable phases.

This guide walks you through building a roadmap: understanding your scope, assessing your current state, identifying gaps, prioritising by risk and feasibility, and sequencing work over the next 12 months.

Why This Matters

Compliance without a roadmap creates decision fatigue. “Should we focus on cookies or accessibility this week?” “Is this high-priority or can we defer it?” “How long will this really take?” These questions block progress.

A roadmap answers these questions upfront. It shows you the full picture (all applicable regulations, all gaps, all interdependencies), gives you a sequence (which fixes first, which second, which can wait), and creates accountability (you have milestones, not just vague intentions).

Most importantly, a roadmap makes compliance feel finite. You’re not committing to “become perfectly compliant,” which is impossible. You’re committing to a specific set of deliverables across a specific timeline, which is achievable.

Step 1: Define Your Scope

Before you can build a roadmap, you need to know which regulations apply to your business. This is a one-time foundational step.

Answer these questions:

  1. Do you have a website? Yes → UK GDPR, PECR, Equality Act apply
  2. Do you have EU customers? Yes → EAA, potentially EU GDPR, potentially EU AI Act apply
  3. Do you have employees? Yes → Employment Rights Act, UK GDPR (employee data) apply
  4. Do you use AI tools? Yes → EU AI Act (if EU exposure), UK GDPR Article 22, potentially employment law apply
  5. Do you process personal data? Yes → UK GDPR, DUAA apply
  6. Do you provide services to the public? Yes → Equality Act (accessibility) applies

For each “yes,” you now have a regulatory domain in your scope.

Document this. Write down which regulations apply to you. Use the table from Which Regulations Apply to Your Website as your starting template.

Step 2: Assess Your Current State

For each domain in your scope, assess where you stand: Green (mostly compliant), Yellow (partially compliant), or Red (non-compliant or not started).

Quick assessment questions:

GDPR/Data Protection:

  • Do you have a current, complete privacy policy? (Green: yes, Yellow: partial, Red: no or outdated)
  • Does it explain all your data processing? (Green: yes, Yellow: mostly, Red: no)
  • Is it accessible from every page? (Green: yes, Yellow: not all, Red: no)

Cookie Compliance:

  • Do you have a cookie consent mechanism? (Green: working, Yellow: exists but cosmetic, Red: no)
  • Does it block cookies before consent? (Green: yes, Yellow: not all, Red: no)

Website Accessibility:

  • Have you assessed your site for WCAG failures? (Green: yes, remediated, Yellow: yes, gaps remain, Red: no assessment)
  • Do you have critical failures (colour contrast, alt text, keyboard navigation)? (Green: no, Yellow: some, Red: many)

Employment Law:

  • Have you updated your contracts for 2026 changes? (Green: yes, Yellow: in progress, Red: no)
  • Do your managers understand day-one rights? (Green: yes, trained, Yellow: aware, Red: no)

AI Compliance:

  • Do you use AI tools? (Green: assessed and documented, Yellow: using but not assessed, Red: not sure)
  • Have you assessed them against EU AI Act or GDPR Article 22? (Green: yes, Yellow: partially, Red: no)

Cybersecurity:

  • Do you have basic security measures (MFA, encryption, password manager)? (Green: yes, Yellow: partial, Red: no)
  • Do you have incident response procedures? (Green: documented, Yellow: vague, Red: no)

Output: A one-page assessment showing your current state across all domains. This becomes your baseline.

Step 3: Identify Gaps and Prioritise

For each domain where you’re Yellow or Red, identify the specific gaps. Then rank them by three factors:

  1. Enforcement Risk — Which domains are regulators actively pursuing?

    • Highest: GDPR/data security (ICO actively fining), employment law (Fair Work Agency launching April 2026), accessibility (EAA enforcement ramping)
    • Medium: cookie compliance (enforcement likely to increase), AI compliance (deadline August 2026)
    • Lower: cybersecurity (largely voluntary: Cyber Essentials is optional, though increasingly required as a condition of contracts)
  2. Financial Exposure — What’s the maximum penalty if something goes wrong?

    • Highest: Employment law (uncapped for discrimination), GDPR (£17.5M / 4% turnover, but typically triggered by breach), accessibility (Equality Act uncapped)
    • Medium: AI Act (€35M / 7% if high-risk use), PECR (£17.5M / 4% as of DUAA)
    • Lower: Cyber Essentials (voluntary; the financial exposure is lost contracts rather than fines)
  3. Feasibility — How hard is it to fix, and how much resource does it require?

    • Quick win: cookie consent (1–4 weeks), privacy policy update (1–2 weeks), basic accessibility fixes (2–4 weeks)
    • Medium effort: accessibility comprehensive audit (4–12 weeks), employment contracts update (2–4 weeks), cybersecurity baseline (4–8 weeks)
    • Extended project: AI governance (12+ weeks), DSAR infrastructure (4–8 weeks), third-party data processing agreements (ongoing)

Create a prioritisation matrix:

Domain                  Enforcement Risk   Financial Exposure   Feasibility   Priority
Cookie consent          High               High                 Quick win     P1
Privacy policy          High               High                 Quick win     P1
Accessibility basics    High               High                 Quick win     P1
Employment contracts    High               Highest              Medium        P2
Cybersecurity baseline  Medium             Medium               Medium        P2
Accessibility audit     High               High                 Medium        P2
AI governance           Medium             High                 Extended      P3
DSAR process            Medium             Medium               Extended      P3

Output: A ranked list of gaps, prioritised by the combination of risk and feasibility. P1 items are “must do in Phase 1.” P2 items are “Phase 2.” P3 items are “Phase 3.”

Step 4: Sequence Work into Phases

Map priorities to realistic timelines. Assume you have limited time (most SMEs estimate 5–20 hours/month available for compliance work).

Phase 1: Quick Wins (Weeks 1–4) — Target: Achieve “good enough” on three P1 domains

  • Cookie consent: Install consent tool, configure to block trackers, add cookie policy (3 weeks)
  • Privacy policy: Update for DUAA, ensure linked from every page, add data subject rights (1 week)
  • Accessibility basics: Add missing alt text, fix critical colour contrast, fix heading hierarchy (3 weeks)

Total Phase 1 effort: 4–6 weeks; the three streams are parallelisable, so they can run at the same time rather than one after another.

Phase 2: Foundation (Weeks 5–16) — Target: Establish baseline processes in P2 domains

  • Employment contracts: Remove two-year qualifying references, add day-one rights language, update probation clauses (4 weeks, may require legal input)
  • Accessibility audit: Full WCAG assessment, prioritised remediation roadmap (8–12 weeks, can run parallel with employment)
  • Cybersecurity baseline: MFA implementation, password manager setup, encryption for sensitive data (4–6 weeks)

Total Phase 2 effort: 8–12 weeks

Phase 3: Systems (Weeks 17+) — Target: Implement monitoring and cross-domain integration

  • DSAR process: Internal procedures, staff training, documentation (4–6 weeks)
  • Regulatory monitoring: Subscribe to ICO, NCSC, GOV.UK updates (ongoing, 2–4 hours/month)
  • AI governance: If applicable, assess all AI tools in use, document classifications, implement transparency (8–12 weeks)
  • Annual review: Calendar reminders, checklist-driven review (2–3 days annually)

Output: A 12-month roadmap showing which work happens in which phase, with realistic timelines.

Step 5: Assign Ownership and Milestones

For each phase, assign ownership (who’s responsible?) and set milestones (completion dates).

Phase 1 example:

Task                              Owner                                 Start    End      Success Criteria
Cookie consent tool selection     Sarah (Operations)                    Week 1   Week 1   Tool selected, vendor approved
Cookie consent implementation     Developer (external)                  Week 2   Week 3   Consent mechanism live, trackers blocked
Cookie policy writing             Sarah                                 Week 2   Week 3   Policy published, linked from footer
Privacy policy update             Sarah + Legal review (external)       Week 1   Week 4   Updated policy live on website
Accessibility audit (auto tools)  Sarah (or accessibility consultant)   Week 1   Week 1   Scan completed, findings prioritised
Accessibility remediation         Developer                             Week 2   Week 4   Alt text added, contrast fixed, heading hierarchy corrected

Output: A phase-by-phase assignment showing who does what and by when. This becomes your steering document.

Step 6: Set Up Tracking and Review Cadence

Compliance work is easy to defer if you don’t track it. Set up simple tracking:

Monthly check-ins (30 min):

  • Update progress on current phase tasks
  • Identify blockers and resolve them
  • Adjust timeline if needed

Phase completion review (1 hour):

  • Assess whether phase goals were met
  • Document what worked and what didn’t
  • Kick off next phase

Annual compliance review (2–3 hours):

  • Regulatory changes: Did any new regulations apply? Did existing ones change?
  • Business changes: New employees? New products? New customer geographies?
  • Effectiveness: Are your implemented measures still working?
  • Next cycle: What’s the priority for year 2?

Output: A calendar with review dates and owners.

Your 12-Month Roadmap Template

Here’s what a complete roadmap looks like:

COMPLIANCE ROADMAP 2026

SCOPE
- UK GDPR (website, employees, personal data)
- PECR (cookies)
- Equality Act (accessibility)
- Employment Rights Act (2 employees)

CURRENT STATE (March 2026)
- GDPR: Yellow (privacy policy outdated, cookie consent non-functional)
- Cookies: Red (no functioning consent, pre-consent tracking)
- Accessibility: Red (no assessment, visible failures)
- Employment Law: Yellow (contracts don't reflect April 2026 changes)

PHASE 1: QUICK WINS (April–May 2026, weeks 1–4)
Goal: Achieve good-enough on GDPR, cookies, accessibility basics
- Week 1: Select + approve cookie consent tool (Sarah)
- Week 2–3: Implement cookie consent, update privacy policy (Sarah + Developer)
- Week 2–4: Fix critical accessibility failures (Sarah + Developer)
Success: Consent mechanism live, privacy policy current, alt text added

PHASE 2: FOUNDATION (June–August 2026, weeks 5–16)
Goal: Update employment contracts for the April 2026 changes, establish an accessibility baseline, put a cybersecurity baseline in place
- Weeks 5–8: Update employment contracts, manager training (HR + External Legal)
- Weeks 5–12: WCAG audit and remediation roadmap (Accessibility consultant)
- Weeks 9–14: Cybersecurity baseline: MFA, encryption, password manager (Developer)
Success: Contracts updated for April 2026 changes, accessibility audit complete, security measures in place

PHASE 3: SYSTEMS (September onwards, weeks 17+)
Goal: Implement ongoing monitoring and cross-domain integration
- Regulatory monitoring: Subscribe to updates, monthly review (Sarah, 2 hrs/month)
- Annual compliance review: September 2026 (full team, 3 hours)

MILESTONES
- 31 May 2026: Phase 1 complete
- 31 August 2026: Phase 2 complete
- Ongoing: Monthly check-ins, annual review

What to Do Now

Step 1 (this week): Answer the scope questions above. Write down which regulations apply to your business.

Step 2 (this week): Assess your current state in each domain using the Green/Yellow/Red framework.

Step 3 (next week): Create your prioritisation matrix. Identify your P1 (quick wins), P2 (foundation), and P3 (systems) items.

Step 4 (next week): Draft your 12-month roadmap using the template above. Assign ownership. Set milestone dates.

Step 5 (ongoing): Set up monthly check-ins and review cadence. Assign responsibility to track progress.

To stay informed about regulatory changes that might affect your prioritisation, subscribe to our fortnightly newsletter. Bartram Complete can also help — it screens all your domains, identifies specific gaps, and delivers a prioritised roadmap ready to implement.

But you can build a roadmap yourself using the framework above. The key is moving from “we’re thinking about compliance” to “we have a specific plan with owners and dates.” That specificity is what turns good intentions into actual progress.
