Unlock Success: Secrets to Business Transparency

March 20, 2025

You're scaling fast, hitting revenue milestones, and attracting interest from investors and enterprise customers. Everything feels possible.

Then someone asks: "Where's your Companies House confirmation statement? Who are your persons of significant control? Are you GDPR-compliant? What's your Modern Slavery Act due diligence?"

These questions don't come from nowhere. Governance maturity has become a competitive advantage. Investors increasingly use transparency and compliance readiness as a signal of founder calibre. Enterprise customers have procurement teams that check these boxes before signing. Talent—especially remote-first teams—expect clarity on data handling and employment law.

This guide is built for founders and scale-up CEOs in the £1m–£100m revenue range—companies mature enough to have product-market fit but moving fast enough that governance can fall through the cracks. We've mapped the UK regulatory landscape, identified the blind spots that cost founders time and money, and outlined the governance milestones that build investor confidence and customer trust.

Transparency and compliance aren't barriers to growth. They're accelerators. Get ahead of the curve, and you'll move faster when it matters.


Why Governance Matters More Now Than Ever

Transparency isn't a compliance box. It's become a competitive advantage in fundraising, customer acquisition, and talent retention.

Ten years ago, founders could get away with loose governance. Today, three forces have changed the game entirely.

First: institutional investors care more than ever. When a VC fund commits £5m to your Series A, their own limited partners ask questions about your governance maturity. Investors now screen for: confirmed signatory arrangements, proper board structures, GDPR compliance, beneficial ownership clarity, and tax position transparency. A messy cap table or unclear data handling practices can kill a deal in diligence.

Second: enterprise customers demand it. When you sell to FTSE 250 companies or regulated businesses, their procurement teams will run compliance questionnaires. They'll ask for your ISO certifications, your data processing agreements, proof of GDPR compliance, your insurance, and evidence of proper employment law adherence. If you can't answer these questions quickly, you lose deals.

Third: scale-ups are now targets for regulation. The ICO (Information Commissioner's Office) is active. Employment tribunals are increasing. Companies House is stricter about filing accuracy. The Modern Slavery Act applies to you when you hit 250+ employees. Gender pay gap reporting kicks in at 250+ too. The further you scale, the more regulatory eyes are on you.

Helm Member Insight

"We lost a £400k enterprise deal because our GDPR processor agreement wasn't in place. The customer's legal team flagged it in week three of negotiations, and we couldn't fix it fast enough. The deal slipped six months. Get this right early."

A fourth advantage is cultural. Transparent, well-governed companies attract stronger talent, especially at senior level. When you're recruiting a CFO, a Head of People, or a VP of Engineering from a larger company, they expect clear governance. Ambiguity signals instability.

The compounding effect is clear: founders who get governance right move faster through later-stage fundraising, win bigger customer deals, and build teams with lower turnover. That's the competitive advantage of transparency.

73% of VCs now screen for governance maturity in initial diligence
4-8 weeks: Time saved in legal diligence with proactive compliance

The UK Regulatory Landscape: What Applies When

Understanding which rules apply at different company sizes—and when obligations kick in—is the foundation of compliance planning.

The UK regulatory landscape is multi-layered and threshold-based. Most obligations don't hit all at once; they activate at specific revenue or employee count milestones. Understanding these thresholds is critical because they shape your compliance roadmap.

Companies House: The Foundation

Every limited company must file with Companies House. This is non-negotiable. What changes with scale is the depth and frequency of what you file.

Confirmation statements (formerly annual returns) must be filed every 12 months. This is straightforward, but many founders miss the deadline. Late filing triggers a fine (starting at £150 for under 3 months late), and repeated failures can result in strike-off—losing your company status entirely.

Persons of Significant Control (PSC) register: If anyone owns more than 25% of the company, holds more than 25% of voting rights, has the right to appoint/remove directors, or exercises significant influence over policy, they must be registered as a PSC. This is a major compliance blind spot. Many founders don't realize co-founders, angel investors, or preference shareholders need to be registered. Missing this can trigger enforcement action from Companies House.

Accounts filing: If your company is a micro-entity (revenue under £632k, balance sheet under £316k, employees under 10), you can file abbreviated accounts—quick and simple. Once you exceed these thresholds, you file full accounts, including director-approved statements and supporting notes. Above £6.5m in revenue, you may need an audit (unless you meet specific exemptions).

Director disqualification: Directors have legal responsibilities. Breach of duty, wrongful trading, or tax evasion can result in director disqualification. The Insolvency Service actively pursues cases. If you're a director, understand your duties under the Companies Act 2006.

Founder Blind Spot #1: The PSC Register

Many founders don't register themselves or co-founders as PSCs. Then, when they raise investment or prepare for exit, due diligence uncovers the gap. Fix this now: review who controls your company and ensure everyone over 25% is registered. Check your current PSC register on Companies House online—you'll be surprised how many gaps exist.

HMRC: Tax Compliance

Tax is both a legal obligation and a diligence question for investors. HMRC now uses advanced data analytics to identify high-risk companies.

Corporation tax: File a tax return within nine months of your year-end. HMRC cross-checks this against your Companies House filing. If they don't match, expect inquiries. Keep documentation for 6 years.

VAT registration: Register for VAT once your revenue exceeds £85k (2024-25 threshold). Below that, registration is optional. Many founders wait until forced to register. Strategic registrations can work in your favour if you have high input VAT (e.g., SaaS companies buying cloud services).

PAYE and National Insurance: Once you employ staff, register for PAYE. Errors here are expensive: penalties, interest, and reputational damage if employees aren't paid correctly. Use payroll software (Xero, QuickBooks, Guidepoint) to automate this.

Statutory Sick Pay and Pension Auto-Enrolment: When you have employees, you must provide statutory sick pay (after 3 days). Once your payroll reaches £3m, you must auto-enrol employees into a workplace pension. Many founders miss the auto-enrolment deadline, resulting in significant back-contributions.

ICO and GDPR: Data Protection

The ICO actively pursues companies that mishandle personal data. For B2B SaaS especially, GDPR compliance is now a customer requirement, not optional.

Data Protection Officer (DPO): If you process personal data as a processor (handling customer data on their behalf), you should appoint a DPO—internal or external. If you don't have one, appoint someone to manage data handling at least.

Data Processing Agreements: If you're a processor, you must have written agreements with your customers (data controllers). This was the blind spot that cost the Helm member £400k. Get your standard agreement drafted, then scale it. Costs £1-3k but saves months in negotiations.

Lawful basis for processing: You must identify the lawful basis for every type of data you process: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. Document this in your privacy policy.

Data breach notification: If you suffer a personal data breach, you have 72 hours to notify the ICO. Have an incident response plan ready. The cost of being unprepared is severe—both in fines and reputation.

Subject access requests (SARs): When a customer or user asks for their data, you have 30 days to provide it. Have a process and audit trail ready.

GDPR Practical Fix

Get a standard Data Processing Agreement (DPA) drafted by a lawyer or use a template from firms like Cooley. This costs £1-3k and becomes your standard contract term. Customers will ask for it; having it ready means deals close faster.

Modern Slavery Act: Supply Chain Transparency

Once you hit 250+ employees, you must publish an annual Modern Slavery Statement. This applies to any organization with a global turnover of £36m+. The statement describes your policies on modern slavery and human trafficking.

Below this threshold, the Act doesn't legally apply, but large customers may ask about it anyway. Build the habit early: audit your supply chain, document your policies, and be ready to answer.

Gender Pay Gap Reporting

At 250+ employees, you must publish annual gender pay gap data: mean and median hourly pay gaps, bonus pay gaps, and proportions of men and women in pay quartiles. The deadline is April 5 each year.

This is an absolute requirement above the threshold. Plan for it. Many companies discover gender pay gaps during the audit process and have to explain them publicly.

Employment Law

Employment law changes frequently. Key thresholds:

  • Right to request flexible working: Available to all employees after 26 weeks of service. Have a process in place.
  • Parental leave: Employees are entitled to up to 18 weeks of unpaid parental leave. Statutory maternity pay (39 weeks at 90% salary) is mandatory.
  • Notice periods: Below 2 years' service, there is no statutory notice period (but you may have contractual obligations). After 2 years, the statutory minimum is one week per year of service, up to 12 weeks.
  • Dismissal: You can't unfairly dismiss. Above 2 years' service, unfair dismissal claims can cost £20k-50k+ in tribunal awards. Have clear performance management and documentation.
  • Redundancy pay: Employees with 2+ years' service are entitled to statutory redundancy pay: 0.5 weeks per year for ages 22-40, 1 week per year for ages 41+.

Scale-ups often underestimate employment law risk. Hire an employment lawyer early. Cost: £500-1500 for contract templates and core policies. Benefit: avoiding a tribunal claim that costs 10x more.


Compliance Obligations: When They Kick In

A quick reference guide to UK regulatory obligations at different company stages.

| Regulation | Revenue Threshold | Employee Threshold | What It Requires | Cost to Implement |
|---|---|---|---|---|
| Companies House (All) | £0 (applies to all limited companies) | | Confirmation statements (annual), accounts filing, PSC register | £100-400/year (if using an accountant) |
| Corporation Tax (All) | £0 (applies to all limited companies) | | Tax return filing, payment on profits | £800-2000/year (if using an accountant) |
| VAT Registration | £85k (April 2024-25) | | VAT returns (quarterly), accounting, compliance | £1500-3000/year + software |
| PAYE & National Insurance | | 1+ employees | Payroll setup, RTI submissions, statutory sick pay | £50-200/month (payroll software) + admin |
| Pension Auto-Enrolment | £3m payroll | 1+ employees | Set up workplace pension, auto-enrol, ongoing admin | £2000-5000 setup + £500/year admin |
| GDPR Compliance | £0 (if processing any personal data) | | Privacy policy, DPA, data processing audit, consent management | £2000-5000 (lawyer) + ongoing |
| Data Processing Agreement | £0 (if B2B or processor) | | Standard DPA template, customer execution, compliance audit | £1500-3000 (lawyer) |
| Modern Slavery Act | £36m (global turnover) | 250+ | Annual Modern Slavery Statement, supply chain audit | £2000-5000/year |
| Gender Pay Gap Reporting | £0 (if 250+ employees) | 250+ | Annual gender pay gap analysis and publication | £3000-8000/year |
| Employment Law (Contracts, Handbooks) | | 1+ employees | Employment contracts, staff handbook, grievance procedures | £1500-3000 (lawyer) |
| Directors & Officers Insurance | £0 (recommended at any size) | | Coverage for director liability, employment practices | £2000-8000/year |

Costs are indicative (2024-25 UK rates) and vary by firm size, jurisdiction, and complexity. Larger companies often need additional specialized compliance (export control, financial conduct, etc.).


Five Founder Blind Spots (And How to Fix Them)

Common governance mistakes that surface during fundraising, customer deals, or regulatory inquiries. Fix these before they cost you.

Blind Spot #1: The Persons of Significant Control (PSC) Register

Many founders don't realize that owning 25%+ of the company triggers PSC registration. This applies to you, your co-founders, your early investors, and any preference shareholders with voting rights. Miss this, and Companies House can pursue enforcement action. During due diligence, investors always spot this gap.

Fix: Log into Companies House WebFiling right now and check your current PSC register. If it's blank or incomplete, update it immediately (online, free, takes 15 minutes). Use their Guidance on PSC determination if you're unsure who qualifies.

Blind Spot #2: Loose Director Duties Documentation

Directors have legal duties under the Companies Act 2006: to act in good faith, avoid conflicts of interest, not accept benefits from third parties, declare conflicts of interest, and avoid wrongful trading. Many scale-up founders don't document these decisions formally—no board minutes, no declarations.

During fundraising due diligence, missing documentation looks like bad governance. Worse, if anything goes wrong (a failed investment, a failed acquisition, litigation), you lack the paper trail to prove directors acted properly.

Fix: Start taking board minutes now. For every significant decision (major investment, hiring, expenditure over X, customer loss, pivot), document: who was present, what was discussed, what was decided, and any conflicts of interest. Use a simple template. Cost: zero. Benefit: massive in a dispute.

Blind Spot #3: GDPR Data Processing Agreements

If you're a B2B SaaS company (or any processor of customer data), you must have a Data Processing Agreement with your customers. Many founders skip this, thinking "we'll do it when they ask." The problem: enterprise customers expect it as a contract standard. When they ask in week 3 of a £400k deal and you don't have it, the deal slips six months or dies.

Fix: Get a standard DPA drafted. Work with a lawyer to create a template that covers data categories, security measures, sub-processors, and data subject rights. Cost: £1500-3000 upfront. Use it as standard contract language going forward. Updated annually, it's a maintenance task, not a crisis.

Blind Spot #4: Confirming Signatory Arrangements

Many founders don't document who can sign contracts, authorize spending, or commit the company. This becomes critical when you scale. If you hit £10m+ in ARR and suddenly a rogue team member signs a £5m contract, what's your recourse? Investors will ask: "How do you prevent this?"

Fix: Document signatory authority clearly. Who can approve spending under £50k? Under £500k? Who signs contracts? Who opens bank accounts? Get board approval for these limits and update them as you scale. Store documentation with your company secretary or in your governance folder.

Blind Spot #5: VAT and Tax Position Clarity

Many founders are unclear on their VAT status or have made assumptions about tax treatment that don't hold. This surfaces during investor diligence when the accountant asks, "Are you registered for VAT? If not, why not?" If your answer is "I don't know," it signals sloppy financial governance.

Fix: Get clarity from your accountant. Are you VAT-registered? Should you be? What's the tax treatment of your revenue? Have you registered for PAYE correctly? Don't assume; confirm with a chartered accountant. Cost: £200-500 for a review. Benefit: you'll know your tax position and can answer investor questions with confidence.

"We lost six weeks of due diligence because our GDPR agreements were missing. The customer's legal team flagged it. We scrambled to get a DPA drafted, but by then the deal was jeopardized. The lesson: governance is velocity. Get the basics right now, and you'll move faster later."
Rashida Khan
Founder & CEO, Scale-Up SaaS (£8m ARR)

The Competitive Advantage: Why Transparency Wins

Governance isn't a cost centre. It's a growth lever that accelerates fundraising, customer acquisition, and team retention.

Investor Perspective: Governance as a Signal of Founder Calibre

VCs now use governance maturity as an early-stage screening signal. It's not the main investment thesis, but it shapes how they evaluate founder competence. A founder who understands PSC registration, has a documented cap table, and can speak clearly about GDPR compliance signals: "This founder sweats the details. They understand what mature companies need."

Conversely, a founder who can't answer basic questions about director duties or who has a messy cap table signals: "This founder is building a lifestyle business, not a venture-scale company."

During Series A due diligence, you'll spend 8-12 weeks in legal diligence. A well-governed founder moves through this phase in 6-8 weeks. That's two extra weeks to close the round or move on to the next investor. Compounded across your funding journey, proper governance saves months.

Customer Perspective: Compliance as a Close Condition

B2B SaaS companies selling to regulated industries (financial services, healthcare, insurance, legal) or to large enterprises will face procurement questionnaires. Standard questions include:

  • Do you have ISO 27001 certification?
  • Can you provide a Data Processing Agreement?
  • Do you have directors & officers insurance?
  • What's your GDPR compliance framework?
  • Can you confirm your security controls?

A founder who says "Yes, we have all of this" moves a deal forward. A founder who says "We'll get that to you next month" either loses the deal or adds 3-6 months to the sales cycle. Over a year, losing three deals worth £200k+ each due to compliance gaps is a £600k revenue miss.

Talent Perspective: Trust and Institutional Credibility

When you're recruiting a CFO, a VP of People, or a General Counsel from a larger company, they expect governance clarity. They want to see:

  • Clear cap table and equity documentation
  • Documented board meetings and decisions
  • Proper contract templates and employment agreements
  • Financial controls and audit readiness

A candidate from a £200m+ company will walk if governance is chaotic. You lose top talent due to institutional credibility gaps. That CFO you wanted? They took a COO role at a better-governed competitor.

The Compounding Effect

The founders who move fastest through growth typically:

  • Raise capital in fewer months (due to cleaner diligence)
  • Close larger customer deals (compliance questionnaire ready to go)
  • Retain senior talent (institutional credibility)
  • Navigate exits more smoothly (buyers love clean governance)

These advantages compound. A founder who saves four weeks in Series A diligence can move faster in the market. A founder who closes customers faster hits revenue targets earlier. A founder with better retention avoids costly hiring and ramp cycles.

Over a three-year period, proper governance can mean the difference between a £50m and £100m+ exit.


Building a Compliance-Ready Scale-Up: Your 12-Month Roadmap

A practical step-by-step guide to establishing governance foundation, from today through your next major milestone.

Governance doesn't happen overnight. The key is systematic progress. Here's a roadmap broken into quarters, designed for founders at any stage of scale.

1. Month 1: Governance Audit (The Baseline)

Start with an honest assessment. Get your current cap table, list all outstanding shares/options/convertibles, check your PSC register, review your last Companies House filing. Are your director declarations up to date? Do you have written director authorities? Spend one day on this. Cost: zero. Output: a one-page gap analysis.

2. Month 2: Fix the Basics (Highest Impact, Lowest Friction)

Update PSC Register: Log into Companies House and ensure all 25%+ shareholders are registered. (15 minutes, free).

Document Director Authorities: Create a simple board resolution setting out who can sign contracts under £50k, £500k, etc. Store in a governance folder. (1 hour, zero cost).

Get a Tax Clarity Review: Schedule a 30-minute call with your accountant. Confirm VAT status, PAYE setup, and tax position. (£200-400).

Total cost: under £500. Total time: 3-4 hours. Total impact: you've eliminated three major diligence questions investors will ask.

3. Month 3: Legal Foundations (Mid-Priority, Medium Cost)

Employment Contracts & Handbook: If you don't have template employment contracts, hire an employment lawyer to draft them. Include modern provisions: flexible working, parental leave, remote work policy. Cost: £1500-2500. Output: a repeatable template you use for every new hire.

Board Minutes Process: Set up a simple process. Every month, or when decisions are made, document: attendees, decisions, any conflicts, and outcomes. Use a template. Assign someone (COO, company secretary, or founder) to own this.

4. Months 4-6: Customer-Facing Compliance (Revenue-Protecting)

Data Processing Agreement (DPA): If you're a B2B company or process customer data, get a standard DPA drafted. Work with a lawyer or use a template service (Legaltemplates, Ironclad). Cost: £1500-3000. Output: a living document you use as contract standard going forward.

GDPR Audit: Document what personal data you collect, where it's stored, who has access, and the lawful basis for processing. Create a simple register. No fancy tool needed; a spreadsheet works. Cost: £1500-3000 if you hire a consultant, or free if you do it with your team and a lawyer's guidance.

Privacy Policy: If you don't have a clear privacy policy, get one drafted. Cost: £500-1000.

5. Months 7-9: Insurance & Risk Management

Directors & Officers Liability Insurance: Once you're raising capital or have significant revenue, get D&O insurance. This covers personal liability if a director is sued for breach of duty, employment practices issues, or financial losses. Cost: £2000-5000/year. It's non-negotiable if you have a board.

Professional Indemnity Insurance: If you're a services business, add this. Covers claims by customers for negligence or breach of contract.

Cyber Insurance: If you process personal data or hold customer data, consider cyber insurance covering data breaches, business interruption, and crisis management. Cost: £1500-3000/year.

6. Months 10-12: Scaled Compliance & Governance Maturity

Pension Auto-Enrolment Audit: If your payroll is approaching £3m or you have significant employees, conduct a pension auto-enrolment readiness check. Cost: £500-1500.

Gender Pay Gap Assessment: If you're at 100+ employees, start collecting gender pay data. You don't need to publish until 250+, but start now so you understand your position and can address gaps proactively.

Supply Chain Audit: Document your key suppliers. Where are they based? Do they have any red flags (forced labour, environmental issues)? This is the groundwork for Modern Slavery Act compliance at 250+ employees.

Governance Checklist for Growth: Create a master checklist: PSC register, confirmation statements, tax filings, GDPR compliance, employment law, insurance. Assign ownership and set calendar reminders. This is your governance backbone going forward.

Toolkit & Resources

Companies House: companieshouse.gov.uk — free PSC register checks, confirmation statements, accounts filing.

ICO (Information Commissioner's Office): ico.org.uk — GDPR guidance, data processing agreements, breach notification process.

ACAS (Advisory, Conciliation and Arbitration Service): acas.org.uk — employment law guidance, templates for dismissal, redundancy, flexible working.

Lawyers: Hire specialists for contract templates (£1500-3000), GDPR (£2000-5000), and employment law (£1500-3000). Budget £5000-10000 for your first legal foundation year.


What Helm Founders Are Actually Doing: Real-World Governance

Insights from scale-up CEOs on governance challenges, timelines, and lessons learned.

How Helm Members Prioritize Compliance

We spoke with 15 Helm Club members across the £2m–£50m revenue range. Here's what's actually happening on the ground:

Timing: Most founders don't hire a proper finance person or governance lead until £5m+ in ARR. Before that, it's ad-hoc. The challenge: by the time you hire that person, you have six months of loose processes to clean up.

GDPR: B2B SaaS founders uniformly cited GDPR as the biggest friction point in customer deals. Those who had a standard DPA closed deals faster. Those who scrambled to build it mid-sales-cycle lost momentum.

Capital efficiency: One founder, who is now at £15m ARR, said: "I spent two weeks and £2000 getting my PSC register, director authorities, and board minutes process right. During Series A diligence, that saved us four weeks of back-and-forth. The lawyers could verify everything on day one."

Employment law: Multiple founders cited employment law knowledge gaps as a blind spot. One founder went through redundancy with no plan in place—cost £15k in legal fees and HR consulting. A founder who'd documented escalation and performance management processes moved through a similar scenario for £3k.

"The difference between us and founders who struggle is that we treat governance like a product roadmap. We have quarterly milestones: PSC register, contracts, GDPR, D&O insurance. Boring stuff. But when our Series A started, we were done. No surprises. No delays."
— Founder, Helm Club Member (£12m ARR)

Common Mistakes Helm Founders Have Made

Mistake #1: Assuming "we'll sort governance when we raise." Reality: investors will slow-walk your deal if governance is a mess. Better to fix it before you pitch.

Mistake #2: Hiring a generalist accountant who doesn't understand scale-up compliance. Better: hire a specialist in your vertical or an outsourced CFO/bookkeeper team with scale-up experience.

Mistake #3: Not documenting decisions. Board meetings, director authorities, share issuance decisions—all get sloppy. Then during exit due diligence, you can't prove who decided what. Cost: renegotiation or deal loss.

Mistake #4: Treating compliance as a one-time project. Reality: it's ongoing. Quarterly confirmations, annual updates, regulatory changes. Assign someone to own it. Budget for it.

The Pattern: Founders Who Move Fastest

The founders in the Helm community who raise capital fastest and close larger customer deals have three things in common:

  • Clarity: They know their cap table, their tax position, their compliance obligations. When asked, they answer in 30 seconds, not "let me check with my accountant."
  • Documentation: They document decisions, keep board minutes, and maintain a governance checklist. When diligence starts, they have 80% of what's needed already compiled.
  • Delegation: They assign governance ownership to someone (CFO, COO, company secretary) and hold them accountable. It doesn't live in the founder's head.

These aren't genius founders. They're disciplined founders. And discipline scales.


Key Takeaways: What You Need to Act On

  • Transparency and compliance are competitive advantages. They accelerate capital raises, customer deals, and team recruitment.
  • UK regulations apply at specific revenue and employee thresholds. Know which rules apply to you now.
  • Five founder blind spots surface during diligence: PSC register, director duties, GDPR DPA, signatory authorities, and tax clarity. Fix these in your first quarter.
  • A compliance-ready scale-up saves 4-8 weeks in legal diligence and closes bigger customer deals faster.
  • Start with the basics: update your PSC register, document director authorities, and clarify your tax position. Total cost: under £500. Total time: 4 hours.
  • Invest in legal foundations early: employment contracts, GDPR DPA, board minutes process. Total cost: £5000-8000. Benefit: eliminates 90% of diligence friction.
  • Assign governance ownership. Don't let it live in your head. Hire a CFO, COO, or company secretary to own the checklist.
  • Governance is ongoing, not one-time. Budget for annual updates, regulatory changes, and scaling requirements as you grow.

Ready to Build a Compliance-Ready Scale-Up?

Get a personalized governance roadmap for your company. Helm Club members get access to specialist lawyers, accountants, and governance templates built for scale-ups in your revenue range.
