GDPR Compliance for Small Businesses
A practical guide to UK GDPR for small businesses, covering what you need to do to handle personal data lawfully and avoid ICO enforcement.
The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, governs how businesses collect, store, use and share personal data. Every UK business that handles personal data – which includes virtually every business – must comply.
Small businesses are not exempt. The rules apply equally whether you have 2 employees or 2,000. The difference is that your compliance measures can be proportionate to the volume and sensitivity of the data you process.
What counts as personal data
Personal data is any information that can identify a living individual, directly or indirectly. This includes:
- Name, address, email address, phone number
- IP addresses and online identifiers
- Employee records (payroll data, performance reviews, health information)
- Customer records (invoices, order history, payment details)
- CCTV footage
- Location data
Special category data requires additional protections and includes health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation.
The seven principles
UK GDPR is built on seven principles that you must follow:
| Principle | What it means |
|---|---|
| Lawfulness, fairness and transparency | You must have a legal basis for processing data and be open about how you use it |
| Purpose limitation | Collect data only for specified, explicit and legitimate purposes |
| Data minimisation | Only collect the data you actually need |
| Accuracy | Keep data accurate and up to date |
| Storage limitation | Do not keep data longer than necessary |
| Integrity and confidentiality | Keep data secure against unauthorised access, loss or destruction |
| Accountability | You must demonstrate compliance – it is not enough to simply be compliant |
Lawful bases for processing
You need at least one lawful basis to process personal data. The six lawful bases are:
Consent
The individual has given clear, specific, informed and unambiguous consent. Consent must be freely given – you cannot make a service conditional on consenting to data processing that is not necessary for that service.
Pre-ticked boxes do not count as consent. Silence or inactivity does not count. You must be able to prove that consent was given.
Contract
Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. For example, processing a customer’s delivery address to fulfil an order.
Legal obligation
Processing is necessary to comply with a legal requirement. For example, keeping payroll records for HMRC, or retaining accounting records under the Companies Act.
Vital interests
Processing is necessary to protect someone’s life. This is rarely relevant for typical business activities.
Public task
Processing is necessary for performing a task in the public interest or for official functions. Mainly relevant to public authorities.
Legitimate interests
Processing is necessary for your legitimate interests (or those of a third party), provided those interests are not overridden by the individual’s rights. This is the most flexible basis but requires a Legitimate Interests Assessment (LIA) to document your reasoning.
For most small businesses, the most commonly used bases are contract, legal obligation and legitimate interests.
What you need to do
Privacy notice
You must provide individuals with a privacy notice explaining:
- Who you are (your identity and contact details)
- What data you collect
- Why you collect it (the lawful basis)
- Who you share it with
- How long you keep it
- The individual’s rights
- How to complain to the ICO
This should be on your website, in your terms of engagement and provided to employees as part of their onboarding.
Records of processing activities (ROPA)
If you have 250 or more employees, or if your processing is not occasional, you must maintain a Record of Processing Activities. In practice, the ICO recommends that all organisations maintain one, regardless of size.
A ROPA records:
| Element | Example |
|---|---|
| Purpose of processing | Customer order fulfilment |
| Categories of data subjects | Customers |
| Categories of personal data | Name, address, email, order history |
| Recipients | Delivery company, payment processor |
| Retention period | 6 years (legal obligation) |
| Security measures | Encrypted storage, access controls |
Data protection impact assessments (DPIA)
You must carry out a DPIA before processing that is likely to result in a high risk to individuals. This includes:
- Large-scale processing of special category data
- Systematic monitoring of publicly accessible areas (CCTV)
- Automated decision-making with significant effects
Most small businesses will not need to conduct DPIAs regularly, but you should assess whether your processing activities trigger the requirement.
Data subject rights
Individuals have the following rights under UK GDPR:
- Right to be informed – your privacy notice covers this
- Right of access (subject access request) – individuals can request a copy of their data; you must respond within one month
- Right to rectification – correct inaccurate data
- Right to erasure (“right to be forgotten”) – delete data when it is no longer needed, though this does not override legal retention requirements
- Right to restrict processing – limit what you do with data in certain circumstances
- Right to data portability – provide data in a structured, machine-readable format
- Right to object – individuals can object to processing based on legitimate interests or direct marketing
- Rights related to automated decision-making – individuals can request human review of automated decisions
Data breaches
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Notification requirements
| Situation | Requirement | Deadline |
|---|---|---|
| Breach likely to result in a risk to individuals | Notify the ICO | Within 72 hours of becoming aware |
| Breach likely to result in a high risk to individuals | Notify affected individuals | Without undue delay |
| Breach unlikely to result in risk | Document internally (no notification required) | N/A |
You must keep a breach register recording all breaches, regardless of whether they are reported to the ICO. The register should include the facts, effects and remedial action taken.
International transfers
If you transfer personal data outside the UK, you need to ensure adequate protections are in place. The UK maintains its own adequacy decisions (countries whose data protection laws are deemed adequate by the UK government). For transfers to non-adequate countries, you must use approved safeguards such as:
- Standard contractual clauses (UK International Data Transfer Agreement)
- Binding corporate rules
- Specific derogations for occasional transfers
Penalties
The ICO can impose significant fines for GDPR breaches:
| Tier | Maximum fine | Applies to |
|---|---|---|
| Standard | £8.7 million or 2% of global turnover | Administrative and procedural breaches |
| Higher | £17.5 million or 4% of global turnover | Breaches of core principles, data subject rights, international transfers |
In practice, fines for small businesses are proportionate to the size and nature of the breach. The ICO has other enforcement powers including warnings, reprimands, enforcement notices and audit powers.
Practical steps for small businesses
- Audit your data – understand what personal data you hold, where it is stored and who has access
- Write a privacy notice and make it accessible on your website
- Identify your lawful bases for each type of processing
- Review your contracts with data processors (cloud services, email marketing platforms, accounting software)
- Implement basic security measures – strong passwords, encryption, access controls, regular backups
- Train your staff – everyone who handles personal data should understand the basics
- Set retention schedules – do not keep data longer than necessary
- Have a breach response plan – know what to do and who to notify if something goes wrong
- Respond to data subject requests promptly – you have one month
GDPR compliance is not a one-off project. It requires ongoing attention as your business grows, your data processing activities change and the regulatory landscape evolves.