Data & Privacy Compliance

GDPR for Small Business: What You Actually Need to Do

UK GDPR compliance for small businesses stripped back to the six practical actions you actually need to take - from ICO registration to data breach response.

By Ian Harford. Updated 17 May 2026. 9 min read.

This is not legal advice

This article is for general information only. It is not legal, financial, or tax advice. Consult a qualified professional before making decisions for your business.

UK GDPR has a reputation for being complicated. Most of the guides written about it do not help - they read like legal textbooks and leave you no clearer on what you actually need to do. If you run a small business, hold customer contact details, and send a newsletter, your compliance obligations are probably more straightforward than you think. This guide from Business Growth Engine covers the six things you need to get right, in plain language, with specific actions you can take this week.

UK GDPR - not EU GDPR

Since Brexit, UK businesses operate under UK GDPR - the domestic version of the regulation retained and adapted by UK law. It shares the same core architecture as the EU version but is technically and increasingly practically distinct. Following the Data (Use and Access) Act 2025 (in force from 5 February 2026), UK GDPR has diverged further from EU GDPR in areas including automated decision-making, international data transfers, cookie consent, and enforcement penalties. The ICO (Information Commissioner's Office) is the UK's data protection regulator, not an EU body. This article covers the UK regime throughout.

What UK GDPR Actually Requires Small Businesses to Do

UK GDPR applies to any organisation that collects or processes personal data about individuals. For a small business, that means customer names and email addresses, enquiry forms, newsletter lists, and purchase histories all count.

The regulation does not require you to hire a data protection officer or build a compliance department. What it does require is that you handle personal data lawfully, transparently, and securely. In practice, for most small businesses, that comes down to six specific obligations.

  1. Register with the ICO and pay the data protection fee, if required

  2. Have a clear, accurate privacy policy

  3. Obtain valid consent before sending marketing emails

  4. Respond correctly to subject access requests

  5. Keep personal data secure

  6. Know what to do if you have a data breach

Each of these is covered in the sections below. If you can tick all six, you are in a reasonable compliance position for a small business at your stage.

Do You Need to Register With the ICO? How to Check

Most small businesses that process personal data are required to pay an annual data protection fee to the ICO. This is separate from simply being aware of GDPR - it is a registration requirement with a fee attached, and failing to pay it is a civil offence.

The fee is tiered based on your organisation's size and turnover. For most small businesses, the fee is currently £52 per year at Tier 1. Larger businesses pay more. A small number of organisations are exempt - including sole traders who only process data for their own personal household purposes, or businesses that process data solely for staff administration with no other use.

Check your status in two minutes

The ICO has a self-assessment tool at ico.org.uk that tells you whether you need to register and what fee applies. If you hold any customer data and use it for marketing or communications, you almost certainly need to register.

If you are already registered, check your renewal date. ICO registration expires annually and you will receive a reminder, but it is easy to miss. A lapsed registration is a compliance gap worth closing quickly.

Your Privacy Policy: What It Must Cover and Where to Put It

A privacy policy is not optional if you collect personal data from customers or website visitors. Under UK GDPR, you have a legal obligation to tell people what data you collect, why you collect it, how long you keep it, and who you share it with.

Your privacy policy does not need to be 20 pages long. For a small business with straightforward data use, a clear one-page policy is entirely sufficient. What matters is that it is accurate, readable, and easy to find.

What your privacy policy must cover

  • Who you are and how to contact you

  • What personal data you collect (names, emails, purchase history, etc.)

  • Why you collect it and what legal basis you rely on (consent, legitimate interests, contract)

  • How long you keep data before deleting it

  • Whether you share data with third parties (email platforms, payment processors, accountants)

  • How individuals can access, correct, or request deletion of their data

  • Their right to complain to the ICO

Where to put it: link to your privacy policy in your website footer, in your email signup forms, and in any checkout flow where you collect customer data. It needs to be accessible before someone gives you their information - not buried in a subfolder no one will find.

Consent for Marketing Emails: The Rule Most Small Businesses Get Wrong

This is the area where most small businesses have an accidental compliance problem. Sending marketing emails to people who have not explicitly opted in is not just bad practice - it is a breach of UK GDPR and the Privacy and Electronic Communications Regulations (PECR), which govern direct marketing. Note that the Data (Use and Access) Act 2025, in force from 5 February 2026, significantly amended PECR, including raising the maximum fine for breaches from £500,000 to £17.5 million or 4% of global annual turnover.

Valid consent for marketing emails must be freely given, specific, informed, and unambiguous. That means a pre-ticked checkbox does not count. Burying consent in your terms and conditions does not count. Assuming that someone who bought from you once is happy to receive your newsletter does not count.

The soft opt-in exception

There is one limited exception worth knowing. If someone has purchased a similar product or service from you and you give them a clear opportunity to opt out at the time, you may be able to email them about similar products under the 'soft opt-in' rule. This does not apply to new prospects or contacts who have never purchased from you.

The practical action here is to audit your email list. If you cannot trace where each subscriber came from and confirm they actively opted in, you have a problem worth addressing. Most email marketing platforms (Mailchimp, Klaviyo, and others) let you segment by signup source, which makes this easier to check.

Going forward, every signup form should include an explicit, unticked opt-in checkbox with clear wording - something like: "I agree to receive marketing emails from [Business Name]. You can unsubscribe at any time." Simple, specific, and compliant.
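The two actions above (an unticked opt-in box whose state is checked server-side, and an audit of an existing list by signup source and lawful basis) can be put together as a small consent register. The following is an added example, not code from the article or from any email platform; the business name, field names and subscriber records are constructed, and the soft opt-in check is deliberately reduced to the two conditions the article names (a previous purchase of a similar product and an opt-out offered at the point of collection).

```python
"""Marketing consent capture and mailing-list audit (UK GDPR / PECR).

Added example, not from the article. All subscriber data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed business name; the wording mirrors the article's suggested checkbox text.
CONSENT_WORDING = ("I agree to receive marketing emails from Example Ltd. "
                   "You can unsubscribe at any time.")


@dataclass
class Subscriber:
    email: str
    source: str                          # e.g. "website_form", "checkout", "imported"
    consent_given: bool = False
    consent_wording: Optional[str] = None  # exact text shown when consent was given
    consent_at: Optional[datetime] = None
    purchased_similar: bool = False      # soft opt-in condition 1
    offered_opt_out_at_collection: bool = False  # soft opt-in condition 2


def record_signup(form: dict, source: str, now: Optional[datetime] = None) -> Subscriber:
    """Create a subscriber from a submitted form.

    A browser sends nothing for an unticked checkbox, so a missing field means
    no consent. The record is created without marketing consent rather than
    defaulting to opted-in, and the wording and time are stored for the audit trail.
    """
    now = now or datetime.now(timezone.utc)
    sub = Subscriber(email=form["email"].strip().lower(), source=source)
    if form.get("marketing_opt_in") == "on":
        sub.consent_given = True
        sub.consent_wording = CONSENT_WORDING
        sub.consent_at = now
    return sub


def may_email(sub: Subscriber) -> tuple:
    """Return (allowed, basis): explicit consent, the soft opt-in, or nothing."""
    if sub.consent_given and sub.consent_at is not None:
        return True, "consent"
    if sub.purchased_similar and sub.offered_opt_out_at_collection:
        return True, "soft_opt_in"
    return False, "no_lawful_basis"


def audit_list(subs: list) -> dict:
    """Group addresses by the basis on which they may (or may not) be emailed.

    Anyone under "no_lawful_basis" should be removed from marketing sends or
    re-permissioned; they cannot simply stay on the list.
    """
    report = {"consent": [], "soft_opt_in": [], "no_lawful_basis": []}
    for s in subs:
        _, basis = may_email(s)
        report[basis].append(s.email)
    return report


def sample_list() -> list:
    """Constructed list mixing a form signup, a non-consenting signup,
    a soft opt-in customer and an imported contact with no traceable consent."""
    fixed = datetime(2026, 5, 17, tzinfo=timezone.utc)
    return [
        record_signup({"email": "A@Example.com", "marketing_opt_in": "on"}, "website_form", fixed),
        record_signup({"email": "b@example.com"}, "website_form", fixed),
        Subscriber("c@example.com", "checkout", purchased_similar=True,
                   offered_opt_out_at_collection=True),
        Subscriber("d@example.com", "imported", purchased_similar=True),
    ]


if __name__ == "__main__":
    for basis, emails in audit_list(sample_list()).items():
        print(f"{basis}: {emails}")
```

The imported contact is the case the article warns about: a past purchase alone is not enough, so without a recorded opt-out offer at collection the address lands in the "no lawful basis" bucket.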

Handling a Subject Access Request: What to Do if a Customer Asks

Under UK GDPR, any individual has the right to ask you what personal data you hold about them. This is called a Subject Access Request (SAR). When someone submits one, you are legally required to respond within one calendar month. Note that, under the Data (Use and Access) Act 2025 (in force from 5 February 2026), the clock can be paused while you verify the requester's identity or seek reasonable clarification about the scope of the request.

For a small business, a SAR is unlikely to be common - but it does happen, and being unprepared is where businesses run into trouble. The response does not need to be elaborate. You simply need to provide the individual with a copy of all personal data you hold about them, explain what you use it for, and confirm who you have shared it with.

Illustrative example - based on a common UK founder scenario, not a specific documented case

A sole trader running a small e-commerce business receives an email from a former customer asking to see what data is held about them. The owner searches their Shopify order history, email platform, and accounting software, pulls together the relevant records - name, email, order history, and delivery address - and replies within the month with a clear summary. No specialist software required.

You cannot charge a fee for responding to a SAR in most cases, and you cannot ignore it. If a request is clearly unfounded or excessive, you may be able to refuse or charge a reasonable fee, but this is a narrow exception - do not use it as a default.
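The SAR workflow described in this section (work out the one-calendar-month deadline, allow for a pause while identity is verified, then pull every record held about the person from each system) can be scripted. This is an added example, not the article's or any vendor's code: the three tables are constructed stand-ins for an order history, an email platform export and accounting records, and the deadline arithmetic is a simplification (the corresponding date next month, or the month's last day if there is none, plus the number of paused days); check the ICO's current guidance for the exact rule before relying on it.

```python
"""Subject access request (SAR): deadline calculation and record collection.

Added example, not from the article. Data sources are constructed samples.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_calendar_month(d: date) -> date:
    """Same day next month, or the last day of that month if the day does not exist."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class SubjectAccessRequest:
    requester_email: str
    received: date
    # (start, end) periods while the clock is paused, e.g. awaiting ID verification.
    pauses: list = field(default_factory=list)

    def deadline(self) -> date:
        """One calendar month from receipt, pushed back by any paused days (simplified)."""
        due = add_calendar_month(self.received)
        paused_days = sum((end - start).days for start, end in self.pauses)
        return due + timedelta(days=paused_days)


# Constructed exports standing in for three separate tools.
ORDERS = [
    {"order_id": "1001", "email": "jo@example.com", "name": "Jo Bloggs",
     "delivery_address": "1 High St, Anytown", "total": "24.99"},
    {"order_id": "1002", "email": "sam@example.com", "name": "Sam Smith",
     "delivery_address": "2 Low Rd, Othertown", "total": "9.50"},
]
NEWSLETTER = [
    {"email": "jo@example.com", "status": "subscribed", "source": "website_form"},
]
ACCOUNTS = [
    {"invoice": "INV-7", "customer_email": "JO@example.com", "amount": "24.99"},
]

# source name -> (rows, name of the email column, processor named in the privacy policy)
SOURCES = {
    "orders": (ORDERS, "email", "e-commerce platform"),
    "newsletter": (NEWSLETTER, "email", "email marketing platform"),
    "accounting": (ACCOUNTS, "customer_email", "accounting software"),
}


def compile_sar_response(requester_email: str) -> dict:
    """Collect every record matching the requester's email across all sources.

    Matching is case-insensitive because different tools normalise addresses
    differently. Sources with no match are still listed, so the reply shows
    what was searched, and each source names the processor the data sits with.
    """
    key = requester_email.strip().lower()
    response = {}
    for name, (rows, email_field, processor) in SOURCES.items():
        matches = [row for row in rows if row.get(email_field, "").strip().lower() == key]
        response[name] = {"shared_with": processor, "records": matches}
    return response


if __name__ == "__main__":
    sar = SubjectAccessRequest("jo@example.com", date(2026, 3, 2))
    print("Respond by:", sar.deadline())
    for source, detail in compile_sar_response(sar.requester_email).items():
        print(source, detail)
```

Keeping the list of sources in one place doubles as the data inventory the privacy policy needs: if a new tool starts holding customer data, it is added here and the SAR search covers it automatically.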

Data Security: The Basics Every Small Business Must Have in Place

UK GDPR requires you to keep personal data secure using appropriate technical and organisational measures. For a small business, that means taking sensible, proportionate steps to reduce the risk of a breach - not building enterprise-grade security infrastructure.

The standard is proportionality. You are not expected to spend more on security than makes sense for the scale of data you hold, but you are expected to have thought about it and taken reasonable precautions.

Practical data security basics for small businesses

  • Use strong, unique passwords for every tool that holds customer data - a password manager makes this manageable

  • Enable two-factor authentication (2FA) on your email account, CRM, and any platform holding customer records

  • Only give staff access to data they actually need - not everyone needs full customer records

  • Do not store customer data in personal email accounts or unsecured spreadsheets on shared drives

  • Use reputable platforms that comply with UK GDPR requirements for email marketing, payments, and customer records.*

  • Delete data you no longer need - holding old customer records indefinitely increases your risk

Most small businesses are already using cloud-based tools - Shopify, Xero, Mailchimp, or similar. These platforms carry their own security certifications and compliance obligations. That does not remove your responsibility, but it does mean the security baseline is higher than it would be if you were managing everything locally.

* Where platforms transfer personal data outside the UK, ensure an appropriate transfer mechanism is in place under UK GDPR (such as an International Data Transfer Agreement or UK Addendum to EU SCCs).

What to Do If You Have a Data Breach

A data breach is any incident where personal data is accidentally or unlawfully accessed, disclosed, altered, lost, or destroyed. That includes a hacked email account, a misdirected email containing customer details, or a stolen laptop with unencrypted files on it.

Not every breach needs to be reported to the ICO - but some do. If the breach is likely to result in a risk to the rights and freedoms of individuals, you must report it to the ICO within 72 hours of becoming aware of it. If the breach is unlikely to pose a significant risk, you still need to document it internally, but you do not need to report it.

72 hours goes quickly

The 72-hour reporting window starts from the moment you become aware of a breach - not when you have finished investigating it. You can submit an initial report and follow up with more detail later. Do not wait until you have the full picture before contacting the ICO if the deadline is approaching.

Responding to a Data Breach: Four Steps

Contain

Immediately limit further access or exposure. Change compromised passwords, remove unauthorised access, or take affected systems offline if necessary.

Assess

Work out what data was affected, how many people are involved, and what the likely impact is. Document everything as you go.

Report

If the breach meets the threshold for reporting, notify the ICO within 72 hours. If affected individuals face a high risk, you must also notify them directly and promptly.

Review

Once the immediate incident is resolved, identify what went wrong and what you need to change to prevent a recurrence. Update your internal breach log regardless of whether a report was required.

Keeping a simple internal breach log - even a spreadsheet - is good practice regardless of whether individual incidents require ICO notification. It demonstrates that you are taking compliance seriously, which matters if you are ever subject to an ICO investigation.
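The breach log and the two thresholds above (risk to individuals means report to the ICO; high risk means also tell the people affected) fit in a short register that also tracks the 72-hour window from the moment of awareness. This is an added example, not code from the article: the incident records are constructed, the three risk levels are an assumed simplification of the assessment the article describes, and the CSV export is the "even a spreadsheet" option.

```python
"""Internal personal data breach log with the 72-hour ICO reporting window.

Added example, not from the article. Incidents below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

ICO_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Assumed three-level outcome of the 'Assess' step."""
    UNLIKELY = "unlikely"   # document internally only
    LIKELY = "likely"       # report to the ICO
    HIGH = "high"           # report to the ICO and notify affected individuals


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime           # when you became aware, not when the investigation finished
    description: str
    data_categories: list
    individuals_affected: int
    risk: Risk
    containment: str = ""        # what was done in the 'Contain' step
    reported_to_ico_at: Optional[datetime] = None

    @property
    def ico_deadline(self) -> datetime:
        return self.aware_at + ICO_WINDOW

    def must_report_to_ico(self) -> bool:
        return self.risk in (Risk.LIKELY, Risk.HIGH)

    def must_notify_individuals(self) -> bool:
        return self.risk is Risk.HIGH

    def hours_remaining(self, now: datetime) -> float:
        """Hours left in the reporting window (negative once it has closed)."""
        return (self.ico_deadline - now).total_seconds() / 3600


class BreachLog:
    def __init__(self) -> None:
        self.records = []

    def add(self, rec: BreachRecord) -> BreachRecord:
        self.records.append(rec)
        return rec

    def overdue(self, now: datetime) -> list:
        """Refs of reportable breaches whose window has closed with no report made."""
        return [r.ref for r in self.records
                if r.must_report_to_ico() and r.reported_to_ico_at is None
                and now > r.ico_deadline]

    def to_csv(self) -> str:
        """Flatten the log to CSV so it can live in a spreadsheet."""
        buf = io.StringIO()
        fields = ["ref", "aware_at", "ico_deadline", "description", "data_categories",
                  "individuals_affected", "risk", "must_report_to_ico",
                  "must_notify_individuals", "reported_to_ico_at", "containment"]
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        for r in self.records:
            writer.writerow({
                "ref": r.ref, "aware_at": r.aware_at.isoformat(),
                "ico_deadline": r.ico_deadline.isoformat(),
                "description": r.description,
                "data_categories": ";".join(r.data_categories),
                "individuals_affected": r.individuals_affected,
                "risk": r.risk.value,
                "must_report_to_ico": r.must_report_to_ico(),
                "must_notify_individuals": r.must_notify_individuals(),
                "reported_to_ico_at": r.reported_to_ico_at.isoformat() if r.reported_to_ico_at else "",
                "containment": r.containment,
            })
        return buf.getvalue()


if __name__ == "__main__":
    aware = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
    log = BreachLog()
    log.add(BreachRecord("BR-001", aware, "Laptop with unencrypted customer spreadsheet stolen",
                         ["name", "email", "address"], 340, Risk.HIGH, "Remote wipe requested"))
    log.add(BreachRecord("BR-002", aware, "Invoice emailed to wrong customer",
                         ["name", "amount"], 1, Risk.UNLIKELY, "Recipient asked to delete"))
    print(log.to_csv())
```

Because the deadline is derived from `aware_at` rather than from when the record is written up, a breach logged late still shows the true time remaining, which is the point the "72 hours goes quickly" box makes.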

GDPR compliance is a process, not a project

Getting compliant is not a one-time task. As your business grows, the data you hold and the tools you use will change. A brief annual review of your privacy policy, ICO registration, consent records, and security setup is enough to stay on top of your obligations without it becoming a burden. BGE covers this and the broader compliance picture for UK founders at businessgrowthengine.com.


Frequently asked questions

What is GDPR?

GDPR — the General Data Protection Regulation — changed how businesses in the UK and across Europe are required to handle personal data. Many founders have a general sense that GDPR involves data protection compliance, but fewer have a clear understanding of what it actually requires of businesses or the practical implications for how they operate day to day.
GDPR establishes the rights of individuals over their personal data and the obligations of businesses that collect, store, or process it. It requires businesses to have a lawful basis for processing personal data, to be transparent about how data is used, to store only what is genuinely needed, to keep it secure, and to respond when individuals exercise their rights. In the UK, GDPR has been retained post-Brexit as UK GDPR, with the same core principles applying.
GDPR applies to any business that processes personal data — including holding customer contact details, running an email list, or using website analytics. Scale of data processing affects the specific obligations that apply, but no business is exempt if it handles personal data in any form. Our guide to GDPR for UK businesses covers the core principles and what small businesses need to do to comply.

What is the ICO?

Many founders encounter references to the ICO without a clear understanding of what it is, what authority it holds, or what relationship their business will have with it. Understanding the ICO's role in the data protection landscape — and when businesses need to interact with it — is basic compliance awareness for anyone handling personal data.
The ICO — Information Commissioner's Office — is the UK's independent regulator for data protection and information rights. It oversees compliance with UK GDPR and related legislation, provides guidance to businesses and individuals, and has the authority to investigate complaints, conduct audits, and issue enforcement action including fines. Most businesses that process personal data are required to register with the ICO and pay an annual data protection fee.
ICO registration is a legal requirement for most organisations processing personal data. There are limited exemptions, but most businesses will need to register. Failure to register when required is a criminal offence. The ICO's website provides a self-assessment tool to determine whether registration is required. Our guide to ICO registration for UK businesses covers who needs to register and how to complete the process.

What is a data breach?

Data breaches are a significant business risk, yet many founders operate without a clear plan for what to do if one occurs or a full understanding of what constitutes a breach. Under UK GDPR, businesses have specific legal obligations when a breach occurs — including in some cases a duty to notify the ICO and affected individuals — making this a practical compliance requirement.
A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to cyberattacks — sending an email to the wrong person, losing a device with personal data, or accidentally publishing personal information all constitute breaches. Where a breach poses a risk to individuals' rights and freedoms, it must be reported to the ICO within a defined timeframe.
Not every breach requires reporting — only those likely to result in risk to individuals trigger the notification obligation. All breaches should be documented internally regardless of severity. Having a simple response process before an incident occurs — knowing who to notify and when — reduces the risk of a compliance failure compounding the original problem. Our guide to data breach response covers obligations and steps for UK businesses.

What is a lawful basis for processing data?

One of the foundational requirements of UK GDPR is that businesses must have a lawful reason — a lawful basis — for processing personal data. Simply wanting to use someone's data, or assuming that having received it means you can use it as you wish, is not sufficient. Understanding what the lawful bases are and which applies to a particular type of processing is a prerequisite for compliant data handling.
UK GDPR sets out six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most small businesses, the most relevant are consent — where the individual has actively agreed to a specific use of their data — contract, where processing is necessary to fulfil an agreement, and legitimate interests, where the business has a genuine reason not overridden by the individual's rights. The basis used must be documented and communicated in the privacy policy.
Relying on the wrong lawful basis or failing to document it is one of the most common data protection gaps in small businesses. Consent in particular is often misapplied: it must be freely given, specific, informed, and unambiguous, and cannot be bundled into terms and conditions. Our guide to lawful bases under UK GDPR explains each basis and helps founders identify which applies to their data processing activities.

What is personal data?

Personal data sits at the heart of data protection law, but it is a broader category than many founders initially assume. A common misconception is that personal data is limited to obviously sensitive information such as financial records or medical history. In practice, it covers a much wider range of information, and understanding the definition correctly is the starting point for assessing what obligations apply.
Personal data is any information that relates to an identified or identifiable living individual. This includes names, email addresses, phone numbers, and home addresses, but also IP addresses, location data, device identifiers, and any information that could identify someone alone or in combination with other data. Special categories of personal data — such as health information, racial or ethnic origin, and political opinions — carry additional protections under UK GDPR and require a higher standard of justification to process.
Most businesses process personal data even if they do not think of it in those terms — a customer contact list, an email marketing database, or website analytics all involve personal data. Understanding what data you hold and why is the first step in compliance. Our guide to personal data and UK GDPR helps founders identify what they are processing and what that means for their obligations.

Ian Harford, FCIM CMktr

Ian Harford FCIM CMktr is co-founder of GTi Business Systems Ltd and a Chartered Fellow of the Chartered Institute of Marketing. He writes practical UK business guidance for founders and SME owners.