GDPR — the General Data Protection Regulation — changed how businesses in the UK and across Europe are required to handle personal data. Many founders have a general sense that GDPR involves data protection compliance, but fewer have a clear understanding of what it actually requires of businesses or the practical implications for how they operate day to day.
GDPR establishes the rights of individuals over their personal data and the obligations of businesses that collect, store, or process it. It requires businesses to have a lawful basis for processing personal data, to be transparent about how data is used, to store only what is genuinely needed, to keep it secure, and to respond when individuals exercise their rights. In the UK, GDPR has been retained post-Brexit as UK GDPR, with the same core principles applying.
GDPR applies to any business that processes personal data, which includes holding customer contact details, running an email list, or using website analytics. The scale of data processing affects the specific obligations that apply, but no business is exempt if it handles personal data in any form. Our guide to GDPR for UK businesses covers the core principles and what small businesses need to do to comply.
