GDPR for Small Businesses: What You Actually Need to Do
GDPR has a reputation for being complicated. For large organisations it genuinely is. For most small businesses, the practical obligations are more manageable than the reputation suggests — but they do need to be taken seriously. Here’s what you actually need to have in place.
What is UK GDPR and does it apply to you?
UK GDPR governs how organisations collect, store, use, and share personal data. It applies to virtually every business — including sole traders and small businesses. Personal data is any information that can identify a living individual: names, email addresses, phone numbers, IP addresses, or any combination of data that identifies someone, even if no single piece does so on its own.
If you hold any of the following, UK GDPR applies to you:
- Customer names and contact details
- Prospect email addresses in a marketing list
- Employee personal information
- Website visitor data via cookies or analytics
- CCTV footage of identifiable individuals
The Data (Use and Access) Act 2025
The DUAA received Royal Assent on 19 June 2025, with core provisions in force from 5 February 2026. It amends the UK GDPR rather than replacing it, so everything you have already put in place still stands. For most small businesses the practical obligations are broadly unchanged; the changes that do matter (subject access searches, cookie exemptions, complaints handling and PECR fines) are covered in the relevant sections below.
The six lawful bases for processing personal data
Every time you use someone's personal data you need a lawful basis. There are six options. Choose the right one for each purpose before you start processing, record it, and state it in your privacy notice. You should not switch to a different basis later without good reason, so pick carefully: a basis chosen because the first one turned out to be inconvenient will not survive an ICO query.
| Lawful basis | When it applies | Notes |
|---|---|---|
| Consent | Individual has explicitly agreed to a specific use of their data | Must be freely given, specific, informed, and unambiguous, and as easy to withdraw as it was to give. Pre-ticked boxes, silence and bundled consents don't count. Keep a record of who consented, when, and to what. |
| Contract | Processing is necessary to fulfil a contract with the individual | For example, processing a customer’s address to deliver an order |
| Legal obligation | Processing is required by law | For example, keeping employee records for HMRC |
| Vital interests | Necessary to protect someone’s life | Rarely relevant for most businesses |
| Public task | Processing necessary to perform a public function | Relevant mainly to public bodies |
| Legitimate interests | Processing is necessary for a genuine purpose of yours (or a third party's), and the individual's interests, rights and freedoms do not override it | The most flexible basis: direct marketing to existing customers, contact management, fraud prevention, network security. Record a legitimate interests assessment for each use covering the purpose, why the processing is necessary for it, and the balance against the individual's interests. |
Your seven core obligations
Privacy notice
Anyone whose data you collect must be told what you collect, why, on which lawful basis, how long you keep it, who you share it with, and what rights they have. This is usually delivered through a privacy notice on your website, linked from every form that collects data. The ICO provides a free privacy notice generator at ico.org.uk, which is a good starting point; edit the output so it describes what you actually do rather than a generic template.
Subject access requests
Individuals can ask what personal data you hold about them. You must respond within one month of receiving the request, normally free of charge, with a copy of the data plus the supporting information (purposes, recipients, retention period and source). You can extend the deadline by up to two further months for complex or multiple requests, provided you tell the requester within the first month. Verify the requester's identity before you disclose anything: sending one person's data to someone else in response to a request is itself a breach. The DUAA puts on a statutory footing that the search need only be "reasonable and proportionate" rather than exhaustive. For a small business this changes little in practice, but you do need to know where your data lives (inbox, CRM, accounting package, backups) so that you can actually find it.
Other individual rights
Beyond subject access, individuals have rights to erasure, rectification, restriction, data portability, and the right to object to processing (including an absolute right to object to direct marketing). Several of these are qualified: you can refuse to erase records you are legally required to keep, such as HMRC records, but you must explain why. You will rarely receive formal requests, but you need a process for recognising one (it can arrive as an ordinary email), logging it, and handling it within one month.
Breach reporting
A personal data breach is any incident that results in personal data being lost, stolen, destroyed, altered, disclosed or accessed without authorisation, or made unavailable: a stolen laptop, a lost USB stick, a ransomware infection, or an email sent to the wrong recipient all count. Where the breach is likely to result in a risk to individuals' rights and freedoms you must report it to the ICO within 72 hours of becoming aware of it, and where the risk is high you must also tell the affected individuals without undue delay. Record every breach internally, including the ones you decide not to report and your reasons. Have a basic breach response plan in place before you need it: who is told, who assesses the risk, who contacts the ICO, and where the record is kept.
Records of processing
A full record of processing activities is formally required only for organisations with 250 or more employees, unless the processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal offence data. In practice that catches most businesses that hold customer or employee data on an ongoing basis, so treat it as required. A simple spreadsheet covering what data you hold, why, on which lawful basis, how long you keep it, and who you share it with is invaluable if you face an investigation or a subject access request.
Data processors and transfers
Third-party services that process data on your behalf (your CRM, email marketing platform, payroll provider, cloud storage) are data processors. You need a written contract containing the terms UK GDPR requires, usually called a data processing agreement, with each of them; most reputable providers build one into their terms of service, so check that yours do rather than assuming. If a processor stores or accesses the data outside the UK you also need a lawful transfer mechanism: adequacy regulations for the destination (the EEA is covered), or the ICO's International Data Transfer Agreement or its Addendum to the EU standard contractual clauses. Ask the provider where the data is hosted; most answer this in their terms or a trust centre page.
Complaints handling (from 19 June 2026)
From 19 June 2026, individuals have a statutory right to complain directly to your business about how you handle their data, and you must acknowledge the complaint within 30 days. You need a working complaints process before that date: a way to receive complaints (an email address in your privacy notice is enough), a designated handler, and a log of complaints and outcomes. Individuals can still go to the ICO, but the ICO will expect them to have raised it with you first.
Cookies and your website
Non-essential cookies, including Google Analytics and most advertising trackers, require informed consent before being placed on visitors' devices. Consent has to come first: a banner that appears while the tracking script is already running does not comply. Essential cookies (those strictly necessary for the site to function, such as a session or basket cookie) are exempt, and a visitor who declines must still be able to use the site.
The DUAA introduced new, narrow cookie exemptions from February 2026, including for analytics cookies used solely to improve a service and for functional cookies that store user preferences. However, these still require offering a clear, simple opt-out at first use — they don’t make consent banners obsolete.
Cookie consent is handled by most website platforms and plugins. WordPress, for example, has several options (Complianz, Cookie Notice and CookieYes are popular). Make sure your implementation actually blocks non-essential cookies until consent is given; many default installations show a banner but still fire the analytics tag on page load. To check, open a private browsing window, load your site, and look at the cookies in the browser's developer tools before touching the banner: anything beyond your session and consent cookies is a problem, and Google Analytics cookies (_ga, _ga_..., _gid) appearing at that point means consent is not being enforced.
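The check above can be automated. What follows is an added example, not code from the page or from any of the plugins named: a minimal consent gate that injects non-essential scripts only after the visitor grants the matching category, plus an audit function that lists cookies present before consent. The cookie names, script URLs and the stand-in document object are assumptions chosen for illustration; on a real site you would pass the browser's `document` and edit the essential-cookie list to match your own.

```javascript
// Added example (not from the page or any cookie plugin): a consent gate that
// injects non-essential scripts only after consent, plus a pre-consent cookie
// audit. Cookie names, script URLs and the stand-in document are assumptions.

// Cookies the site needs to function. Everything else needs prior consent.
const ESSENTIAL_COOKIES = new Set(["PHPSESSID", "csrf_token", "cookie_consent"]);

// Well-known tracking cookie names/prefixes (Google Analytics sets _ga,
// _ga_<stream id> and _gid; _gcl_* and _fbp are advertising cookies).
const TRACKER_PREFIXES = ["_ga", "_gid", "_gcl", "_fbp"];

// Non-essential integrations keyed by consent category (hypothetical URLs).
const NON_ESSENTIAL_SCRIPTS = {
  analytics: ["https://analytics.example/collect.js"],
  marketing: ["https://ads.example/pixel.js"],
};

// Turn a document.cookie string ("a=1; b=2") into the list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Audit: run against document.cookie on a fresh visit, before touching the
// banner. Returns every cookie not on the essential list, flagging the ones
// that are recognisably trackers.
function auditPreConsentCookies(cookieString, essential = ESSENTIAL_COOKIES) {
  const offending = [];
  for (const name of cookieNames(cookieString)) {
    if (essential.has(name)) continue;
    const knownTracker = TRACKER_PREFIXES.some(
      (p) => name === p || name.startsWith(p + "_")
    );
    offending.push({ name, knownTracker });
  }
  return offending;
}

// Consent gate: nothing is injected on page load; a category's scripts are
// added to <head> only when grant() is called with that category.
function createConsentGate(doc, registry = NON_ESSENTIAL_SCRIPTS) {
  const granted = new Set();
  const loaded = [];
  const consentCookie = (value) =>
    `cookie_consent=${value}; Max-Age=15552000; Path=/; Secure; SameSite=Lax`;

  function inject(src) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(src);
  }

  return {
    // Wire this to the banner's Accept (all categories) or Save (chosen ones).
    grant(categories) {
      for (const cat of categories) {
        if (!registry[cat] || granted.has(cat)) continue;
        granted.add(cat);
        registry[cat].forEach((src) => inject(src));
      }
      // The consent record itself is an essential first-party cookie.
      doc.cookie = consentCookie([...granted].join(",") || "none");
    },
    // Reject must be as easy as Accept: record the refusal, load nothing.
    rejectAll() {
      doc.cookie = consentCookie("none");
    },
    loadedScripts: () => loaded.slice(),
  };
}

// Stand-in for `document` so the gate runs outside a browser (constructed for
// this example; in a real page pass `document`). Mirrors the quirk that
// assigning document.cookie sets one cookie and reading it returns name=value pairs.
function fakeDocument() {
  const jar = [];
  return {
    head: { children: [], appendChild(el) { this.children.push(el); } },
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    get cookie() { return jar.join("; "); },
    set cookie(v) {
      const pair = v.split(";")[0];
      const i = jar.findIndex((p) => p.split("=")[0] === pair.split("=")[0]);
      if (i >= 0) jar[i] = pair; else jar.push(pair);
    },
  };
}

// Walk through a visit: nothing fires before consent, the audit is clean,
// then accepting "analytics" loads that category only.
function demoVisit() {
  const doc = fakeDocument();
  doc.cookie = "PHPSESSID=abc123; Path=/"; // essential session cookie from the server
  const gate = createConsentGate(doc);
  const loadedBeforeConsent = gate.loadedScripts().length;
  const auditBeforeConsent = auditPreConsentCookies(doc.cookie);
  gate.grant(["analytics"]);
  return { loadedBeforeConsent, auditBeforeConsent, loaded: gate.loadedScripts(), cookie: doc.cookie };
}

// What a misconfigured install looks like: GA cookies already present before
// any banner interaction (constructed sample cookie string).
const MISCONFIGURED_COOKIES =
  "PHPSESSID=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _gid=GA1.1.444";

console.log(demoVisit());
console.log(auditPreConsentCookies(MISCONFIGURED_COOKIES));
```

The audit is the part worth keeping around: paste it into the browser console on a fresh private-window visit and call `auditPreConsentCookies(document.cookie)` before clicking anything on the banner. An empty result means the gate is doing its job; any `knownTracker: true` entry means the analytics or ads tag is firing regardless of consent. The gate itself shows the shape a compliant integration has to take: the tag's script element is created on grant, not on page load, and the refusal is recorded in the same first-party cookie so the visitor is not nagged on every page.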
Email marketing and GDPR
| Scenario | Rule | What it means in practice |
|---|---|---|
| Cold emails to consumers | Explicit prior consent required under PECR | Buying a mailing list and emailing people who don't know you is not permitted, whatever the list seller says about consent |
| Cold emails to businesses | The PECR consent rule does not cover corporate email addresses (limited companies, LLPs); legitimate interests may apply under UK GDPR | Sole traders and partnerships count as individuals and need consent. Emails must be relevant to the recipient's role, identify who you are, and offer a clear opt-out |
| Existing customers | Soft opt-in applies | Where you obtained the details in the course of a sale or negotiations for a sale, you can email about your own similar products or services, but you must have offered an opt-out at the point of collection and in every message since |
| Unsubscribe requests | Must be actioned promptly | Remove from all active marketing, not just the current campaign, and keep a suppression record so the address is not re-imported from a backup or a merged list |
Do you need to register with the ICO?
Most organisations that process personal data must pay the ICO’s annual data protection fee:
| Tier | Who it applies to | Annual fee |
|---|---|---|
| Tier 1 | Turnover of £632,000 or less OR no more than 10 staff | £40 |
| Tier 2 | Turnover of £36 million or less OR no more than 250 staff | £60 |
| Tier 3 | Large organisations above Tier 2 thresholds | £2,900 |
There are some exemptions — including processing purely for personal use, and some not-for-profit organisations — but most trading businesses will need to register. Check and renew annually at ico.org.uk/registration. Failure to register when required can result in a fine of up to £4,000.
The penalties for non-compliance
| Breach type | Maximum fine |
|---|---|
| Most serious infringements (the core principles, individuals' rights, international transfers) | £17.5 million or 4% of global annual turnover, whichever is higher |
| Less serious infringements (for example, failures in controller or processor obligations such as breach notification or records) | £8.7 million or 2% of global annual turnover, whichever is higher |
| Cookie/PECR violations (from August 2025) | Now aligned with UK GDPR levels: up to £17.5 million or 4% of global annual turnover |
| Failure to pay the ICO data protection fee | Fixed penalty of up to £4,000 |
In practice, the ICO focuses enforcement on larger organisations and serious breaches. Small businesses are far more likely to receive informal guidance or a reprimand first. But the reputational risk of a data breach is often more damaging for a small business than any regulatory fine — and the ICO’s enforcement activity has been increasing.
A practical GDPR checklist for small businesses
- Register with the ICO and pay the annual data protection fee (£40 for most small businesses)
- Publish a clear privacy notice on your website covering what you collect, why, and individuals’ rights
- Document your lawful basis for each type of processing you carry out — before you start, not after
- Have a process for responding to subject access requests and other rights requests within one month
- Have a basic breach response plan — who does what if personal data is lost or compromised
- Keep a simple record of what data you hold, why, for how long, and who you share it with
- Check data processing agreements are in place with key third-party processors (CRM, email platform, cloud storage)
- Review your cookie banner — reject must be as prominent as accept, and non-essential cookies must not fire before consent
- Implement a data protection complaints process before 19 June 2026
Useful resources
- ICO (Information Commissioner’s Office) — the definitive source for UK GDPR guidance at ico.org.uk
- ICO SME Hub — guidance specifically for small and micro businesses at ico.org.uk/for-organisations/sme-web-hub
- ICO privacy notice generator — free tool at ico.org.uk/for-organisations/make-your-own-privacy-notice
- ICO registration — check and pay your data protection fee at ico.org.uk/registration
- Your solicitor — for specific questions about your data processing, particularly if you handle special category data (health, race, religion) or process children’s data
More guides for UK small business owners
Right Hand Man covers everything from GDPR and legal compliance to VAT, hiring your first employee, and writing a business plan. Browse our guides or get in touch if you have a question.