The UK GDPR doesn't just apply to big corporations. If your small business collects any personal data from UK individuals — and virtually every business does — you have legal obligations under the UK General Data Protection Regulation and Data Protection Act 2018.
This guide cuts through the legal jargon and tells you exactly what you need to do as a small business owner.
Does UK GDPR apply to my small business?
Yes — if you:
- Have a website with a contact form, analytics, or newsletter sign-up
- Hold a customer database with names and email addresses
- Send marketing emails
- Process payments online or store payment details
- Have employees whose data you hold
- Use CCTV on your premises
…then UK GDPR applies to you. There is no minimum size threshold — sole traders, freelancers, and micro-businesses are all covered.
✅ Good news for small businesses: The ICO (Information Commissioner's Office) takes a proportionate approach to enforcement. The compliance requirements for a 5-person business are much lighter than for a multinational — but the basic obligations still apply.
The key principles you must follow
UK GDPR is built around seven data protection principles. In simple terms, personal data must be:
- Processed lawfully, fairly, and transparently — you need a legal reason and must tell people what you're doing
- Collected for specified, explicit purposes — don't collect data for one reason and use it for another
- Adequate, relevant, and limited — only collect what you actually need
- Accurate and up to date — keep records current
- Kept only as long as necessary — have a retention policy and stick to it
- Kept securely — appropriate technical and organisational measures
- Accountable — you must be able to demonstrate compliance
What documents do you need?
Privacy Policy (mandatory)
Every business that collects personal data needs a Privacy Policy on its website. It must explain what data you collect, why, how long you keep it, who you share it with, and what people's rights are.
Cookie Policy (if you use cookies)
If your website uses any non-essential cookies — including Google Analytics — you need a Cookie Policy and a cookie consent mechanism.
Data Processing Agreement (if you use third-party processors)
Under Article 28, you need written contracts with any third parties that process personal data on your behalf — cloud hosting providers, email marketing platforms, payment processors, etc.
Record of Processing Activities (ROPA)
If you have 250 or more employees you must maintain a ROPA. Smaller businesses are exempt — but it's still good practice to keep one.
Do small businesses need to register with the ICO?
Most organisations that process personal data must pay a data protection fee to the ICO. The fee ranges from £40/year (Tier 1, small businesses) to £2,900/year (Tier 3, large organisations).
You can check whether you need to register and pay the fee using the ICO's self-assessment tool. Some organisations are exempt — including sole traders processing data only for personal household purposes.
⚠ Failure to pay the ICO fee when required can result in a fine of up to £4,000. It takes about 10 minutes to register online.
Key rights you must be able to handle
Under UK GDPR, individuals have eight rights. As a small business, you need processes in place to respond to these requests within one calendar month:
- Right to be informed — tell people how you use their data (usually via your Privacy Policy)
- Right of access — provide a copy of all personal data you hold on someone
- Right to rectification — correct inaccurate data
- Right to erasure — delete data in certain circumstances
- Right to restrict processing — limit how you use someone's data
- Right to data portability — provide data in a machine-readable format
- Right to object — stop processing data for marketing or based on legitimate interests
- Rights related to automated decision-making — not be subject to solely automated decisions that significantly affect them
What about data breaches?
If you suffer a personal data breach — a laptop stolen, an email sent to the wrong person, customer data exposed — you must:
- Report it to the ICO within 72 hours of becoming aware of it if it's likely to result in a risk to people's rights and freedoms
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights
Not all breaches need to be reported. A postcard sent to the wrong address is different from a database of 10,000 customer records being exposed. The key question is whether there's a risk to individuals.
Practical steps to get compliant
- Audit your data — map out what personal data you hold, where it came from, who you share it with, and how long you keep it
- Get your documents in order — Privacy Policy, Cookie Policy, and DPA if needed
- Register with the ICO — if required, pay the annual fee
- Review your security — ensure you have appropriate measures in place (encryption, access controls, backups)
- Train your team — anyone who handles personal data should understand the basics
- Set up processes — for responding to data subject requests and handling potential breaches
The bottom line
UK GDPR compliance for small businesses doesn't have to be complicated or expensive. The core requirements — having a Privacy Policy, using data lawfully, keeping it secure, and responding to individual rights requests — are achievable for any business.
Start with the basics: get your Privacy Policy and Cookie Policy in place, make sure you have a lawful basis for everything you do with personal data, and register with the ICO if required.
Ready to generate your GDPR policy?
Answer a few questions about your business and get a personalised, legally-structured document in minutes.
Start free — from £29 →