GDPR in Plain English: What Small Businesses Actually Need to Know
GDPR has been with us since 2018, but a remarkable number of small business owners still find themselves either slightly baffled by it, quietly ignoring it, or convinced it’s primarily a large-business concern that doesn’t really apply to them.
It applies to them.
It really doesn’t have to be complicated. Most of what GDPR requires from a small business is fairly logical when you strip away the legal language, and a lot of what you’re probably already doing counts towards compliance. The key is understanding what’s actually expected, so you can make deliberate decisions rather than guessing.
This isn’t legal advice; if you are ever unsure, speak to a lawyer.
What GDPR Actually Is
GDPR — the General Data Protection Regulation — is the framework that governs how organisations collect, store, use, and protect personal data. In the UK, it’s implemented through the UK GDPR and the Data Protection Act 2018, and it’s overseen by the Information Commissioner’s Office, usually called the ICO.
“Personal data” means any information that relates to an identifiable living individual. That includes names, email addresses, phone numbers, postal addresses, payment information, and any other detail that could be used, alone or in combination with other information, to identify a specific person.
If you hold information about customers, suppliers, staff, or anyone else, GDPR applies to you. The size of your business doesn’t change that obligation, though it does affect how you need to demonstrate compliance.
The Six Core Principles (In Human Terms)
GDPR is built around six principles. In the regulation they’re stated formally, but in practice they come down to this:
Only collect what you need. If you’re selling someone a product, you don’t need their date of birth unless there’s a specific reason. Collect what’s necessary for the purpose, not everything you might theoretically find useful one day.
Be honest about what you’re doing with it. People should know why you’re collecting their information and what you’re going to do with it. This is usually handled through a privacy notice. Plain English is not just acceptable here; it’s actively preferable.
Use it only for what you said you’d use it for. If someone gives you their email address to receive order confirmations, that doesn’t mean you can add them to a marketing list. Different purposes require separate consent or a separate legitimate reason.
Keep it accurate. Outdated customer records and old contact details aren’t just inefficient, they’re a compliance issue. Having a basic process for keeping data up to date matters.
Don’t keep it longer than you need it. Data that you no longer have a reason to hold should be deleted. This applies to old customer records, former employee details, and historical enquiries that didn’t convert. Define how long you keep different types of data and stick to it; even a rough retention policy is better than none.
Keep it secure. This is where GDPR and cyber security overlap most directly. You have an obligation to protect personal data from unauthorised access, accidental loss, or destruction. Strong passwords, access controls, backups, and basic security practices aren’t optional; they’re part of your data protection obligations.

The Things That Catch Small Businesses Out
Marketing without a proper basis is a common area of non-compliance. Sending marketing emails to people who haven’t opted in, or who opted in to one thing but are being contacted about something different, creates risk. Under UK GDPR, you need either clear consent (they actively opted in) or a “legitimate interests” basis with a documented reason. The rules around the soft opt-in for existing customers are specific and worth checking.
Not having a privacy notice on your website is another common gap. If you collect any information through your site, even just through a contact form, you need a privacy notice that explains what you collect, why, how long you keep it, and what people’s rights are. It doesn’t need to be long, but it does need to exist and be readable.
Not being able to respond to subject access requests is a practical problem many businesses discover only when asked. Anyone whose data you hold can formally request a copy of it. You have one month to respond. If you can’t locate what data you hold on a given individual, that’s a problem. Knowing where your personal data lives in your systems is essential.
Not reporting breaches promptly is perhaps the most consequential gap. If personal data is lost, stolen, or accessed without authorisation, you may have 72 hours to report it to the ICO from the moment you become aware it may have occurred — not once you’ve confirmed all the details. Most small businesses are unaware this clock even exists.
What You Actually Need to Do
For most small businesses, genuine GDPR compliance doesn’t require a full-time data protection officer or an expensive external audit. It requires a handful of practical measures.
- A simple data inventory: a record of what personal data you hold, where it lives, why you have it, and how long you keep it. A spreadsheet is fine.
- A privacy notice on your website that explains your data handling in plain English.
- A process for handling subject access requests — who handles them, how you’d retrieve the relevant data, and how you’d respond within a month.
- Clear, documented consent for marketing, or a documented legitimate interests assessment if that’s your basis.
- Basic security measures: strong passwords, multi-factor authentication on key systems, access controls so staff can only see the data they need, and a backup process for critical data.
- A defined retention schedule — even five lines covering your main data types — so you’re deleting data you no longer need rather than accumulating it indefinitely.
- An understanding of what constitutes a breach and what your obligations are if one occurs.
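As an added example, not from the original article, here is what the data inventory and retention schedule from the list above can look like once they move beyond a spreadsheet: a small Python script that records what personal data is held, where and why, and flags records that are past their retention period or whose category has no retention period defined at all. It also works out the 72-hour breach reporting deadline from the moment of awareness, as described earlier. Every system name, record, and retention period below is a constructed placeholder; the real periods for your business depend on your own legal and tax obligations.

```python
"""Added example (not from the original article): a minimal data inventory
with a retention schedule, plus the 72-hour breach-notification clock.

All records, systems and retention periods below are constructed
placeholders, not legal guidance.
"""
from datetime import date, datetime, timedelta

# Assumed retention schedule, in days, per category of personal data.
# These numbers are illustrative placeholders only.
RETENTION_DAYS = {
    "customer_order": 6 * 365,
    "enquiry": 180,
    "former_employee": 6 * 365,
}

# Constructed data inventory: what you hold, where it lives, why you have it,
# and when the record was last needed (the point the retention clock starts).
INVENTORY = [
    {"id": "r1", "system": "crm", "category": "enquiry",
     "purpose": "answer website enquiry", "last_activity": date(2024, 10, 1)},
    {"id": "r2", "system": "crm", "category": "enquiry",
     "purpose": "answer website enquiry", "last_activity": date(2025, 3, 15)},
    {"id": "r3", "system": "accounts", "category": "customer_order",
     "purpose": "fulfil and invoice order", "last_activity": date(2019, 1, 10)},
    {"id": "r4", "system": "hr_folder", "category": "former_employee",
     "purpose": "employment records", "last_activity": date(2024, 12, 31)},
    # A category nobody assigned a retention period to: a gap to fix, not
    # something to keep silently.
    {"id": "r5", "system": "shared_drive", "category": "newsletter_export",
     "purpose": "unknown", "last_activity": date(2023, 5, 5)},
]

# Fixed dates so the review is reproducible (constructed values).
REVIEW_DATE = date(2025, 6, 1)
AWARE_AT = datetime(2025, 6, 1, 9, 0)


def retention_review(inventory, schedule, today):
    """Return (due_for_deletion, no_schedule).

    due_for_deletion: record ids whose age exceeds their category's limit.
    no_schedule: record ids whose category has no retention period defined.
    """
    due, undefined = [], []
    for rec in inventory:
        limit = schedule.get(rec["category"])
        if limit is None:
            undefined.append(rec["id"])
            continue
        age_days = (today - rec["last_activity"]).days
        if age_days > limit:
            due.append(rec["id"])
    return due, undefined


def breach_report_deadline(aware_at):
    """72-hour ICO reporting clock, counted from awareness, not confirmation."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    due, undefined = retention_review(INVENTORY, RETENTION_DAYS, REVIEW_DATE)
    print("Due for deletion:", due)
    print("No retention period defined:", undefined)
    print("Breach report due by:", breach_report_deadline(AWARE_AT))
```

Run against the constructed inventory on the review date, the script flags r1 and r3 as past retention and r5 as having no retention period at all; the second list is the more useful finding, because an undefined category is exactly the kind of data that accumulates indefinitely.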
One Thing Many Small Businesses Miss: ICO Registration
Most organisations that process personal data are required to pay an annual data protection fee to the ICO — currently £40 to £60 per year for most small organisations. This is separate from being GDPR compliant; it’s a specific registration requirement.
The exemptions from this fee are narrower than many people assume. An unregistered organisation that suffers a data breach faces a considerably harder conversation with the regulator than one that is properly registered.
If you’re not certain whether you’re registered, the ICO’s registration checker at ico.org.uk/registration takes about two minutes to use.
A Note on the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 came into law in June 2025 and is currently being implemented. For most small organisations, the core data protection obligations under UK GDPR remain unchanged. The ICO is publishing guidance on what the new Act means in practice as implementation progresses — it’s worth checking ico.org.uk for updates if you have specific questions about how it affects your sector.
What GDPR Is Not
It’s worth being clear about what GDPR is not, because there’s a lot of noise around this.
It is not primarily a mechanism for fining small businesses into oblivion. The ICO’s publicly stated preference is to guide and support businesses into compliance rather than penalise them. The significant fines that make the news tend to involve large organisations with systematic failures.
It is not an impossible compliance burden for businesses without legal teams. The principles are common sense, the practical requirements are manageable, and the ICO’s own guidance is genuinely written to be accessible.
It is not something you can permanently tick off a list and forget about. Data handling practices need to be reviewed as your business changes, and that includes when you adopt new tools. AI tools, for example, raise specific questions about what data leaves your systems. We cover that separately.
Useful Links
The free GDPR Plain English Checklist covers ten practical things every small business and charity should have in place — from your data inventory to ICO registration. Work through it at your own pace, tick what’s done, flag what isn’t, and focus your energy on the gaps.
No jargon, no legal dread.
