Complying with the UK General Data Protection Regulation (UK GDPR) is essential for all small businesses that collect, store, or process personal data. Failure to meet these requirements can lead to significant fines and reputational damage, making it vital that business owners understand their legal obligations.
This practical guide explains key aspects of UK GDPR compliance, including lawful bases for processing, privacy notices, data subject rights, and steps to take in the event of a data breach.
| Key Fact | Summary |
|---|---|
| Regulation | UK General Data Protection Regulation (UK GDPR) & Data Protection Act 2018 |
| Applies to | Businesses established in the UK that process personal data, and businesses outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK |
| Maximum fine | Up to £17.5 million or 4% of global turnover, whichever is higher |
| Key obligations | Lawful processing, transparency, data subject rights, data security, breach notification |
| Regulator | Information Commissioner’s Office (ICO) |
Lawful Basis for Processing Personal Data
Under the UK GDPR, you must have a lawful basis before you process any personal data, and you should choose it before the processing starts, because switching bases later is difficult to justify. The UK GDPR lists six lawful bases; the four most common for small businesses are:
- Consent: The individual has given clear permission for their data to be processed for a specific purpose.
- Contractual necessity: Processing is necessary to perform a contract with the individual, such as fulfilling an order or providing a service.
- Legal obligation: Processing is required to comply with a legal duty, for example, keeping financial records for tax purposes.
- Legitimate interests: Processing is necessary for your legitimate interests or those of a third party, and those interests are not overridden by the interests, rights and freedoms of the individual. You should record a short balancing assessment showing how you reached that conclusion.
The remaining two bases, vital interests (protecting someone’s life) and public task (official functions set out in law), rarely apply to small businesses.
It is crucial to identify and document the lawful basis you rely on for each type of processing activity. This forms part of your accountability under the UK GDPR and will be important if the ICO requests evidence of compliance.
Privacy Notices and Transparency
Transparency is a key requirement of UK GDPR. This means you must inform individuals about how you collect, use, and protect their personal data. The primary tool for this is a clear and accessible privacy notice.
Your privacy notice should include:
- Who you are (your business name and contact details)
- What personal data you collect and how you collect it
- The lawful basis for processing
- Why you collect the data (the purpose of processing)
- Who you share the data with, if anyone
- How long the data will be retained
- Individuals’ rights regarding their data
- How individuals can complain to the ICO if they believe their rights have been breached
Privacy notices must be provided at the point of data collection when you collect data directly from the individual. For example, if you collect personal details via a website form, a link to your privacy notice should be clearly visible next to the form. If you obtain personal data from another source, you must provide the notice within a reasonable period and in any case within one month.
Updating Your Privacy Notice
Review your privacy notice regularly to ensure it reflects your current data processing activities. If you start using personal data in new ways, update the notice accordingly and inform affected individuals.
Data Subject Rights
UK GDPR grants individuals several rights over their personal data. As a small business, you must be prepared to uphold these rights and respond promptly to requests. The main rights include:
- Right to be informed: The right to receive clear information about how their data is used (via privacy notices).
- Right of access: Individuals can request a copy of the personal data you hold about them (a subject access request).
- Right to rectification: The right to have inaccurate or incomplete data corrected.
- Right to erasure: Also known as the “right to be forgotten,” individuals can request deletion of their data in certain circumstances.
- Right to restrict processing: Individuals can ask you to limit how their data is used.
- Right to data portability: The right to receive the data they have provided to you in a structured, commonly used, machine-readable format and transfer it elsewhere. This applies only where the lawful basis is consent or contract and the processing is carried out by automated means.
- Right to object: Individuals can object to processing based on legitimate interests or direct marketing.
- Rights in relation to automated decision-making: Protection against decisions made solely by automated processes.
You must respond to most requests without undue delay and at the latest within one calendar month of receipt. If a request is complex or you have received several from the same individual, you can extend this by up to a further two months, but you must tell the individual within the first month and explain why the extension is needed. Verify the requester’s identity before disclosing anything, and record the date each request was received so the deadline can be evidenced.
Data Security and Record-Keeping
Protecting the personal data you hold is a legal requirement under the UK GDPR. You must implement appropriate technical and organisational measures to safeguard data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Examples of security measures include:
- Using strong, unique passwords and multi-factor authentication for every account and system that can access personal data
- Encrypting sensitive data both in transit and at rest
- Regularly updating software and applying security patches
- Restricting access to personal data only to staff who need it
- Training employees on data protection and security best practices
Additionally, businesses with 250 or more employees must maintain written records of their processing activities. Smaller businesses must also keep them if their processing is not occasional, is likely to result in a risk to individuals, or involves special category data (such as health or biometric data) or criminal conviction data. In practice that catches most businesses that process customer or employee data regularly, so it is good practice for all businesses to keep such records to demonstrate compliance.
Handling Data Breaches
A data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorisation. UK GDPR requires you to have procedures in place to detect, report, and investigate breaches promptly.
If a breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware of it; if you cannot report in full within that time, submit what you know and follow up with the rest. You must also inform affected individuals without undue delay if the breach is likely to result in a high risk to them. Breaches you decide not to report must still be documented, with your reasons, so the ICO can check that decision later.
Steps to Take if You Suspect a Data Breach
- Contain and assess: Immediately stop the exposure (for example, revoke compromised credentials, take the affected system offline, or recall a misdirected email), preserve any logs you will need to investigate, and assess what data was involved, how many people are affected, and the likely consequences for them.
- Notify your data protection officer (if applicable): In small businesses without a formal DPO, senior management should be informed.
- Report to the ICO: Notify the ICO within 72 hours if required, providing details about the breach and mitigation steps.
- Inform affected individuals: If there is a high risk to their rights and freedoms, communicate clearly what happened and what they should do.
- Review and prevent: Investigate the cause and update your security measures and policies to prevent recurrence.
Keeping an incident log, even for breaches that do not meet the reporting threshold, helps demonstrate accountability and preparedness. Record what happened, when you became aware, what data and individuals were affected, the risk assessment, whether you reported it, and what you changed as a result.
Quick Summary
- Identify and document the lawful basis for processing personal data.
- Provide clear, accessible privacy notices to all data subjects.
- Respect and respond promptly to data subject rights requests.
- Implement robust data security measures appropriate to the risks.
- Have a clear procedure for detecting, reporting, and managing data breaches.
- Regularly review policies and keep records to demonstrate compliance.
Always consider seeking professional legal advice to tailor compliance measures to your specific business needs.
Further Resources
For more detailed guidance on data protection compliance, visit the Information Commissioner’s Office (ICO) website. The ICO provides free resources, templates, and advice tailored for small businesses.
You can also consult the ACAS guide on employment and data protection if your business processes employee data.
Maintaining compliance with UK GDPR is an ongoing process. Regular training and reviews will help ensure your business respects data privacy and minimises risk.
Do small businesses need to register with the ICO?
Most small businesses processing personal data must pay an annual data protection fee to the ICO, unless they are exempt. Registration in the older sense no longer exists; paying the fee is the obligation. Use the ICO’s self-assessment tool to confirm whether you need to pay and which tier applies.
What should I include in my business’s privacy notice?
Your privacy notice should clearly explain who you are, what data you collect, the lawful basis for processing, how you use the data, who you share it with, how long you keep it, and individuals’ rights. It must be easy to find and understand.
How quickly do I need to notify the ICO of a data breach?
You must report a data breach to the ICO within 72 hours of becoming aware if it is likely to result in a risk to individuals’ rights and freedoms. If notification is delayed, you must provide reasons for the delay.
