Small business GDPR compliance: simple UK checklist
Learn how small business GDPR compliance builds trust, avoids fines, and helps you and your advisor stay on track.

Written by Lena Hanna—Trusted CPA Guidance on Accounting and Tax.
Published Friday 27 February 2026
Key takeaways
- Audit all personal data your business collects and processes by mapping every product, service and process that handles personal data, documenting what you collect, where it's stored, who can access it and how long you keep each type of data.
- Establish a valid lawful basis for processing each type of personal data you collect; the most common bases for small businesses are consent, contract, legitimate interests and legal obligation.
- Implement robust data security measures including access controls, encryption for sensitive data, limited user permissions and appropriate safeguards for any data transfers outside the UK.
- Create clear processes to handle customer rights requests within one month, including procedures to verify identity, access data, correct errors and delete records when legally required.
What is GDPR?
GDPR (General Data Protection Regulation) is an EU law that protects individuals' privacy and gives them control over how their personal data is collected, stored and used. It has applied since 25 May 2018, and it reaches any organisation anywhere in the world that offers goods or services to people in the EU or monitors their behaviour.
GDPR gives control of personal data back to the people who own it, requiring businesses of all sizes to make data protection a core part of their operations.
When the UK left the EU, the regulation was kept in domestic law as UK GDPR, which sits alongside the Data Protection Act 2018, so UK businesses have essentially the same obligations as before.
Does GDPR apply to small businesses?
Yes, GDPR applies to all businesses that process personal data of individuals in the UK or EU, regardless of size. There's no exemption for small businesses, sole traders or startups.
You must comply with GDPR if your business:
- Collects customer names, email addresses or phone numbers
- Stores employee records
- Processes payment information
- Sends marketing emails
- Uses website analytics that track visitors
What size company must comply with GDPR?
There's no minimum company size for GDPR compliance. A one-person business has the same obligations as a large corporation.
The only difference is scale. Small businesses typically hold less data, so compliance is simpler. But the core requirements apply equally to everyone.
What counts as personal data under GDPR?
Personal data is any information that can identify a living individual, either directly or when combined with other information. If you can link data back to a specific person, it's personal data.
Examples of personal data in small businesses
Small businesses typically handle these types of personal data:
- Customer information: names, addresses, email addresses, phone numbers
- Payment details: bank account numbers, card details
- Employee records: payroll information, emergency contacts, performance reviews
- Marketing lists: email subscribers, customer preferences
- Website data: IP addresses, cookies that track user behaviour
Sensitive personal data vs. regular personal data
Different types of personal data require different levels of protection under GDPR.
Some personal data needs extra protection. Sensitive personal data (also called special category data) includes:
- Health information
- Racial or ethnic origin
- Religious beliefs
- Trade union membership
- Biometric data (for example, fingerprints)
- Sexual orientation
If you process sensitive personal data, you need a lawful basis plus a separate condition from Article 9 (for example, employment law for staff sickness records), and stronger security measures.
Key GDPR principles for small businesses
GDPR is built on seven principles that guide how you should handle personal data. Understanding these helps you make good decisions when situations aren't clear-cut.
- Lawfulness, fairness and transparency: Only collect data for legitimate reasons and be open about what you do with it.
- Purpose limitation: Only use data for the specific purpose you collected it for.
- Data minimisation: Only collect the data you actually need.
- Accuracy: Keep personal data accurate and up to date.
- Storage limitation: Don't keep data longer than necessary. Establishing a formal data retention policy can be a significant undertaking; one business reported it took about a month of engineering work valued at £10,000–£15,000.
- Security: Protect data against unauthorised access, loss or damage.
- Accountability: Be able to demonstrate your compliance.
These principles should guide every decision you make about personal data in your business.
Customer rights under GDPR
Individuals have specific rights over their personal data, and your business must be ready to respond when customers exercise them. Most requests must be answered within one month; you can extend this by up to two further months if a request is complex or you receive several from the same person, but you must tell the individual within the first month. Responding can be time-consuming: in some sectors, handling a single request can take up to two months because of the volume of data involved.
Right to access
Individuals can ask what personal data you hold about them. You must:
- Respond within one month.
- Provide a copy of their data free of charge (a reasonable fee, or a refusal, is only allowed for requests that are manifestly unfounded or excessive).
- Explain how you use their data and who you share it with.
Right to erasure
Customers can ask you to delete their personal data. You must comply unless:
- you need the data to fulfil a contract
- you're legally required to keep it (such as for tax records)
- you have another valid legal basis to retain it
Right to data portability
Individuals can request their data in a format they can take to another provider. This applies when:
- you collected the data based on consent or contract
- the data is processed automatically (not paper records)
Provide the data in a structured, commonly used and machine-readable format, such as CSV or JSON.
How to comply with GDPR
GDPR compliance requires you to handle personal data lawfully, transparently and securely. Follow these seven steps to make your small business compliant.
- Audit what personal data you hold. Start by mapping all the personal data your business collects and processes. Identify every product, service and process that handles personal data. Document what data you collect, where it's stored and who can access it. Note how long you keep each type of data.
- Establish your legal basis for processing data. You can only collect and use personal data if you have a valid legal reason. The most common legal bases for small businesses are consent (the individual has given clear permission for a specific purpose), contract (you need the data to fulfil a contract with the customer), legitimate interest (you have a genuine business reason that doesn't override the individual's rights), and legal obligation (you're required by law to process the data). Document which legal basis applies to each type of data you process.
- Update your privacy notices and customer contracts. Review and update your documentation to meet GDPR requirements. Your privacy notice should clearly explain what data you collect, why you collect it, how long you keep it and individuals' rights. Customer contracts should include data protection clauses where you process data on behalf of others. Website policies need updating for cookie notices and any online data collection forms. Write all notices in clear, simple terms without legal jargon. This may involve outside help, as one small firm noted that updating its terms and conditions cost around £2,000.
- Implement data security measures. Keep all personal data securely stored and protected from unauthorised access. Store personal data in systems with appropriate access controls. Protect sensitive data both in transit and at rest through encryption. Limit who can view and edit personal data through access management, and review those permissions when staff change role or leave. If transferring data outside the UK, ensure appropriate safeguards are in place (an adequacy regulation for the destination country, the ICO's International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses).
- Assign data protection responsibility. Someone in your business should take ownership of data protection. Designate a responsible person—this doesn't need to be a formal Data Protection Officer (DPO) for most small businesses, though some choose to outsource this role; for example, one business hired an external DPO on a retainer fee for £83 a month. You only need a DPO if you are a public authority, or if your core activities involve large-scale processing of special category data or large-scale, systematic monitoring of individuals. Make sure staff understand their data protection responsibilities through training. Check the Information Commissioner's Office (ICO) guidance on Data Protection Officers to see if you need one.
- Set up processes for customer rights requests. Individuals can exercise their GDPR rights at any time. Prepare your business to respond by creating a response process—know who handles requests and how to verify the requester's identity. Respond to most requests within one month. Document all requests and your responses. You can't charge a fee for most requests. Common requests include accessing data, correcting errors and deleting records.
- Create a data breach response plan. A personal data breach is any security incident that leads to personal data being lost, destroyed, altered, disclosed or accessed without authorisation, whether by accident or deliberately. Have a plan ready before something goes wrong. Train staff to recognise and report potential breaches. Determine what data was affected and the potential harm to individuals. Notify the ICO within 72 hours of becoming aware of the breach unless it is unlikely to pose a risk to individuals' rights and freedoms. Tell the affected individuals without undue delay if the breach is likely to put them at high risk. Keep records of all breaches, even those you don't report.
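The seven steps above, together with the storage-limitation principle and the rights-request deadlines described earlier, are easier to keep to when the data audit is written down in a form that can be checked rather than left in a spreadsheet nobody re-reads. The following Python script is an added example, not code from this article or from Xero. It holds a small personal-data register, reports the gaps a reviewer would look for (no lawful basis recorded, special category data without an Article 9 condition, no retention period, nobody listed as having access, a transfer outside the UK without a recognised safeguard), flags which activities fall under the right to data portability, works out the one-month rights-request deadline and the 72-hour breach-notification deadline, and lists records that have outlived their retention period. The activities, retention periods and dates are constructed sample data for a fictional web shop and are assumptions, not advice; the deadline calculation counts calendar months and ignores weekends and bank holidays.

```python
"""Added example (not code from the article or from Xero): a minimal personal-data
register with the checks a small business can run against it.

The activities, lawful bases, retention periods and dates below are constructed
sample data for a fictional web shop; they are assumptions, not advice.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# The four lawful bases the article lists as the common ones for small businesses.
LAWFUL_BASES = {"consent", "contract", "legitimate interests", "legal obligation"}
# Recognised UK safeguards for sending personal data outside the UK.
TRANSFER_SAFEGUARDS = {"adequacy regulations", "IDTA", "EU SCCs with UK Addendum"}


@dataclass
class Activity:
    """One row of the register: a product, service or process that handles personal data."""
    name: str
    data_items: tuple[str, ...]   # what is collected
    purpose: str                  # why it is collected
    lawful_basis: str             # one of LAWFUL_BASES, or "" if not yet decided
    location: str                 # where it is stored ("paper" for non-digital records)
    access: tuple[str, ...]       # roles allowed to view or edit it
    retention_months: int         # how long it is kept
    special_category: bool = False
    art9_condition: str = ""      # extra condition required for special category data
    transfer_outside_uk: bool = False
    transfer_safeguard: str = ""


def validate(activity: Activity) -> list[str]:
    """Return the gaps found in one register row (an empty list means none found)."""
    gaps = []
    if activity.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"{activity.name}: no valid lawful basis recorded")
    if activity.special_category and not activity.art9_condition:
        gaps.append(f"{activity.name}: special category data without an Article 9 condition")
    if activity.retention_months <= 0:
        gaps.append(f"{activity.name}: no retention period set (storage limitation)")
    if not activity.access:
        gaps.append(f"{activity.name}: nobody listed as having access (access control undocumented)")
    if activity.transfer_outside_uk and activity.transfer_safeguard not in TRANSFER_SAFEGUARDS:
        gaps.append(f"{activity.name}: transfer outside the UK without a recognised safeguard")
    return gaps


def validate_register(register: list[Activity]) -> list[str]:
    """Every gap across the whole register, in register order."""
    return [gap for activity in register for gap in validate(activity)]


def is_portable(activity: Activity) -> bool:
    """The right to data portability covers consent or contract data processed by automated means."""
    return activity.lawful_basis in {"consent", "contract"} and activity.location != "paper"


def add_months(d: date, months: int) -> date:
    """Move a date forward by whole calendar months; if the target month is shorter,
    clamp to its last day (31 January + 1 month -> 28 or 29 February)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def sar_due_date(received: date) -> date:
    """Latest date to answer a rights request: one calendar month from the day it arrived.
    Weekend and bank-holiday adjustments are deliberately left out."""
    return add_months(received, 1)


def breach_report_deadline(became_aware: datetime) -> datetime:
    """The ICO must be told within 72 hours of becoming aware of a reportable breach."""
    return became_aware + timedelta(hours=72)


def records_due_for_deletion(register: list[Activity], records: list[tuple[str, date]],
                             today: date) -> list[tuple[str, date]]:
    """records holds (activity name, date the record was created); returns those past retention."""
    retention = {a.name: a.retention_months for a in register}
    return [(name, created) for name, created in records
            if add_months(created, retention[name]) <= today]


# Constructed sample register (assumed values, not taken from the article).
REGISTER = [
    Activity("Customer orders", ("name", "email", "delivery address"), "fulfil orders",
             "contract", "cloud CRM, UK region", ("sales", "support"), retention_months=72),
    Activity("Newsletter list", ("email",), "send marketing emails", "consent",
             "email platform, US region", ("marketing",), retention_months=24,
             transfer_outside_uk=True),                      # gap: no transfer safeguard
    Activity("Staff absence records", ("name", "sickness reason"), "manage absence",
             "legal obligation", "HR folder", ("office manager",), retention_months=36,
             special_category=True),                         # gap: no Article 9 condition
    Activity("Website analytics", ("IP address", "cookie ID"), "measure site usage",
             "", "analytics provider", ("marketing",), retention_months=14),  # gap: basis undecided
]
# Constructed sample records: (activity name, date the record was created).
SAMPLE_RECORDS = [("Customer orders", date(2019, 2, 1)), ("Newsletter list", date(2025, 6, 1))]

if __name__ == "__main__":
    for gap in validate_register(REGISTER):
        print("GAP:", gap)
    print("portable:", [a.name for a in REGISTER if is_portable(a)])
    print("request received 31 Jan 2026 is due by", sar_due_date(date(2026, 1, 31)))
    print("breach noticed 09:00 on 2 Mar 2026 must reach the ICO by",
          breach_report_deadline(datetime(2026, 3, 2, 9, 0)))
    print("delete:", records_due_for_deletion(REGISTER, SAMPLE_RECORDS, date(2026, 2, 27)))
```

Run it to print the three gaps in the sample register, the two activities whose data a customer could take elsewhere, the deadlines, and the one record that has outlived its retention period. A register like this doubles as the record of processing the accountability principle asks you to be able to produce, and re-running the checks whenever a process changes keeps the audit from becoming a one-off exercise.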
What are the penalties for GDPR non-compliance?
GDPR fines can reach up to £17.5 million or 4% of annual worldwide turnover (whichever is higher) for the most serious violations. However, the ICO takes a proportionate approach with small businesses.
The ICO considers several factors when deciding penalties:
- Severity: How serious was the breach and how many people were affected?
- Intent: Was it deliberate, negligent or accidental?
- Response: Did you report it promptly and take steps to fix it?
- History: Have you had previous compliance issues?
For small businesses, the ICO typically focuses on helping you improve rather than imposing maximum fines. Most enforcement actions start with warnings and guidance.
The bigger risks for small businesses are often:
- Reputation damage: Customers losing trust after a data breach
- Lost business: Larger clients requiring proof of compliance
- Operational disruption: Time spent responding to complaints and investigations
Taking compliance seriously protects your business from these risks.
GDPR resources for small businesses and advisors
These resources provide detailed GDPR guidance for small businesses and their advisors.
For small businesses:
The ICO and FSB provide comprehensive guidance specifically designed for small business needs.
- ICO guide to UK GDPR: Comprehensive official guidance from the UK regulator.
- FSB GDPR compliance guide: Practical guidance tailored for small businesses.
For accountants and advisors:
Professional bodies offer technical resources to help advisors guide their clients through compliance.
- ICAEW data protection resource centre: Technical guidance for advising clients on compliance.
Talk to your accountant or legal advisor about your specific compliance requirements.
Making GDPR compliance manageable
GDPR compliance is manageable when you break it into steps. Most small businesses can handle compliance themselves.
Start with the basics: know what data you hold, why you have it and how you protect it. Build good habits into your daily operations rather than treating compliance as a one-off project.
The right tools make compliance easier to maintain. Cloud-based accounting platforms like Xero include data security features such as access controls, audit trails and secure data storage. Get one month free and see how the right software supports your compliance efforts.
FAQs on small business GDPR compliance
Common questions about GDPR compliance for small businesses.
Do I need a Data Protection Officer for my small business?
Most small businesses don't need a formal Data Protection Officer. You only need one if you are a public authority, or if your core activities involve large-scale processing of special category data or large-scale, systematic monitoring of individuals.
How much does GDPR compliance cost for a small business?
GDPR compliance is mainly a time investment for small businesses. Costs may include staff training, updating privacy notices and potentially software for secure data management. For example, one micro business paid £120 a month to an IT supplier for services that included annual audits and process improvements, but many small businesses can achieve compliance without significant expense.
What happens if I accidentally breach GDPR?
The ICO takes a proportionate approach to accidental breaches. If you report promptly, cooperate fully and take steps to prevent future incidents, you're unlikely to face significant penalties. Document what happened and what you did to fix it.
Does GDPR apply if all my customers are in the UK?
Yes, UK GDPR applies to all businesses processing personal data of people in the UK. The regulation was kept in domestic law as UK GDPR when the UK left the EU, so the requirements are essentially the same as EU GDPR.
Can I use cloud-based software and still be GDPR compliant?
Yes, cloud-based software can support GDPR compliance when you choose providers with appropriate security measures. Check that your provider has a data processing agreement, adequate security certifications and stores data either in the UK or somewhere covered by a recognised transfer safeguard, and record the provider in your data audit as a processor.
Disclaimer
Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.
Start using Xero for free
Access Xero features for 30 days, then decide which plan best suits your business.