Mention GDPR to most small business owners and you will see a look of mild dread. The good news is that the core rules are actually quite sensible — and most small businesses are already doing most of it without realising. Let us answer the questions we hear most often.

This article is general information, not legal advice. Employment and data rules change, so always check the latest guidance on GOV.UK or the Information Commissioner's Office (ICO) website, or speak to a qualified adviser.

Does UK GDPR really apply to my tiny business?

Almost certainly yes. UK GDPR (the version of GDPR that applies in the UK following Brexit, sitting alongside the Data Protection Act 2018) covers any organisation that processes personal data. Personal data means any information that can identify a living person — names, email addresses, phone numbers, IP addresses, and more. If you have a customer list, send marketing emails, or employ anyone, you are processing personal data.

What is a lawful basis and why does it matter?

Before you process personal data, you need a valid reason — the law calls this a lawful basis. There are six to choose from. The most relevant for small businesses are:

  • Contract — you need the data to fulfil or prepare a contract with the person (for example, you need a customer's address to deliver their order)
  • Legitimate interests — you have a genuine business reason that is not outweighed by the individual's rights and interests (for example, keeping a record of past customers for fraud prevention)
  • Consent — the person has freely given, specific, informed agreement (for example, signing up to a marketing newsletter)
  • Legal obligation — you must process the data to comply with a law (for example, keeping payroll records for HMRC)

You need to decide your lawful basis before you start processing, and you should document it. Consent is not always the right choice — if you process data under contract or legal obligation, you do not need to ask for consent as well.

What personal data do I hold about staff?

Probably more than you think. Employee data includes names, addresses, bank details, National Insurance numbers, emergency contacts, health information, right to work documents, and performance records. This data needs the same protection as customer data. If you are building your HR processes, our guide on right to work checks touches on how to store those records securely.

Do I need to register with the ICO?

Most organisations that process personal data must pay a data protection fee to the ICO. There are some exemptions — for example, certain not-for-profit organisations and some very small businesses that only process data for core business purposes — but many small businesses do need to register. The fee is modest and the process is straightforward online. Check the ICO's self-assessment tool at ico.org.uk to find out if you need to register and what tier applies to you.

What rights do individuals have over their data?

UK GDPR gives people a set of rights. As a small business, you are most likely to encounter:

  • Right of access — anyone can ask to see the personal data you hold about them (a Subject Access Request or SAR). You generally have one month to respond.
  • Right to erasure — sometimes called the right to be forgotten. Individuals can ask you to delete their data in certain circumstances, though this is not absolute.
  • Right to rectification — if data is inaccurate, they can ask you to correct it.
  • Right to object — individuals can object to processing based on legitimate interests, including direct marketing.

Have a simple process ready for handling these requests. The ICO has template letters and guidance on its website.

UK GDPR is not about paperwork for its own sake — it is about treating people's information with the same respect you would want shown to yours.

How do I keep data safe?

You do not need enterprise-grade security. Reasonable steps for a small business include:

  • Using strong, unique passwords and enabling two-factor authentication on email and cloud accounts
  • Keeping software and devices updated
  • Only sharing data with staff who genuinely need it
  • Using encrypted storage or secure cloud services rather than unprotected spreadsheets
  • Having a clear policy for what happens to data when a device is lost or an employee leaves

What counts as a data breach, and what do I do?

A data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes sending an email to the wrong person, losing a USB stick, or a cyberattack.

Not every breach needs to be reported. If the breach is unlikely to result in a risk to individuals' rights and freedoms, you only need to document it internally. If it does pose a risk, you must report it to the ICO within 72 hours of becoming aware. If it poses a high risk, you must also notify the affected individuals directly. When in doubt, report — the ICO is generally more understanding with organisations that report promptly and honestly.

Practical Steps to Take Now

  1. Map out what personal data you hold, where it is stored, and why you have it
  2. Confirm your lawful basis for each type of processing and write it down
  3. Check whether you need to register with the ICO and pay the data protection fee
  4. Review how you store and protect data (passwords, access controls, backups)
  5. Create a simple process for handling Subject Access Requests and other rights requests
  6. Train anyone in your business who handles personal data — even basic awareness helps
  7. Set up a simple internal log for recording any data breaches, however minor