Many small-business owners assume the UK GDPR is something only large corporations need to worry about. It is not. The rules apply based on whether you handle personal data — not on how big you are — which means a sole trader with a spreadsheet of customer emails is covered just as much as a multinational. The good news is that for a small business, compliance is far less daunting than the acronym suggests, and most of it is plain common sense.
This is general information, not legal advice. Data protection rules and fees change, so confirm the current position with the ICO or a qualified adviser before acting.
What the UK GDPR is
The UK GDPR, alongside the Data Protection Act 2018, is the law governing how organisations handle personal data — any information that can identify a living person. That includes obvious things like names, addresses and emails, and less obvious ones like IP addresses, photos and online identifiers.
If you collect, store, use or share any of that, you are processing personal data, and the law applies. The regulator is the Information Commissioner's Office (ICO), whose guidance is the authoritative reference for UK businesses and is written to be usable by non-specialists.
The principles everything flows from
Rather than a list of rules to memorise, the UK GDPR is built on a handful of principles. Get these right and most of the detail follows. Personal data must be:
- Lawful, fair and transparent — you have a valid reason, and people know what you are doing.
- Used for specified purposes — collected for clear reasons, not repurposed without thought.
- Adequate but limited — only what you actually need (data minimisation).
- Accurate — kept up to date and corrected when wrong.
- Kept no longer than necessary — deleted when the purpose is done.
- Secure — protected against loss, theft and unauthorised access.
There is also a seventh principle — accountability — which simply means you must be able to show you are doing all of the above. For a small business that mostly means keeping sensible records of what you hold and why.

You need a lawful basis
A principle worth its own section: you cannot use personal data without a lawful basis. The UK GDPR sets out six, and for most small businesses the common ones are:
- Consent — the person has clearly opted in.
- Contract — you need the data to deliver something they asked for.
- Legal obligation — the law requires you to process it.
- Legitimate interests — you have a genuine business reason that does not override the person's rights.
You pick the basis that genuinely fits each purpose and record it. Marketing has extra rules on top, through the Privacy and Electronic Communications Regulations (PECR). If you set tracking technologies, understanding what a browser cookie is helps you see why consent often applies, and if you are building a mailing list our guide to growing an email list covers doing it the compliant way.
The rights you have to honour
Individuals have rights over their data, and you must be ready to respond when they exercise them. The ones a small business meets most often:
| Right | What it means in practice |
|---|---|
| Be informed | A clear, accessible privacy notice |
| Access | Provide a copy of their data on request |
| Rectification | Correct inaccurate data |
| Erasure | Delete data when there is no good reason to keep it |
| Object | Stop processing in certain cases, including marketing |
| Portability | Provide data in a reusable format in some cases |
Most requests must be handled free of charge and within one month. The right to object to direct marketing is absolute — when someone opts out, you must stop. In practice this means your systems need to actually find a person's data and act on it, which is much easier if you have not scattered it across a dozen places.
Practical steps for a small business
You do not need a data protection officer or a legal department. A handful of actions cover most of the ground:
- Map your data. List what personal data you hold, where it lives, why, and your lawful basis. You cannot protect or justify what you have not catalogued.
- Write a privacy notice in plain language and put it where you collect data — your website, your sign-up forms.
- Minimise. Stop collecting data you do not use. Less data is less risk and less work.
- Secure it. Strong, unique passwords, two-factor authentication, encryption and restricted access. Treating this as part of your wider cybersecurity keeps it from being an afterthought.
- Set retention periods. Decide how long you keep things and delete them when the time is up.
- Have a breach plan. Know how you would contain and report an incident.
- Check whether you owe the ICO fee. Most organisations processing personal data must pay an annual data protection fee unless exempt.
What to do if it goes wrong
A personal data breach is any security incident that leads to data being lost, stolen, altered or exposed. If a breach is likely to risk people's rights and freedoms, you must report it to the ICO without undue delay, and generally within 72 hours of becoming aware of it. If the risk to individuals is high, you may also have to tell the people affected.
Even breaches you decide not to report should be logged internally, with what happened and why you judged it low-risk. Having a simple plan in advance turns a panicked scramble into a manageable process.
Treating data protection as part of running a credible, trustworthy business — rather than a box to tick — is increasingly a commercial advantage. For a practical perspective on where the lines fall when you use customer data, the London consultancy CM Beyer offers a clear breakdown of what is and is not allowed under UK data-protection rules, framing compliance as part of earning long-term customer trust. That framing is worth borrowing: the businesses that handle data respectfully tend to keep their customers' confidence, which is worth far more than the cost of doing it properly.
The bottom line
The UK GDPR applies to your small business if you handle personal data — which almost every business does. But compliance is not a mystery: follow the principles, have a lawful basis for what you do, respect people's rights, secure the data, collect less of it, and delete what you no longer need. Pay the ICO fee if it applies, and have a simple breach plan ready. Do that, and you will not only stay on the right side of the regulator — you will run a business your customers can trust with their information.
Frequently asked questions
Does GDPR really apply to my tiny business?
Almost certainly. The UK GDPR applies based on whether you process personal data, not on your size. Even a sole trader holding a list of customer emails is processing personal data and must comply.
Do I need to pay a fee to the ICO?
Most organisations that process personal data must pay the Information Commissioner's Office a data protection fee, though some are exempt. Check your status and the current fee tiers on the ICO website.
What is a lawful basis?
It is the legal justification for using someone's personal data. The UK GDPR sets out six, including consent and legitimate interests. You must identify and record the right basis for each purpose before you process the data.
What should I do if there is a data breach?
Contain it, assess the risk, and if it is likely to risk people's rights, report it to the ICO without undue delay and generally within 72 hours. Keep a record of all breaches, even those you do not report.
Join in — free. Comments on Daily Junction are for members, so real names stay rare and bots stay out.
One field. We email you a 6-digit code — no password needed. Your comment is kept while you do it.
Under 13? You’ll need a parent’s OK first — it takes them one click.