GDPR for small businesses
What UK GDPR actually asks of a small business, and how to meet it proportionately without drowning in policies.
GDPR has a reputation for being big, bureaucratic, and built for large companies. For a small business, that reputation does more harm than the regulation does. The law asks you to handle people's personal data responsibly and to be able to show that you do. Most of the work is sensible and proportionate, and something you can largely put in place once and then maintain.
This guide explains what the UK GDPR actually requires of a small business, what you can safely keep light, and where to start.
Does GDPR apply to my business?
Almost certainly, yes. If you hold information that identifies living people, whether customers, leads, employees, or suppliers, you're processing personal data and the UK GDPR applies. There's no small-business exemption, and your size makes very little difference to the basic obligations.
Two things are worth knowing. Since Brexit, the rules that apply in the UK are the UK GDPR alongside the Data Protection Act 2018, and the regulator is the Information Commissioner's Office (ICO). And most organisations that process personal data must pay the ICO's annual data protection fee unless they qualify for an exemption. For a small business the fee is modest, but not paying it when you should is an easy thing to get caught on.
What GDPR actually asks of you
Underneath the jargon, the UK GDPR comes down to a handful of practical obligations. None of them require enterprise tooling.
Know what personal data you hold
You can't protect or account for data you haven't mapped. Write down what personal data you collect, where it lives, why you have it, who you share it with, and how long you keep it. For most small businesses this is a single short record, not a major project. It's also the foundation everything else rests on, including your privacy notice and your ability to answer requests.
Have a lawful basis for using it
Every use of personal data needs a lawful basis. There are six to choose from: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You don't need consent for everything; running payroll relies on legal obligation and contract, not a consent box. Choosing the right basis up front saves a lot of confusion later, and some bases, such as legitimate interests, ask you to weigh your needs against people's interests first.
If you handle more sensitive information, such as health, ethnicity, or beliefs, that's special category data, and you need an additional condition on top of your lawful basis. Most small businesses touch this less than they fear, but it's worth checking.
Tell people what you do with their data
People have a right to know how you use their information, and a privacy notice is how you tell them. It should be written in plain language and cover what you collect, why, who you share it with, how long you keep it, and the rights people have. A privacy notice nobody can understand doesn't meet the standard, however long it is.
Respect people's rights
Individuals can ask to see the data you hold about them, have mistakes corrected, object to certain uses, and in some cases have their data deleted. The most common request you'll receive is for access, often called a subject access request, and you generally have one month to respond. Knowing in advance how you'd find and return someone's data turns a stressful scramble into a routine task.
Keep the data secure
The UK GDPR expects security appropriate to the risk, not perfection. For most small businesses that means the same proportionate foundations that protect the rest of the business: multi-factor authentication, managed devices, sensible access control, and backups. If you want a starting point, our security foundations checklist covers the basics.
Manage the suppliers who touch your data
When another company processes personal data on your behalf, such as your cloud tools, your payroll provider, or your email platform, they act as your processors, and you're expected to have the right contract terms in place with them. In practice the major providers offer these terms as standard, so the job is to know who your processors are and to check the terms exist, not to negotiate each one from scratch.
Be ready for a breach
If personal data is lost or exposed in a way that is likely to put people at risk, you may need to report it to the ICO within 72 hours, and tell the affected people if the risk is high. Not every incident meets that threshold, but you should know who decides, and how, before anything happens. A simple written process is enough.
Do I need a Data Protection Officer?
Probably not as a legal requirement. A formal DPO is only mandatory in specific cases, mainly where your core activities involve large-scale monitoring of people or large-scale handling of sensitive data. Most small businesses fall outside that. What every business does need is clear ownership: someone whose job it is to keep privacy on track. If you'd rather that sat with an experienced outsider than land on a founder or office manager, our DPO service provides a named, qualified person to hold it.
How much is enough?
This is the question that matters most, and the one the scary version of GDPR never answers. The standard is proportionate to your size and the risk you carry. A ten-person company doesn't need the privacy programme of a bank, and building one wastes money you could spend on the things that actually reduce risk.
The headline fines are large, but for a small business the realistic consequences are more ordinary: a complaint to the ICO you can't answer well, a customer asking for evidence you don't have, or a deal that stalls on a due diligence questionnaire. Getting the basics right, and being able to show your work, protects you against all three.
Where to start
If you do nothing else, do these, in order:
- Map the personal data you hold, and why you hold it.
- Confirm your lawful basis for each main use.
- Write a privacy notice people can actually read.
- Decide how you would handle an access request and a breach.
- Check your suppliers' contract terms and your security basics.
Done in that order, GDPR stops being a cloud over the business and becomes a short, finite piece of work. If you'd like help putting it in place, or simply want to know whether you're doing enough, our GDPR compliance service maps your data, writes the policies and notices you need, and leaves you able to demonstrate compliance to anyone who asks.
Ready to figure out what you actually need?
Let's start with an informal chat about where you are, and where you'd like to be. We'll analyse your current state, identify gaps, and provide actionable recommendations.