GDPR & data · 9 min read

GDPR for Small Businesses: What You Actually Need to Do

The honest reality of GDPR for small businesses

GDPR generates more anxiety than almost any other regulation for small business owners. Much of that anxiety is disproportionate. For most small businesses, compliance is straightforward.

What law applies?

  • UK GDPR — the UK's version of the EU regulation, retained after Brexit
  • Data Protection Act 2018 — supplements UK GDPR

The Information Commissioner's Office (ICO) is the UK regulator at ico.org.uk.

Do you need to register with the ICO?

Almost certainly yes. Most organisations processing personal data must pay the annual data protection fee unless an exemption applies (the ICO website has a short self-assessment to check). Using CCTV for crime prevention on its own is enough to require payment.

  • £40/year — micro-organisations (turnover of £632,000 or less, or no more than 10 staff)
  • £60/year — small and medium organisations
  • £2,900/year — large organisations

Register at ico.org.uk/registration. The fee amounts are set by regulations and revised from time to time, so check the current figures on the ICO site before paying. Penalties for failing to pay when required range from £400 to £4,000, on top of the fee itself.

What is personal data?

Any information relating to an identified or identifiable living individual. Broader than most people expect: it includes names, email addresses, phone numbers, IP addresses, photos, customer purchase history, employee records, and CCTV footage. Pseudonymised data (for example a customer ID you can match back to a name) still counts; only data that is truly anonymised falls outside the rules.

The six lawful bases

You must identify a lawful basis for each type of processing before you start, and record it. Four of the six bases cover almost everything a small business does:

Contract — you need the data to fulfil a contract. Example: you need a customer's address to deliver their order.

Legitimate interests — you have a genuine need, the processing is necessary to meet it, and that need is not outweighed by the individual's interests and rights. Covers fraud prevention, network and information security, and direct marketing to existing customers. Write down the balancing test you applied so you can show it if challenged.

Consent — required for most email marketing to new contacts. Must be actively given (no pre-ticked boxes) and easy to withdraw.

Legal obligation — required by law. Example: keeping payroll records for HMRC.

The remaining two bases, vital interests (protecting someone's life) and public task (official functions), rarely apply to small businesses.

What you must tell people

Provide a privacy notice when you collect data, covering: who you are, what data you collect, why, how long you keep it, who you share it with, and individuals' rights. Put it on your website linked from any form.

Individual rights

Right of access — provide a copy of the data within one month of the request (extendable by up to two further months if the request is complex, provided you tell the person within the first month). Free in almost all cases; a fee or refusal is only possible for manifestly unfounded or excessive requests.

Right to erasure — delete data when it is no longer needed for the purpose you collected it, when the person withdraws consent and you have no other basis, or when they object and you have no overriding grounds. It is not absolute: data you must keep by law (for example payroll records) is not covered.

Right to rectification — correct inaccurate or incomplete data without undue delay.

Right to object — to processing based on legitimate interests, which you can continue only if you show compelling grounds. Objections to direct marketing are absolute: stop as soon as the person asks.

Email marketing rules

  • The rules for electronic marketing come from PECR (the Privacy and Electronic Communications Regulations), which sit alongside UK GDPR
  • Need consent for marketing to new contacts
  • Can use the soft opt-in for existing customers: you obtained their details in the course of a sale (or negotiations for a sale), you market only your own similar products or services, and you offered an opt-out when you collected the details. Legitimate interests is then the usual UK GDPR lawful basis.
  • Always include a working unsubscribe link in every message
  • Remove unsubscribers promptly and keep a suppression list so they are not re-added
  • Don't buy email lists: you cannot rely on consent you did not collect yourself

CCTV

Display clear signage saying who operates the cameras and why, have a written CCTV policy, restrict who can view footage, retain it only as long as necessary (30 days is a common retention period), be ready to provide footage of a person who makes a subject access request, and register with the ICO.

Data breaches

Report to the ICO within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals' rights and freedoms. If the risk is high (for example leaked bank details or passwords), also inform the affected individuals directly without undue delay. Keep a breach log of every incident, including those you decided not to report and the reasons why.

The practical checklist

  1. Register with the ICO (ico.org.uk/registration) — £40 for most micro-organisations, takes about 20 minutes
  2. Write a privacy notice and put it on your website
  3. Audit what personal data you hold and why
  4. Ensure you have a lawful basis for each type of processing
  5. Check your email marketing practices
  6. Have a process for subject access requests
  7. Know what to do in a data breach

UK GDPR is subject to ongoing updates. ClearPath can answer specific questions about your situation.

Have a specific question?

ClearPath can give you a personalised answer for your situation — free, no card required.


General guidance only — not legal advice. Covers England & Wales.