TL;DR:

  • UK GDPR applies to any UK business processing personal data — not just large organisations
  • Core requirements are a privacy policy, lawful basis for data collection, 72-hour ICO breach notification, and honouring individual data rights
  • ICO fines can reach £17.5 million or 4% of global turnover — but practical compliance is achievable without a legal team

UK GDPR is the version of the EU’s General Data Protection Regulation that applies in Britain following Brexit. It came into force alongside the Data Protection Act 2018 and remains the framework UK businesses must comply with. Many small business owners assume it only applies to large organisations or those handling health data. It doesn’t. If you collect names, email addresses, or any information that identifies individuals — customers, prospects, staff — UK GDPR applies to you.

The law isn’t designed to punish small businesses that are making a genuine effort. Most ICO enforcement targets organisations that have been wilfully negligent or suffered significant breaches through obvious failures. But the requirements are real, and the compliance steps are far more manageable than the legal language suggests.

Who UK GDPR applies to

If you run a UK business and you collect, store, or use personal data — names, email addresses, IP addresses, purchase history, anything that can identify a person — UK GDPR applies. That covers virtually every business with a website, an email list, or employees.

If you sell to or collect data from people in the EU, you also need to consider EU GDPR, which largely mirrors UK GDPR but is enforced by the relevant EU supervisory authority rather than the ICO.

Not sure if you have EU visitors? Check your analytics platform — Google Analytics will show visitor locations. If you see EU countries, EU GDPR applies too.

The key requirements in plain English

Privacy policy. You need a clear, plain-language privacy policy that tells people what data you collect, why you collect it, how long you keep it, who you share it with, and how they can exercise their rights. It must be easy to find — typically linked in your website footer.

Lawful basis for processing. For every type of data you collect, you need a legal reason. The most common for small businesses: consent (the person actively agreed — a box they ticked themselves, never one pre-ticked for them), contract (you need the data to fulfil an order), or legitimate interests (a balancing test where your business need outweighs the person’s privacy interest).

Cookie consent. If your website uses cookies beyond strictly necessary ones — analytics, advertising, embedded content — you must show a consent banner and only set non-essential cookies after the person accepts. Pre-ticked boxes or consent buried in terms don’t count. The ICO has been increasingly active on this.
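The rule above has a concrete technical shape: nothing non-essential is set until the visitor has actively accepted, the default state is "no consent", and withdrawing consent clears what was set under it. The following is an added example, not code from the original article or from any of the tools it names. The in-memory `CookieJar` is an assumption so the logic can run outside a browser; in a real page you would back it with `document.cookie` or your cookie library, and the cookie names and categories are illustrative.

```javascript
// Added example: gating non-essential cookies behind explicit, unticked-by-default consent.
// CookieJar is a stand-in for document.cookie (assumption for this example).

// Cookies the site genuinely cannot work without (assumed names for the example).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent"]);

class CookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // Default is "no consent" for every non-essential category: nothing is pre-ticked
    // and nothing non-essential is set until the visitor acts on the banner.
    this.consent = { analytics: false, advertising: false };
    // Remember which cookie was set under which category so withdrawal can clear them.
    this.categoryOf = new Map();
    this.load();
  }

  // Restore a previous explicit choice; it lives in a strictly necessary cookie.
  load() {
    const raw = this.jar.get("cookie_consent");
    if (!raw) return;
    try {
      const saved = JSON.parse(raw);
      for (const k of Object.keys(this.consent)) this.consent[k] = saved[k] === true;
    } catch (_) {
      // Malformed or tampered value: fall back to "no consent" rather than guessing.
    }
  }

  // Called only from the banner's Accept/Save button, never automatically on page load.
  recordChoice(choices) {
    for (const k of Object.keys(this.consent)) this.consent[k] = choices[k] === true;
    this.jar.set("cookie_consent", JSON.stringify(this.consent));
    return { ...this.consent };
  }

  hasConsent(category) { return this.consent[category] === true; }

  // The gate. Essential cookies are always set; anything else only with consent.
  setCookie(name, value, category) {
    if (category === "essential") {
      // Refuse to let an analytics or ad cookie be smuggled through as "essential".
      if (!STRICTLY_NECESSARY.has(name)) return false;
      this.jar.set(name, value);
      return true;
    }
    if (!this.hasConsent(category)) return false; // blocked until the visitor accepts
    this.jar.set(name, value);
    this.categoryOf.set(name, category);
    return true;
  }

  // Withdrawal must be as easy as giving consent: reset and delete what was set under it.
  withdraw() {
    for (const name of this.categoryOf.keys()) this.jar.remove(name);
    this.categoryOf.clear();
    this.recordChoice({});
  }
}

// Walk through the lifecycle: before consent, after consent, after a reload, after withdrawal.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  const beforeConsent = cm.setCookie("_ga", "GA1.2.constructed", "analytics"); // false
  const essential = cm.setCookie("session_id", "constructed-session", "essential"); // true
  const mislabelled = cm.setCookie("_fbp", "constructed", "essential"); // false
  cm.recordChoice({ analytics: true, advertising: false });
  const afterConsent = cm.setCookie("_ga", "GA1.2.constructed", "analytics"); // true
  const adsBlocked = cm.setCookie("ad_id", "constructed", "advertising"); // false
  const survivesReload = new ConsentManager(jar).hasConsent("analytics"); // true
  cm.withdraw();
  const remaining = jar.names().sort(); // only the strictly necessary cookies are left
  return { beforeConsent, essential, mislabelled, afterConsent, adsBlocked, survivesReload, remaining };
}
```

The two checks worth copying into a real site are the default `false` for every category (the banner never starts in an accepted state) and the refusal in `setCookie` to treat an unknown cookie as essential, which is how analytics tags usually end up firing before the banner is answered.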

Data subject rights. Individuals can exercise rights over their personal data. You must be able to respond within one month to access requests (providing a copy of all data you hold on them), erasure requests (deleting their data when there’s no legitimate reason to keep it), correction requests, and portability requests.

Breach notification. If you suffer a personal data breach, you must notify the ICO within 72 hours of discovering it. If the breach is likely to result in high risk to individuals, you must notify them directly too. Missing this window is one of the most common reasons for ICO enforcement action against small businesses.

Data Processing Agreements. If you use third-party services that process personal data on your behalf — email marketing platforms, CRM tools, cloud storage — you need a Data Processing Agreement (DPA) in place with each of them. Most major platforms (Mailchimp, HubSpot, Google, AWS) provide standard DPAs you can accept in their settings.

Practical compliance steps

Start by mapping what personal data you collect — list every form, tool, and service that handles customer or prospect data. Then review your privacy policy: does it cover what you actually collect? Tools like Iubenda or Termly generate compliant policies for small businesses.

Audit your cookie banner — most website builders have GDPR-compatible plugins. Sign DPAs with your main tools by checking the privacy settings in your email, CRM, and analytics platforms. And create a simple process for handling data requests — a dedicated email address and a 30-minute process is sufficient for most small businesses.

Low-cost compliance tools

Iubenda generates privacy policies, cookie policies, and consent banners. Plans start around £20–25/year and are widely used by UK small businesses.

Termly is similar to Iubenda, with a free tier that covers basic privacy policy generation. Cookie consent banner included.

Cookiebot scans your website for cookies and generates a compliant consent management platform. Free up to 100 pages.

For most small businesses under 10 employees with straightforward data practices, these tools plus a one-time legal review — many UK solicitors offer fixed-fee GDPR health checks for under £500 — will get you to a compliant position.

What ICO fines actually look like

UK GDPR maximum fines are £17.5 million or 4% of global turnover — deliberately scaled to large organisations. Small business enforcement typically involves warnings and corrective orders for first-time violations, smaller fines proportionate to business size and severity, and a focus on businesses that failed to take reasonable steps.

The largest ICO fines (British Airways: £20 million, Marriott: £18.4 million) were for large-scale, systematic failures. A small business with a reasonable privacy policy, proper consent mechanisms, and a plan if something goes wrong is in a very different position.

To be honest, the ICO’s stated approach is to help small businesses comply, not to make examples of them. But you do need to be making a genuine effort.

Bottom line

UK GDPR compliance for a small business is primarily about three things: having an honest privacy policy, getting proper consent before collecting data, and having a plan if something goes wrong. Use Iubenda or Termly to generate compliant documents, sign the DPAs for your key tools, and create a simple process for responding to data requests. That gets you most of the way there without a legal team.