The GDPR Starter Pack Every Small Business Needs
You don't need a legal department to get GDPR right — you need a handful of documents and habits. Here is the practical starter pack, in plain English.
The short version
- GDPR for a small business comes down to five things: a clear privacy notice, a simple record of the data you hold, a lawful basis for using it, basic security, and a plan for breaches and requests.
- There's no small-business exemption — UK GDPR applies whatever your size — but most of the starter pack is documents you can draft in a focused afternoon, not a major project.
- Your security work isn't separate. The everyday controls you'd do for Cyber Essentials are the same ones that keep personal data safe, so you're often further along than you think.
- Write the breach and request plan before you need it. Where a breach meets the threshold, the ICO expects to hear without undue delay and, where feasible, within 72 hours — that's not the moment to start improvising.
If you run a small business in the UK, GDPR can feel like a wall of obligations written for someone with a compliance team. It isn’t. For most small organisations it comes down to a practical set of documents and habits you can genuinely build yourself: a privacy notice, a simple record of the data you hold, a lawful basis, basic security, and a plan for breaches and requests. No fear, no jargon. And if you already take reasonable care with your customers’ details, you’ve started. The job is turning that into something you can point to.
What GDPR actually asks of a small business, in plain English
GDPR asks you to be clear about the personal data you hold, have a good reason for using it, keep it reasonably secure, and respect people’s rights over it — and to be able to show you do these things.
The General Data Protection Regulation (GDPR) became part of UK law after Brexit. The version that applies in Britain is UK GDPR, which sits alongside the Data Protection Act 2018, with the ICO (the Information Commissioner’s Office) as regulator. There’s a common myth that small businesses are off the hook. They aren’t. The ICO is clear there’s no general small-business exemption — if you hold personal data (names, emails, staff files, customer lists), UK GDPR applies to you.
But “applies to you” doesn’t mean “buries you.” For a typical small business the law’s principles translate into the five-piece starter pack below. Several pieces are documents you can write in an afternoon. The rest are habits one named owner can hold. (For the fuller picture, including when you might need a Data Protection Officer, our guide to GDPR for small businesses covers it in detail.)
The privacy notice — your front-facing document
A privacy notice is the public-facing document that tells people what personal data you collect, why, how long you keep it, who you share it with, and what rights they have.
This is the one piece of the starter pack the world actually sees, usually the “Privacy Policy” page on your website. The ICO is explicit that every business, however small, needs one, written in simple, open language so people know exactly where they stand.
At minimum it should cover: who you are and how to contact you about data; what you collect and where it comes from; why you use it and your lawful basis for each (more below); how long you keep it and who you share it with; and people’s rights, including the right to access their data and, where consent is your basis, to withdraw it.
The ICO even offers a free privacy notice generator for small organisations, which is a sensible place to start. The important thing is that the finished notice describes what your business actually does. A template promising practices you don’t follow is worse than none. Give it to people when you first collect their details, and keep it easy to find afterwards.
TEMPLATE, THEN TAILOR
A good GDPR policy template gets the structure right so you're not staring at a blank page, but every line still has to be true for your organisation. Treat the template as scaffolding, then walk through your real systems and make each statement match reality. That tailoring is the part that protects you.
Knowing what data you hold (a simple record)
A simple record of the personal data you hold — what it is, why you have it, where it lives, how long you keep it, and who you share it with — is the quiet backbone that makes every other GDPR task easier.
You can’t write an honest privacy notice, answer a data request, or assess a breach if you don’t know what you’re holding. This record (often called a Record of Processing Activities, or ROPA) needn’t be elaborate. A single spreadsheet is fine. Start with your biggest categories and work outwards:
- Customers — contact details, orders, payment records.
- Employees — HR files, payroll, emergency contacts.
- Marketing — mailing lists, enquiry forms.
- Suppliers — third parties who handle data on your behalf.
For each, note why you hold it, where it’s stored, how long you keep it, and who you share it with. A full formal ROPA is strictly required mainly for higher-risk processing, but a simple version is strongly advisable regardless. It turns every later task from guesswork into a lookup.
You can’t protect, justify, or honestly describe data you haven’t first mapped. The record is dull to make and invaluable to have.
Lawful basis — why you are allowed to use the data
A lawful basis is the legal reason you’re allowed to use a particular set of personal data — and UK GDPR gives you six to choose from, with most small businesses relying on just two or three.
Under UK GDPR, every use of personal data needs a lawful basis: a documented justification for processing it. Article 6 sets out six:
- Consent — the person has clearly agreed.
- Contract — you need the data to deliver something they’ve asked for.
- Legal obligation — the law requires you to process it.
- Vital interests — to protect someone’s life.
- Public task — for an official function with a basis in law.
- Legitimate interests — your genuine business interest, balanced against the person’s rights.
In practice, most small businesses lean on contract (a delivery address to fulfil an order), legal obligation (payroll records for tax), and legitimate interests (a relevant update to existing customers). Consent matters most for marketing to people who aren’t yet your customers.
The work here isn’t choosing. It’s writing it down. The ICO expects you to determine your lawful basis before you start processing and to record which basis applies to each purpose. That’s an afternoon’s job, and once done it slots straight into your privacy notice and data record, closing one of the quietest gaps in small-business GDPR.
Keeping data secure — the overlap with Cyber Essentials
GDPR requires “appropriate” security for personal data without prescribing the exact controls — and the everyday basics in Cyber Essentials are precisely the controls that satisfy it.
This is where many small businesses don’t realise how far along they already are. GDPR’s security principle asks for measures “appropriate” to the risk but deliberately doesn’t hand you a checklist, and the practical answer is the basics you’d put in place anyway. The controls behind Cyber Essentials, the UK government-backed scheme covering the fundamentals, map almost directly onto the security GDPR expects:
- Access control — only the right people reach personal data, with multi-factor authentication (a second login step beyond a password) on the accounts that matter.
- Keeping software updated — patching known weaknesses before they’re exploited.
- Secure configuration — devices and cloud services set up safely, not left on defaults.
- Malware protection and a properly configured firewall.
Do these, and you’re not running two separate programmes. Your security work is your GDPR security work. That’s the honest efficiency at the heart of the starter pack. And remember: saying your data is secure and being secure are two different things. The controls above are how you move from the first to the second.
Breaches and requests — having a plan before you need one
A breach-and-request plan is a short, written procedure for the two moments you can’t improvise under pressure: a personal data breach, and someone asking for their data.
These two events share a feature: they arrive without warning and both run on a clock. The time to decide who does what is now, calmly, not in the middle of one.
For a breach: if personal data is lost, stolen, or accidentally disclosed and the risk to people meets the threshold, you may need to tell the ICO without undue delay, and where feasible within 72 hours of becoming aware. The ICO is reassuring for small organisations here. You don’t need every detail straight away, just to let them know before the 72 hours are up, with more to follow. So write a one-page procedure naming who’s told first, who decides whether it’s reportable, who contacts the ICO, and who tells affected people. That single page is the difference between a controlled response and a scramble.
For a request: anyone, whether a customer, a former employee, or a prospect, can ask to see the personal data you hold about them. This is a Subject Access Request, and you generally have one calendar month to respond, free of charge. (For a complex request, or several from the same person, that month can be extended by up to a further two, but plan around the one-month default.) A simple process makes it routine rather than alarming: who receives it, where to look, how to collate it, a template reply. Our walkthrough on how to handle a subject access request takes you through it step by step.
WRITE IT WHILE IT'S BORING
Both plans are easy to draft when nothing is going wrong and almost impossible to draft well when something is. An hour now writing two short procedures buys you a clear head at exactly the moment you'll need one most. Mark any gaps honestly: a known gap with a plan beats an unknown one every time.
Putting the starter pack together
Build the five pieces in order — privacy notice and lawful basis first, then your data record, then security basics, then the breach-and-request plan — because each draws on the same picture of what you hold and why.
You don’t have to do it all at once. The goal isn’t a perfect, audit-proof binder by Friday — it’s an honest, working starter pack you can stand behind and improve over time. Lead with the progress you’ve made, mark the gaps plainly, and close them one focused session at a time.
SecurSentry is launching soon to help UK SMEs build genuine, evidence-backed compliance. It maps the documents and controls you actually need, and pulls your privacy notice, data record, lawful basis and breach plan into one joined-up programme. We’re putting together a downloadable GDPR starter pack for the businesses on our list. Join the waitlist to get it first when we open.
This article is general information, not legal or compliance advice. Your obligations depend on your specific circumstances. If you’re unsure about your position, seek qualified guidance from a data protection professional or solicitor.