UK GDPR is the data protection law that applies to almost every business that handles personal data, whatever its size. The good news for a small firm: it comes down to a handful of records and habits, not a legal department. This guide explains what you actually need in place, and links every SecurSentry guide on the topic.
UK GDPR is the data protection law that governs how you collect, use and look after personal data, and it applies to your business whatever its size. It sits alongside the Data Protection Act 2018 and is overseen by the ICO, the UK’s data protection regulator. There is no general small-business exemption, so if you hold information that can identify a person (a customer list, staff records, enquiries from a web form) you are in scope. For the full plain-English walk-through, start with GDPR for small businesses.
The part that surprises owners is how reasonable it is in practice. The law is built on a few principles: be clear with people about what you do with their data, only collect what you need, keep it accurate and secure, hold it no longer than necessary, and be able to account for all of that. None of it asks a small firm to behave like a bank. It asks you to know what you hold and treat it with a bit of care.
It also scales to your risk. A two-person studio with a customer mailing list has far less to do than a firm processing health records all day. So the honest answer to “what do I have to do?” is: the basics, done properly, and a couple of plans kept ready. The rest of this guide is those basics.
Strip away the jargon and UK GDPR for a small business comes down to this short list. Our GDPR starter pack walks through each one as something you can draft yourself.
Put these in place and you have done the substance of UK GDPR. The point was never the paperwork; it is that you genuinely know what you hold and look after it.
Two acronyms worry small-business owners more than they should. A Data Protection Officer is a formal role the law only makes mandatory in narrow cases: public authorities, and businesses whose core work is large-scale monitoring of people or large-scale handling of sensitive data. Most small firms need someone responsible for data protection, but not a statutory DPO. Our guide on whether you need a DPO walks through the test.
A Data Protection Impact Assessment is a risk assessment you run before a genuinely high-risk project, such as significant staff monitoring or using AI to make decisions about people. Ordinary processing does not need one, but you should screen new projects so you spot the moment one does. We cover that in do you need a DPIA?
Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.
Start here
When someone asks, or something goes wrong
The security that GDPR expects is the everyday security work customers ask about too. Do it once and write it down, and the same effort answers a questionnaire, supports a certification, and keeps personal data safe. We're building SecurSentry around exactly that.
Yes. UK GDPR applies to almost any organisation that handles personal data about individuals, regardless of size, and there is no general small-business exemption. If you hold names, email addresses, or anything else that can identify a person, you have obligations. The reassurance is that for most small firms those obligations are proportionate to what you actually do with data.
The core set is short: a clear privacy notice, a simple record of the personal data you hold and why, a lawful basis for each use, appropriate security, sensible retention, and a ready plan for handling subject access requests and data breaches. Most of these are documents you can draft yourself; a few are ongoing habits.
Probably not. A DPO is legally required only for public authorities, organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or those processing special category or criminal-offence data on a large scale. Most small businesses fall outside all three, though you should still give someone clear internal responsibility for data protection.
UK GDPR requires 'appropriate' security for personal data but doesn't prescribe exactly how. Cyber Essentials gives you a concrete, recognised set of basics, like access control, patching and secure configuration, that directly support the security part of GDPR. Doing one makes the other easier to evidence, which is why the work carries across.