SecurSentry
Topic hub

UK GDPR for small business, in plain English

UK GDPR is the data protection law that applies to almost every business that handles personal data, whatever its size. The good news for a small firm: it comes down to a handful of records and habits, not a legal department. This guide explains what you actually need in place, and links every SecurSentry guide on the topic.

Updated June 2026 3 guides in this hub ≈ 23 min to read it all

The short version

What does UK GDPR actually require of a small business?

UK GDPR is the data protection law that governs how you collect, use and look after personal data, and it applies to your business whatever its size. It sits alongside the Data Protection Act 2018 and is overseen by the ICO, the UK’s data protection regulator. There is no general small-business exemption, so if you hold information that can identify a person (a customer list, staff records, enquiries from a web form) you are in scope. For the full plain-English walk-through, start with GDPR for small businesses.

The part that surprises owners is how reasonable it is in practice. The law is built on a few principles: be clear with people about what you do with their data, only collect what you need, keep it accurate and secure, hold it no longer than necessary, and be able to account for all of that. None of it asks a small firm to behave like a bank. It asks you to know what you hold and treat it with a bit of care.

It also scales to your risk. A two-person studio with a customer mailing list has far less to do than a firm processing health records all day. So the honest answer to “what do I have to do?” is: the basics, done properly, and a couple of plans kept ready. The rest of this guide is those basics.

What you actually need in place

Strip away the jargon and UK GDPR for a small business comes down to this short list. Our GDPR starter pack walks through each one as something you can draft yourself.

Put these in place and you have done the substance of UK GDPR. The point was never the paperwork; it is that you genuinely know what you hold and look after it.

Do you need a DPO, or a DPIA?

Two acronyms worry small-business owners more than they should. A Data Protection Officer is a formal role the law only makes mandatory in narrow cases: public authorities, and businesses whose core work is large-scale monitoring of people or large-scale handling of sensitive data. Most small firms need someone responsible for data protection, but not a statutory DPO. Our guide on whether you need a DPO walks through the test.

A Data Protection Impact Assessment is a risk assessment you run before a genuinely high-risk project, such as significant staff monitoring or using AI to make decisions about people. Ordinary processing does not need one, but you should screen new projects so you spot the moment one does. We cover that in do you need a DPIA?

Everything on UK GDPR

Every guide, in one place

Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.

UK GDPR is one door into the same work

The security that GDPR expects is the everyday security work customers ask about too. Do it once and write it down, and the same effort answers a questionnaire, supports a certification, and keeps personal data safe. We're building SecurSentry around exactly that.

Frequently asked questions

Does GDPR apply to small businesses in the UK?

Yes. UK GDPR applies to almost any organisation that handles personal data about individuals, regardless of size, and there is no general small-business exemption. If you hold names, email addresses, or anything else that can identify a person, you have obligations. The reassurance is that for most small firms those obligations are proportionate to what you actually do with data.

What does a small business actually need to do for GDPR?

The core set is short: a clear privacy notice, a simple record of the personal data you hold and why, a lawful basis for each use, appropriate security, sensible retention, and a ready plan for handling subject access requests and data breaches. Most of these are documents you can draft yourself; a few are ongoing habits.

Do I need a Data Protection Officer for my small business?

Probably not. A DPO is legally required only for public authorities, organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or those processing special category or criminal-offence data on a large scale. Most small businesses fall outside all three, though you should still give someone clear internal responsibility for data protection.

How does GDPR connect to Cyber Essentials?

UK GDPR requires 'appropriate' security for personal data but doesn't prescribe exactly how. Cyber Essentials gives you a concrete, recognised set of basics, like access control, patching and secure configuration, that directly support the security part of GDPR. Doing one makes the other easier to evidence, which is why the work carries across.

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.