Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, there’s a good chance you handle personal data every day - customer emails, staff records, mailing lists, enquiries through your website, CCTV footage, or even just delivery details.
That’s where GDPR procedures come in. They’re the practical steps and routines your business follows to collect, use, store, share and delete personal data lawfully, safely and consistently.
The good news is that GDPR compliance doesn’t have to be complicated (or expensive) if you build a sensible set of processes and keep them up to date as you grow.
This guide walks you through a practical, small-business-friendly approach to GDPR procedures, based on the UK GDPR and the Data Protection Act 2018.
This article is general information only and isn’t legal advice. If you want advice on your specific circumstances, get in touch with a lawyer.
What Do “GDPR Procedures” Mean For A Small Business?
In plain English, GDPR procedures are your business’ repeatable “how we do things” rules for personal data.
They’re different from a policy that sits in a folder and never gets opened. Good GDPR procedures are used in real life - by you, your team, and any contractors who handle data on your behalf.
Why Procedures Matter (Not Just Paperwork)
Even if you have a Privacy Policy on your website, you can still run into trouble if your day-to-day handling of data doesn’t match what you’re telling people, or if your team isn’t following a consistent approach.
Solid procedures help you:
- reduce the risk of data breaches and accidental disclosures
- respond faster to customer requests (like access or deletion requests)
- prove compliance if you ever need to show what you did and why
- avoid operational chaos as you grow and more people handle data
What Counts As “Personal Data”?
Personal data is any information that identifies someone (directly or indirectly). Common examples for SMEs include:
- names, email addresses, phone numbers
- delivery addresses
- IP addresses and online identifiers (depending on context)
- staff HR records, sickness records, payroll details
- CCTV footage where people can be identified
Some data is “special category” (more sensitive) - like health data - and needs extra care.
A Step-By-Step GDPR Procedures Checklist (That You Can Actually Implement)
If GDPR feels overwhelming, you’re not alone. The easiest way to approach it is to build your GDPR procedures in a logical order - starting with what data you have, then how you use it, and finally how you protect it.
Step 1: Map What Personal Data You Collect (And Why)
Start with a simple “data map” (you can do this in a spreadsheet). List:
- What data you collect (e.g. contact forms, customer orders, employee files)
- Where it comes from (website, email, phone, in-person, referral)
- Why you collect it (purpose)
- Where it’s stored (CRM, email inbox, cloud drive, paper files)
- Who you share it with (accountants, payroll providers, couriers, hosting providers)
- How long you keep it (your retention period)
This step alone usually highlights quick wins - like duplicated storage, unnecessary data collection, or unclear retention.
Step 2: Decide Your Lawful Basis For Each Use
Under the UK GDPR, you need a lawful basis for processing personal data. Common lawful bases for SMEs are:
- Contract (e.g. you need a customer’s address to deliver what they bought)
- Legal obligation (e.g. payroll records and tax requirements)
- Legitimate interests (e.g. basic business operations, fraud prevention - but you must balance this against the individual’s rights)
- Consent (often used for email marketing, cookies, or optional communications)
A practical GDPR procedure here is: for every data category, record the lawful basis you’re relying on and apply it consistently. If your purpose (or lawful basis) changes, update your documentation and notices.
Step 3: Update Your External Notices (So People Know What You’re Doing)
Your GDPR procedures should match what you tell customers, leads, and website visitors.
Most SMEs need a clear Privacy Policy explaining:
- what data you collect and why
- your lawful bases
- who you share data with (including service providers)
- international transfers (if relevant)
- how long you keep information
- individual rights (access, correction, deletion, objection, etc.)
- how to contact you and how to complain
If you use cookies or tracking tools, you’ll also need to think about cookie compliance under PECR (Privacy and Electronic Communications Regulations), which often works alongside GDPR.
Step 4: Create A Retention And Deletion Routine
A common mistake is keeping everything forever “just in case”. GDPR expects you to keep personal data no longer than necessary for the purpose you collected it.
Your procedure should set:
- retention periods (how long you keep each category)
- review points (e.g. every quarter, every 6 months)
- secure deletion steps (including backups where appropriate)
In practice, it helps to align your retention periods with operational realities (like accounting and HR obligations) while still being disciplined about deleting what you no longer need. If you’re unsure what’s reasonable, document your reasoning and apply it consistently - there isn’t one universal retention period that suits every business.
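Steps 1, 2 and 4 above describe a single routine: keep a data map, record the lawful basis for each category, and review it against retention periods. The script below is an added example (not code from the article or Sprintlaw) showing how that review can be automated once the spreadsheet is held as structured data. The inventory entries, retention periods, dates and the `DataMapEntry` field names are constructed for illustration; the review flags categories past their retention period (and every storage location, including backups, they must be deleted from), categories with no recorded lawful basis, special-category data, and the processors that should be covered by a data processing agreement.

```python
"""Data map with lawful-basis and retention review.

Added example, not part of the original article and not Sprintlaw's own
tooling. The inventory entries, retention periods and dates below are
constructed for illustration; real retention periods depend on your own
legal and operational obligations.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Lawful bases named in the article (Step 2).
LAWFUL_BASES = {"contract", "legal obligation", "legitimate interests", "consent"}
# Special-category data needing extra care; "health" is the article's example.
SPECIAL_CATEGORY = {"health"}


@dataclass
class DataMapEntry:
    category: str            # what you collect (e.g. "customer orders")
    source: str              # where it comes from
    purpose: str             # why you collect it
    storage: List[str]       # where it is stored, including backups
    shared_with: List[str]   # processors and other recipients
    lawful_basis: str        # the basis you rely on ("" = not yet recorded)
    retention_days: int      # retention period for this category
    last_needed: date        # constructed: last date the purpose was served
    data_types: Set[str] = field(default_factory=set)


def review_data_map(entries: List[DataMapEntry], today: date) -> Dict[str, object]:
    """Run a periodic review and return the findings a reviewer would act on."""
    findings = {
        "past_retention": {},    # category -> storage locations to delete from
        "missing_basis": [],     # categories with no recorded lawful basis
        "special_category": [],  # categories needing extra safeguards
        "processors": set(),     # every recipient that should be under a DPA
    }
    for e in entries:
        if e.lawful_basis not in LAWFUL_BASES:
            findings["missing_basis"].append(e.category)
        if e.data_types & SPECIAL_CATEGORY:
            findings["special_category"].append(e.category)
        if today - e.last_needed > timedelta(days=e.retention_days):
            findings["past_retention"][e.category] = list(e.storage)
        findings["processors"].update(e.shared_with)
    return findings


def next_review(today: date, interval_days: int = 90) -> date:
    """Next review point; quarterly by default, as the article suggests."""
    return today + timedelta(days=interval_days)


# Constructed sample inventory for a small online shop.
SAMPLE_INVENTORY = [
    DataMapEntry("customer orders", "website", "fulfil and deliver orders",
                 ["CRM", "cloud backup"], ["courier", "accountant"],
                 "contract", 6 * 365, date(2019, 1, 10)),
    DataMapEntry("website enquiries", "contact form", "respond to enquiries",
                 ["email inbox"], ["hosting provider"],
                 "legitimate interests", 365, date(2023, 1, 15)),
    DataMapEntry("newsletter list", "signup form", "email marketing",
                 ["email marketing platform"], ["email marketing platform"],
                 "consent", 730, date(2024, 5, 1)),
    DataMapEntry("staff sickness records", "HR", "manage absence",
                 ["HR folder"], ["payroll provider"],
                 "", 3 * 365, date(2024, 5, 20), data_types={"health"}),
    DataMapEntry("CCTV footage", "shop cameras", "premises security",
                 ["DVR"], [], "legitimate interests", 30, date(2024, 4, 1)),
]
REVIEW_DATE = date(2024, 6, 1)  # constructed review date


def sample_review() -> Dict[str, object]:
    """Review the constructed inventory as at REVIEW_DATE."""
    return review_data_map(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    result = sample_review()
    for category, locations in result["past_retention"].items():
        print(f"delete {category!r} from: {', '.join(locations)}")
    print("no lawful basis recorded:", result["missing_basis"])
    print("special category data:", result["special_category"])
    print("processors needing a DPA:", sorted(result["processors"]))
    print("next review due:", next_review(REVIEW_DATE))
```

Run it on the sample inventory and it reports the enquiries and the CCTV footage as past retention (the latter after 30 days), the sickness records as both lacking a recorded lawful basis and containing special-category data, and five recipients to check for DPAs. Swapping the sample list for a CSV export of your own data map is the only change needed to use it for real reviews.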
Step 5: Put Security Measures In Place (And Make Them Routine)
Security isn’t just an IT issue - it’s a GDPR procedures issue, because most data incidents happen through day-to-day habits (weak passwords, forwarding emails to personal accounts, lost devices, accidental sharing).
Build a simple “minimum standard” your business follows:
- use strong passwords and multi-factor authentication where available
- limit access to personal data (only those who need it)
- encrypt laptops and phones, and use screen locks
- avoid storing personal data in personal inboxes or unmanaged devices
- have a clear process for leavers (remove access promptly)
- check your cloud storage settings and sharing permissions
If you use cloud tools, don’t assume they’re automatically compliant just because they’re popular. Your GDPR procedure should include periodic checks of your configuration, permissions, and access controls. This comes up a lot with file storage - and it’s why SMEs often ask questions about cloud storage compliance.
What GDPR Documents And Policies Should SMEs Have In Place?
Once your procedures are clear, you’ll usually need a few key documents to support them. The exact list depends on your business model (ecommerce, professional services, clinic, SaaS, etc.), but here are the common essentials.
1) Privacy Policy (External)
This is customer-facing and should reflect what you actually do. For many small businesses, this is the first place regulators and customers look.
2) Data Processing Agreements (When You Use Suppliers)
If another business processes personal data on your behalf - for example, a payroll provider, email marketing platform, customer support tool, or hosting provider - you’ll typically need a written agreement in place with the right GDPR clauses (often called a data processing agreement).
A practical procedure is: don’t give suppliers access to personal data until the right terms are agreed. This often sits inside (or alongside) a Data Processing Agreement.
3) Internal Acceptable Use And Security Rules
Even if you only have a small team, it’s worth setting clear boundaries around devices, passwords, downloads, sharing, and using personal accounts for work.
This is where an Acceptable Use Policy can support your GDPR procedures and help you set expectations with staff and contractors.
4) A Documented Compliance Pack (So You Can Show Your Work)
GDPR includes an “accountability” principle - it’s not enough to comply, you should be able to demonstrate compliance.
For SMEs, that doesn’t mean a mountain of paperwork. It means having your core documents organised and up to date. Many businesses bundle this into a practical compliance set, like a GDPR package, so the essential parts don’t fall through the cracks.
How Do You Train Your Team To Follow GDPR Procedures?
You can have the best documents in the world, but if your team doesn’t follow them, you’ll still be exposed.
Your goal isn’t to turn your staff into data protection experts. It’s to make sure they understand the basics and know what to do in common situations.
Build GDPR Into Your Onboarding
A simple onboarding checklist can cover:
- what personal data they’ll handle
- where it should be stored (and where it shouldn’t)
- how to recognise phishing and suspicious emails
- how to share files safely
- who to report concerns to
Give Staff A “When In Doubt” Escalation Route
A very workable GDPR procedure for SMEs is: if someone isn’t sure, they pause and ask.
This prevents quick “helpful” decisions that become serious problems later - like emailing the wrong attachment, sharing customer lists, or responding incorrectly to a data rights request.
Limit Access By Role (Even In Small Teams)
Not everyone needs access to everything.
For example, your customer service team might need order information, but not full payment records. Your marketing team might need email lists, but not customer complaints or HR files.
Role-based access is one of the simplest and most effective GDPR procedures for reducing risk.
How To Handle Data Breaches And Data Subject Requests (Without Panicking)
Two areas tend to cause the most stress for SMEs:
- what to do if something goes wrong (a data breach), and
- what to do if someone exercises their rights (like an access request).
Both are manageable if you have a plan.
GDPR Procedure: Data Breach Response (Step-By-Step)
A personal data breach can include loss, unauthorised access, accidental disclosure, or destruction of personal data. Think: a laptop is stolen, an email goes to the wrong person, or a shared folder is accidentally made public.
Your GDPR procedures should include a clear response workflow, such as:
- Contain the issue (remove access, recall emails where possible, change passwords).
- Assess what data was involved and who is affected.
- Evaluate risk to individuals (financial harm, identity theft, distress, exposure of sensitive info).
- Decide whether you need to notify the ICO (the UK regulator) within 72 hours.
- Decide whether you need to notify affected individuals (especially where there’s a high risk).
- Document everything - what happened, what you did, and what you changed.
- Prevent recurrence (update training, access controls, processes).
This is much easier when you’ve already prepared a Data Breach Response Plan that fits how your business actually operates.
GDPR Procedure: Handling Subject Access Requests (SARs)
Individuals have the right to request access to their personal data (a “subject access request” or SAR). They can also ask you to correct data, delete it (in some cases), or stop certain types of processing.
Your procedure should cover:
- How requests are received (email, website form, social media message, in person).
- Who is responsible for logging and handling requests.
- Identity checks (so you don’t disclose data to the wrong person).
- Timeframes (you must respond without undue delay and generally within one month, although the deadline can pause while you verify identity, and extensions may apply for complex or numerous requests).
- Where to search (email inboxes, CRM, folders, archived systems).
- What exemptions might apply (this can be technical, so get advice if needed).
As a small business, the practical key is having a consistent way to log requests and track deadlines, so nothing gets missed when things get busy.
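Both procedures above (breach response and SAR handling) turn on tracking a deadline: 72 hours for the ICO notification decision, and one month for responding to a request, with the clock not running while you verify identity and with possible extensions. The following is an added example, not code from the article or Sprintlaw, of a small register that computes and tracks those deadlines. It assumes the 72-hour clock starts when you become aware of the breach; that the one-month deadline falls on the same date next month, or the last day of that month if no such date exists (so a request received on 31 January is due by the end of February); that a request needing identity checks has no deadline until identity is verified; and that an extension for complex or numerous requests adds up to two further months. The sample requests, names and the breach record are constructed.

```python
"""Deadline register for breach response and subject access requests (SARs).

Added example, not from the original article or Sprintlaw. Assumptions:
the 72-hour ICO clock runs from when you become aware of the breach; the
SAR clock runs from receipt, or from identity verification where ID checks
were needed; "one month" means the same date next month, clipped to the
last day of that month; extensions add up to two further months.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Same day-of-month N months later, clipped to the last day of that month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class BreachRecord:
    description: str
    became_aware: datetime
    risk_to_individuals: str  # outcome of your assessment: "unlikely", "risk" or "high"

    def ico_deadline(self) -> datetime:
        """Latest time for the ICO notification decision (72h from awareness)."""
        return self.became_aware + timedelta(hours=72)

    def notify_ico(self) -> bool:
        # Assumption: notify unless the breach is unlikely to result in a risk.
        return self.risk_to_individuals != "unlikely"

    def notify_individuals(self) -> bool:
        # The article: tell affected people especially where the risk is high.
        return self.risk_to_individuals == "high"


@dataclass
class SubjectAccessRequest:
    requester: str
    received: date
    channel: str                              # email, web form, social media, in person
    id_check_required: bool = False
    identity_verified: Optional[date] = None  # None until ID checks are complete
    extension_months: int = 0                 # 0, 1 or 2 for complex/numerous requests
    completed: Optional[date] = None

    def clock_start(self) -> Optional[date]:
        """The clock does not run while identity is still being verified."""
        return self.identity_verified if self.id_check_required else self.received

    def deadline(self) -> Optional[date]:
        start = self.clock_start()
        if start is None:
            return None
        return add_months(start, 1 + min(self.extension_months, 2))


def overdue(requests: List[SubjectAccessRequest], today: date) -> List[str]:
    """Requesters whose deadline has passed without the request being completed."""
    return [r.requester for r in requests
            if r.completed is None and r.deadline() is not None and today > r.deadline()]


def awaiting_identity(requests: List[SubjectAccessRequest]) -> List[str]:
    """Requests whose clock has not started because ID checks are outstanding."""
    return [r.requester for r in requests if r.deadline() is None]


# Constructed sample register.
TODAY = date(2024, 6, 1)
SAMPLE_REQUESTS = [
    SubjectAccessRequest("Alice", date(2024, 1, 31), "email", completed=date(2024, 2, 20)),
    SubjectAccessRequest("Bob", date(2024, 3, 1), "web form",
                         id_check_required=True, identity_verified=date(2024, 3, 5)),
    SubjectAccessRequest("Carol", date(2024, 3, 10), "social media", id_check_required=True),
    SubjectAccessRequest("Dan", date(2024, 5, 31), "in person", extension_months=2),
]
SAMPLE_BREACH = BreachRecord("unencrypted laptop stolen", datetime(2024, 6, 1, 9, 0), "high")

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r.requester}: deadline {r.deadline()}")
    print("overdue:", overdue(SAMPLE_REQUESTS, TODAY))
    print("awaiting identity checks:", awaiting_identity(SAMPLE_REQUESTS))
    print("ICO decision by:", SAMPLE_BREACH.ico_deadline(),
          "| notify ICO:", SAMPLE_BREACH.notify_ico(),
          "| notify individuals:", SAMPLE_BREACH.notify_individuals())
```

On the sample data, Alice's request received on 31 January is due by 29 February (the month-end clip), Bob's clock starts at identity verification rather than receipt, Carol has no deadline yet, and Dan's two-month extension pushes a 31 May request to 31 August. Keeping a register like this, rather than relying on inbox memory, is what makes the "log requests and track deadlines" procedure hold up when things get busy.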
Key Takeaways
- GDPR procedures are the repeatable, real-world steps your business follows to handle personal data lawfully and securely - not just a set of documents.
- Start with a data map so you know what you collect, where it’s stored, who you share it with, and why you need it.
- Make sure every use of personal data has a clear lawful basis under the UK GDPR, and document that basis so you can apply it consistently.
- Put clear documentation in place (like a Privacy Policy and the right supplier terms) so what you do matches what you tell people.
- Build retention and deletion routines to avoid keeping data forever, and reduce risk as you scale.
- Train your team with simple, practical rules and an escalation process, so small mistakes don’t turn into serious data incidents.
- Have a data breach response procedure and a process for handling subject access requests so you can respond quickly and confidently if issues arise.
If you would like help putting GDPR procedures in place for your small business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.