Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles any personal data – from customer emails and payment details to staff records – you’re already in the scope of UK GDPR and the Data Protection Act 2018.
The good news? You don’t need a huge legal team to comply. What you do need are simple, repeatable GDPR procedures that fit how your business actually works.
In this guide, we’ll break down GDPR procedures into clear steps you can implement right away, so you’re protected from day one and set up to scale with confidence.
What Is GDPR And Why Your Business Needs Procedures
GDPR (as retained in UK law) sets out how organisations must collect, use, share and secure personal data. It’s built on principles like lawfulness, transparency, minimisation, and accountability. If you process personal data, you must demonstrate you’ve thought about privacy at every stage – and have procedures to back that up.
Why procedures matter:
- They turn legal duties into day-to-day actions your team can follow.
- They help you prove compliance to the ICO (the UK regulator) if asked.
- They reduce risk and cost by preventing mistakes and inconsistent practices.
- They scale – as your business grows or hires new staff, the rules are already clear.
At a minimum, small businesses should document how they collect data, handle rights requests, manage vendors, secure systems, and respond to incidents. These are your core GDPR procedures – practical, repeatable, and tailored to your operations.
Map Your Data: Records Of Processing And Lawful Bases
Before you draft any policy, get clear on what personal data you hold and why. This is your foundation.
1) Build Your Data Inventory (RoPA)
Create and maintain a Record of Processing Activities (RoPA). For each activity (e.g. onboarding customers, payroll, marketing), note:
- What personal data you collect (e.g. names, emails, payment info).
- Where it comes from and where it goes (systems, processors, third countries).
- Your purpose and lawful basis (e.g. contract, consent, legitimate interests).
- How long you keep it (retention period) and how you securely delete it.
- Security controls in place (access, encryption, backups).
Be specific. “Marketing list” is less useful than “Newsletter sign-ups via website form, stored in Mailchimp, used for monthly product updates, data minimised to email address, unsubscribes processed via link.”
2) Choose The Right Lawful Basis
Each processing purpose needs a lawful basis. Common options:
- Contract: necessary to perform or take steps at someone’s request.
- Legal obligation: required by law (e.g. tax, employment).
- Legitimate interests: your genuine business needs balanced against privacy rights.
- Consent: freely given, informed, specific and easy to withdraw.
Document your basis and justification (particularly for legitimate interests). This ensures consistency across your team and communications.
Core GDPR Procedures Every Small Business Should Have
Think of these as your “privacy playbook”. You don’t need heavy manuals – concise, clear procedures your team will actually follow are far better.
Privacy Notices And Transparency
- Maintain an up-to-date website and in-product privacy notice explaining what you collect, why, lawful bases, who you share data with, retention, and rights.
- Use layered notices: a short summary up-front with links to longer detail.
- Ensure notices align with your actual practices (and your RoPA).
Most businesses publish a user-friendly Privacy Policy and mirror it in onboarding or sign-up flows.
Data Subject Rights (DSARs)
- Have a step-by-step process to verify identity, log requests, assign owners, and respond within one month.
- Cover access, rectification, erasure, restriction, portability, objection and marketing preferences.
- Train staff to recognise requests that arrive via email, social media or customer support.
Timeframes are strict, so a simple workflow and tracking log are essential. It’s worth bookmarking guidance on DSAR deadlines so your team can act fast.
Consent And Preferences
- Use plain language, avoid pre-ticked boxes, and separate consent from T&Cs.
- Provide simple, always-available opt-outs (e.g., email unsubscribe link).
- Record what was consented to, when, and how (for auditability).
Data Retention And Deletion
- Assign a retention period to each data set in your RoPA.
- Automate deletion or anonymisation where possible and document exceptions.
- Apply secure disposal procedures to backups and paper records.
Unsure how long to keep specific records? Review practical guidance on data retention periods and align it with your sector and legal obligations.
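The RoPA fields above and the retention rule just described can be kept as structured records and checked mechanically, which is what the Step 2 gap analysis later in this guide amounts to. The Python below is an added illustration of that, not code from the original guide or from Sprintlaw: the `ProcessingActivity` fields mirror the inventory list above, `SAMPLE_REGISTER` and `SAMPLE_RECORDS` are constructed sample data, and the checks (a balancing justification for legitimate interests, a withdrawal route for consent, a retention period for every activity) are my reading of the points this guide makes.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example: a minimal Record of Processing Activities with gap checks and a
# retention-driven deletion pick. All sample data below is constructed.

LAWFUL_BASES = {"contract", "legal_obligation", "legitimate_interests", "consent"}


@dataclass
class ProcessingActivity:
    name: str
    data_categories: list          # what personal data (e.g. names, emails)
    source: str                    # where it comes from
    systems: list                  # where it lives / flows (processors, countries)
    purpose: str
    lawful_basis: str
    retention_days: Optional[int]  # None = not yet decided
    security_controls: list = field(default_factory=list)
    justification: str = ""        # balancing test; needed for legitimate interests
    withdrawal_route: str = ""     # how consent is withdrawn; needed for consent


def activity_gaps(a: ProcessingActivity) -> list:
    """Return the things this activity still needs before the RoPA entry is complete."""
    gaps = []
    if a.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"unknown lawful basis '{a.lawful_basis}'")
    if a.lawful_basis == "legitimate_interests" and not a.justification.strip():
        gaps.append("legitimate interests chosen but no balancing justification recorded")
    if a.lawful_basis == "consent" and not a.withdrawal_route.strip():
        gaps.append("consent chosen but no easy withdrawal route recorded")
    if a.retention_days is None:
        gaps.append("no retention period set")
    if not a.data_categories:
        gaps.append("data categories not listed")
    if not a.security_controls:
        gaps.append("no security controls recorded")
    return gaps


def gap_report(register) -> dict:
    """Map activity name -> list of gaps, only for activities that have any."""
    return {a.name: g for a in register if (g := activity_gaps(a))}


def records_past_retention(activity, records, today: date) -> list:
    """records: (record_id, collected_on) pairs. Returns ids held longer than the
    activity's retention period, i.e. candidates for deletion or anonymisation."""
    if activity.retention_days is None:
        raise ValueError(f"{activity.name}: set a retention period before automating deletion")
    return [rid for rid, collected_on in records
            if (today - collected_on).days > activity.retention_days]


# Constructed sample register: two complete entries and one with gaps.
SAMPLE_REGISTER = [
    ProcessingActivity("Newsletter", ["email"], "website sign-up form", ["Mailchimp (US)"],
                       "monthly product updates", "consent", 730,
                       ["MFA on Mailchimp", "export restricted to admins"],
                       withdrawal_route="unsubscribe link in every email"),
    ProcessingActivity("Payroll", ["name", "bank details", "NI number"], "HR onboarding",
                       ["payroll SaaS (UK)"], "pay staff and report to HMRC",
                       "legal_obligation", 6 * 365, ["role-based access", "encrypted at rest"]),
    ProcessingActivity("Prospect research", ["name", "work email", "LinkedIn URL"],
                       "public profiles", ["CRM"], "outbound sales",
                       "legitimate_interests", None, ["MFA on CRM"]),
]

# Constructed sample newsletter sign-ups and the date the deletion job runs.
SAMPLE_RECORDS = [("r1", date(2022, 1, 1)), ("r2", date(2023, 9, 1)), ("r3", date(2022, 1, 31))]
AS_OF = date(2024, 1, 31)

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_REGISTER).items():
        print(name)
        for g in gaps:
            print("  -", g)
    print("Newsletter records to delete:",
          records_past_retention(SAMPLE_REGISTER[0], SAMPLE_RECORDS, AS_OF))
```

Running it lists "Prospect research" with two gaps (no balancing justification, no retention period) and picks `r1` as the only newsletter record past its 730-day retention; `r3` was collected exactly 730 days before the run date and is kept until the following day. The deletion helper refuses to run for an activity with no retention period, which is the point: decide the period in the RoPA first, then automate.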
Security And Access Control
- Limit access on a need-to-know basis, enforce strong passwords/MFA, and log access.
- Encrypt data in transit and at rest where appropriate, and patch systems regularly.
- Vet cloud tools for security features and data location, and keep an asset register.
If you rely on cloud storage, make sure your setup and controls are appropriate – especially if your team uses popular tools like Google Workspace or Drive. It’s smart to sanity check whether a tool is configured in a way that is actually privacy-friendly for your use case, not just by default.
Third-Party Processors And Sharing
- Sign a robust Data Processing Agreement with each processor covering security, sub-processors, audit rights and deletion.
- Document when you act as controller-to-controller and, if applicable, use a clear Data Sharing Agreement.
- Assess international transfers (e.g., SCCs or IDTA) and keep transfer risk assessments on file.
Incident And Breach Responses
- Maintain a practical incident playbook with roles, triage criteria and communication steps.
- Investigate and record all incidents, and notify the ICO within 72 hours where required.
- Notify affected individuals where there’s a high risk to their rights and freedoms.
A concise, tested Data Breach Response Plan will save time and reduce the impact if something goes wrong.
Marketing, Cookies And PECR
- For direct marketing, comply with PECR rules (e.g., opt-in for most email/SMS to individuals).
- Use a compliant cookie banner and only drop non-essential cookies with consent.
- Keep a record of consent choices and provide an easy way to change them later.
Make sure your site includes a clear Cookie Policy and an implementation that matches your banner and tracking settings.
DPIAs For Higher-Risk Processing
- Run Data Protection Impact Assessments when processing is likely to be high risk (e.g., large-scale monitoring, special category data).
- Document mitigations and design changes you implement as a result.
Training And Governance
- Give induction and refresher training on privacy basics, phishing, and rights handling.
- Assign a senior person to oversee compliance and report regularly to leadership.
Step-By-Step: Building Your GDPR Compliance Program
Step 1: Kick-Off And Scope
Nominate a lead (it can be you) and set a 60–90 day plan. List the systems and data you use across sales, marketing, product, HR and finance.
Step 2: Data Mapping And Gap Analysis
Complete your RoPA, identify lawful bases, and spot any red flags (missing notices, uncontrolled access, unclear retention). Prioritise high-risk gaps first – for example, marketing consent workflows and access control issues usually rise to the top.
Step 3: Draft Core Documents
- External: Privacy notice, cookie content and banner language, DSAR instructions.
- Internal: DSAR handling SOP, retention schedule, security policy, incident plan.
- Vendor: DPAs, data sharing terms, transfer clauses and due diligence checklist.
If you want a streamlined set of tailored templates, a curated GDPR Package can fast-track this stage and reduce rework.
Step 4: Implement And Train
Update your website and product flows, switch on MFA, update access permissions, and implement deletion scripts or reminders. Train your team on the new procedures (even a 30–45 minute session helps).
Step 5: Test And Improve
- Run a tabletop exercise of a DSAR or a minor breach.
- Check that your DSAR workflow meets the one-month deadline and identity checks are documented.
- Spot check consent logs and unsubscribe flows.
Step 6: Monitor And Review
Schedule a quarterly privacy review: update your RoPA, audit third-party tools, and review incidents and DSARs to spot patterns. Add privacy checks to your product or vendor onboarding process so it becomes business-as-usual.
Common Pitfalls And How To Avoid Them
Using Consent When You Don’t Need It
Consent is only one lawful basis – and it must be freely given and easy to withdraw. If data is necessary for a contract (e.g., delivery address), use “contract” rather than manufacturing consent gates that frustrate users and are hard to manage.
Unclear Retention And “Data Creep”
Holding data “just in case” increases risk. Tie retention to a purpose, automate deletion, and keep a log. This is one of the most common areas where small businesses drift out of compliance over time.
Processor Agreements Missing Key Clauses
Generic vendor T&Cs rarely cover your needs. Make sure your processors sign a robust DPA with security, sub-processor approval, assistance with rights requests, and deletion on exit. Without it, you may be on the hook if something goes wrong.
Cookie Banners That Don’t Match Reality
If your banner says “only essential cookies” until consent, make sure marketing pixels are actually disabled until users accept. It’s a small technical detail that’s easy to miss – and an easy win to fix. Align the banner behaviour with your tracking setup.
Slow DSAR Responses
Rights requests can arrive in any inbox. Train your team to recognise them and forward them to the privacy lead immediately. Keep a simple tracker so you never miss the one-month window established in SAR deadline rules.
Assuming Popular Tools Are Automatically Compliant
Well-known cloud platforms can be used compliantly, but only if configured correctly. Check data locations, sharing settings, admin controls, and retention options. A quick internal audit can uncover easy configuration wins that improve your privacy posture overnight.
Essential Documents And Policies To Put In Place
Here’s a practical checklist of documents most small businesses should have as part of their GDPR procedures. Keep them short, accurate, and accessible to your team.
Public-Facing
- Privacy Notice/Policy (website and in-product) – use a clear, plain-English Privacy Policy.
- Cookie Banner Content + Site Cookie Inventory – supported by a Cookie Policy.
- Marketing Preferences/Unsubscribe Instructions – visible and easy to use.
Internal Procedures
- Records of Processing Activities (RoPA) and Data Map.
- DSAR Handling Procedure and Log (with ID checks and template responses).
- Retention Schedule tied to each processing activity and system.
- Security Policy (access, MFA, encryption, incident triage).
- Incident/Breach Response – ideally a tested Data Breach Response Plan.
Third Parties
- Signed Data Processing Agreement with each processor.
- Controller-to-Controller Data Sharing Agreement where appropriate.
- International Transfer Terms (e.g., SCCs/IDTA) and transfer risk assessments.
When To Get Extra Help
- If you process special category data at scale or conduct systematic monitoring, you may need a formal DPIA and additional safeguards.
- If you’re launching AI features, rolling out extensive analytics, or shifting to new cloud tools, it’s sensible to run a quick privacy review first.
- If you’ve had a security incident, act fast – record your investigation, and take advice on notifications and remediation steps.
If putting all the above together feels like a lot, that’s completely normal. A focused privacy sprint with tailored templates – for example, a GDPR Package – can get you compliant quickly without over-engineering the process.
GDPR Procedures FAQs For Small Businesses
Do We Need Consent For All Email Marketing?
Not always. PECR usually requires opt-in consent for emails/SMS to individuals, but there’s a “soft opt-in” for existing customers in specific cases. Whatever route you take, record the basis and provide an easy opt-out in every message.
How Fast Do We Need To Respond To DSARs?
Within one month of receipt in most cases. Complex requests can be extended by two further months, but you need to tell the individual within the first month and explain why. A clear procedure – and a log – makes this manageable.
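The one-month window and the two-month extension discussed here, in the DSAR section above, and under "Slow DSAR Responses" are easy to get wrong on dates like 31 January, so a tracker should compute the deadline rather than leave it to whoever logs the request. The Python below is an added example, not code from the original guide or from Sprintlaw. The calendar-month rule it applies (the corresponding date in the target month, or the last day of that month if there is none, rolled forward past weekends and holidays to the next working day) is my understanding of the ICO's published approach and is an assumption to check against current guidance; `BANK_HOLIDAYS` is a constructed sample set.

```python
import calendar
from datetime import date, timedelta

# Added example: DSAR deadline arithmetic for a request tracker. The calendar-month
# rule below is my reading of ICO guidance (an assumption); BANK_HOLIDAYS is a
# constructed sample, not a real holiday calendar.

BANK_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}  # constructed sample


def add_calendar_months(start: date, months: int) -> date:
    """Same day-of-month `months` later; if that day does not exist (31 Jan + 1 month),
    fall back to the last day of the target month."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays=frozenset()) -> date:
    """Roll a weekend or holiday date forward to the next working day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, extension_months: int = 0, holidays=frozenset()) -> date:
    """Response due date: one month from receipt, plus up to two further months
    if a justified extension has been notified."""
    if extension_months not in (0, 1, 2):
        raise ValueError("an extension is at most two further months")
    return next_working_day(add_calendar_months(received, 1 + extension_months), holidays)


def extension_notice_by(received: date, holidays=frozenset()) -> date:
    """The requester must be told about any extension within the original month,
    so the notice deadline is simply the unextended response deadline."""
    return dsar_deadline(received, 0, holidays)


def dsar_status(received: date, today: date, extension_months: int = 0,
                holidays=frozenset()) -> dict:
    """Tracker view of one request: due date, days left and an open/due_today/overdue state."""
    due = dsar_deadline(received, extension_months, holidays)
    days_left = (due - today).days
    state = "overdue" if days_left < 0 else "due_today" if days_left == 0 else "open"
    return {"due": due, "days_left": days_left, "state": state}


if __name__ == "__main__":
    for received in (date(2024, 1, 31), date(2024, 5, 8), date(2024, 11, 25)):
        print(received, "->", dsar_deadline(received, holidays=BANK_HOLIDAYS))
    print(dsar_status(date(2024, 3, 15), date(2024, 4, 20)))
```

The three sample receipts show the edge cases: 31 January 2024 falls due on 29 February (no 31st exists), 8 May falls due on Saturday 8 June and rolls to Monday 10 June, and 25 November falls due on Christmas Day and rolls past both sample holidays to 27 December. A request received on 15 March and still open on 20 April shows as five days overdue.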
Who Needs A Data Protection Officer (DPO)?
DPOs are mandatory only for certain organisations (e.g., public authorities or businesses conducting large-scale monitoring or processing of special category data). Most small businesses don’t need a formal DPO, but should still assign a privacy lead to coordinate compliance.
Do We Have To Report Every Breach To The ICO?
No. Only breaches that risk individuals’ rights and freedoms must be reported, and typically within 72 hours of becoming aware. You should still keep an internal record of all incidents and your decisions.
How Do We Handle Cookies Correctly?
Block non-essential cookies by default, ask for consent with a clear banner, and only drop those cookies after consent. Keep your cookie inventory up to date and reflect it in your Cookie Policy.
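"Only drop non-essential cookies after consent" has to be enforced in code, which is the pitfall described earlier under "Cookie Banners That Don't Match Reality": a banner that claims essential-only while a marketing pixel still loads. The Python below is an added example of one server-side way to do it and a check for the mismatch; it is not code from the original guide or from Sprintlaw. `TAG_INVENTORY`, the `cookie_consent` cookie name and its `analytics:1|marketing:0` value format are all assumptions made up for the illustration; anything not explicitly granted is treated as refused.

```python
import html
import re

# Added example: consent-gated rendering of tags plus a check that a rendered page
# does not load non-essential scripts without consent. The inventory, cookie name
# and cookie value format are constructed assumptions.

TAG_INVENTORY = [  # constructed sample site cookie/script inventory
    {"name": "app",       "category": "essential", "src": "/static/app.js"},
    {"name": "analytics", "category": "analytics", "src": "https://analytics.example/a.js"},
    {"name": "ads-pixel", "category": "marketing", "src": "https://ads.example/pixel.js"},
]
CONSENT_COOKIE = "cookie_consent"      # assumed name; value like "analytics:1|marketing:0"
NON_ESSENTIAL = {"analytics", "marketing"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def allowed_categories(cookie_header: str) -> set:
    """Essential is always allowed; a non-essential category only with an explicit '1'.
    Missing, malformed or unknown values mean no consent (deny by default)."""
    allowed = {"essential"}
    raw = parse_cookie_header(cookie_header).get(CONSENT_COOKIE, "")
    for item in raw.split("|"):
        if ":" in item:
            category, flag = item.split(":", 1)
            if category in NON_ESSENTIAL and flag == "1":
                allowed.add(category)
    return allowed


def render_tags(cookie_header: str) -> list:
    """Return (category, active, html) per inventory tag. Tags without consent are
    emitted as inert type="text/plain" placeholders a consent manager can activate later."""
    allowed = allowed_categories(cookie_header)
    rendered = []
    for tag in TAG_INVENTORY:
        src, category = html.escape(tag["src"], quote=True), tag["category"]
        if category in allowed:
            rendered.append((category, True, f'<script src="{src}"></script>'))
        else:
            rendered.append((category, False,
                             f'<script type="text/plain" data-category="{category}" '
                             f'data-src="{src}"></script>'))
    return rendered


def active_script_srcs(page_html: str) -> list:
    """Script tags the browser would actually execute (no type, or a JS type) with a src."""
    srcs = []
    for attrs in SCRIPT_RE.findall(page_html):
        a = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(attrs)}
        if "src" in a and a.get("type", "text/javascript").lower() in ("text/javascript", "module"):
            srcs.append(a["src"])
    return srcs


def consent_violations(page_html: str, cookie_header: str) -> list:
    """Active scripts whose category the visitor has not consented to. A script not in
    the inventory is also flagged: the inventory should be kept complete."""
    allowed = allowed_categories(cookie_header)
    category_of = {t["src"]: t["category"] for t in TAG_INVENTORY}
    return [s for s in active_script_srcs(page_html) if category_of.get(s) not in allowed]


if __name__ == "__main__":
    no_consent_page = "".join(h for _, _, h in render_tags(""))
    print(no_consent_page)
    print("violations without consent:", consent_violations(no_consent_page, ""))
```

`consent_violations` is the spot check: feed it the HTML your site actually serves to a first-time visitor (empty consent) and it should return an empty list; any marketing or analytics URL it returns is a pixel firing before acceptance, and any URL it returns that is not in the inventory is a tag the Cookie Policy does not know about.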
Key Takeaways
- Start with a simple data map (RoPA) so you know what you hold, why, and for how long – this underpins every other GDPR procedure.
- Put core procedures in writing: privacy notices, DSAR handling, retention and deletion, vendor management, security controls and breach response.
- Use the right legal tools – a clear Privacy Policy, strong DPA, and a tested Data Breach Response Plan are essential.
- Respect rights and deadlines – have a DSAR workflow and keep an eye on the one‑month timeline using practical guidance on SAR deadlines.
- Get your marketing and cookies in order – build consent and preference management into your systems and support it with a clear Cookie Policy.
- Make it business-as-usual – train your team, review quarterly, and treat privacy as an ongoing process rather than a one-off project.
If you’d like tailored help setting up GDPR procedures, drafting documents, or sense‑checking your approach, our team is here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.