Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, uses email marketing, runs a website with cookies, or stores data in the cloud, GDPR affects you. The good news? With a clear plan and the right documents, compliance is achievable - and it can build trust with your customers from day one.
This guide breaks down how GDPR applies to small UK businesses, what you actually need to do, and the essential policies and processes that keep you protected as you grow.
What Is GDPR (And Does It Still Apply In The UK)?
Yes - GDPR still applies in the UK. After Brexit, the EU GDPR was retained and adapted into UK law as the “UK GDPR,” alongside the Data Protection Act 2018 (DPA 2018). Together, they govern how businesses collect, use, store and share personal data.
In practice, your responsibilities remain largely the same: be transparent, collect only what you need, use data lawfully, keep it secure, and respect people’s rights. If you offer goods or services to people in the EU as well as the UK, you may also need to consider the EU GDPR separately - but most UK-only small businesses focus on UK GDPR and the DPA 2018.
When Does GDPR Affect A Small Business?
GDPR affects your business whenever you process “personal data” - any information that identifies (or could identify) a person. That includes obvious details like names and emails, as well as IP addresses, device IDs and even customer support notes tied to a person.
Typical situations where GDPR applies to small businesses include:
- Collecting customer details through a contact form, booking system or checkout.
- Running email marketing, CRM databases or loyalty programs.
- Using website analytics, advertising pixels or other cookies that track users.
- Storing files in cloud tools that contain staff or customer information.
- Working with third-party providers (e.g. marketing agencies, software vendors) who process personal data on your behalf.
- Handling employee and applicant data during recruitment and HR management.
If you do any of the above, GDPR applies - and it’s important to get your legal foundations in place before you scale.
What Are Your Core GDPR Duties?
Think of GDPR as a set of principles that shape how you handle personal data. Your main duties fall into these areas.
Lawful Basis And Purpose Limitation
You must have a lawful reason to process data (e.g. consent, contract, legitimate interests, legal obligation). Be clear about why you’re collecting it and don’t use it for incompatible new purposes later without a fresh lawful basis.
Transparency And Notices
Tell people what you’re doing with their data in clear, accessible language. This typically lives in your website/app notices and your customer- and employee-facing privacy information.
Data Minimisation And Retention
Only collect the data you actually need. Keep it accurate, and don’t keep it longer than necessary. Set realistic retention periods and implement a schedule for secure deletion or anonymisation.
Security And Confidentiality
Put in place appropriate technical and organisational measures (access controls, encryption, staff training, vendor due diligence). If you suffer a qualifying personal data breach, you may need to notify the ICO within 72 hours and, in some cases, affected individuals.
Respect Data Subject Rights
Individuals have rights to access, rectify, erase, restrict, object, and port their data. You need processes and timelines to handle requests lawfully, and a way to verify the requester’s identity.
Manage Your Processors
If a third party processes personal data for you (a “processor”), GDPR requires a written contract with specific clauses, and you must ensure they meet appropriate security standards.
Document Your Compliance
Maintain records of processing (what you collect, why, where it goes, who you share it with), conduct risk assessments where needed (DPIAs), and appoint a Data Protection Officer if legally required (most small businesses don’t need one, but many appoint a privacy lead internally).
International Transfers
If personal data leaves the UK (e.g. to a cloud provider in the US), you need a lawful transfer mechanism (such as the UK International Data Transfer Agreement or an adequacy decision) and to assess transfer risks.
What Documents And Policies Do You Need In Place?
Your documents are the backbone of GDPR compliance. They explain your approach, set rules for vendors and staff, and help you evidence compliance if the ICO asks.
- Privacy Policy: A clear, UK GDPR-compliant privacy notice for customers, website users and, where relevant, employees. It should explain what you collect, why, who you share it with, how long you keep it, and their rights.
- Data Processing Agreement (DPA): A mandatory contract with any supplier that processes personal data for you (hosting, email platforms, marketing agencies, IT support). It sets out security standards and GDPR-required clauses.
- Data Sharing Agreement: If you share data with another controller (e.g. a strategic partner) for each party’s independent purposes, a sharing agreement clarifies roles and legal responsibilities.
- Data Breach Response Plan: A practical playbook for spotting, assessing and reporting incidents within tight legal timeframes.
- Cookie Policy and cookie controls: Explain what cookies you use and why, and let users manage non-essential cookies via a compliant banner and preference centre.
Behind the scenes, you should also have internal procedures for subject access requests, data retention and deletion, security reviews, and vendor onboarding - these operational processes are just as important as the public-facing documents.
How GDPR Affects Common Business Activities
Marketing, Cookies And Analytics
Marketing is where GDPR interacts with the Privacy and Electronic Communications Regulations (PECR). In simple terms, you need a lawful basis under GDPR for processing data, and you must also follow PECR rules on electronic marketing and cookies.
- Email and SMS marketing to individuals typically requires consent unless the “soft opt-in” applies (existing customers, similar products, opt-out offered at the time of collection and in every message). See the UK’s soft opt-in rules for how this works in practice.
- Non-essential cookies (analytics, advertising) require prior consent. That means no dropping non-essential cookies until a user has made an informed choice. Ensure your cookie banners are clear, granular and not misleading.
- Your lawful basis for marketing and analytics should be consistent with your messaging and tools. If you rely on consent, keep records and honour withdrawals quickly.
Get the basics right - give people genuine control, be upfront and avoid dark patterns - and your marketing program will be both compliant and trusted.
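The rule above (no non-essential cookies until the user has made an informed, granular choice, and withdrawals honoured quickly) is easiest to see as gating logic. The following JavaScript is an added example written for this guide, not Sprintlaw’s code or any cookie-banner vendor’s. It assumes a hypothetical storage key `cookie_consent_v1`, two non-essential categories (`analytics`, `advertising`) and an injectable storage object with the `getItem`/`setItem` shape of the browser’s `localStorage`, so it runs outside a browser; the two “loaders” are constructed stand-ins for the script tags a real page would inject.

```javascript
// Consent-gated loading of non-essential cookies/scripts.
// Added example, not Sprintlaw's code. Assumes a consent record stored under a
// hypothetical key; storage is injected so the logic runs without a browser.

const CONSENT_KEY = "cookie_consent_v1";           // hypothetical storage key
const CATEGORIES = ["analytics", "advertising"];   // non-essential categories

// Parse a stored consent record. Anything missing or malformed is treated as
// "no choice made yet", so nothing non-essential runs.
function parseConsent(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (!obj || typeof obj !== "object" || !obj.choices || typeof obj.choices !== "object") return null;
  const choices = {};
  // Only an explicit boolean true counts as consent for a category.
  for (const c of CATEGORIES) choices[c] = obj.choices[c] === true;
  return { timestamp: typeof obj.timestamp === "string" ? obj.timestamp : null, choices };
}

// Record the user's explicit choice per category. Defaults are all false:
// an unticked category is a "no", never a "yes".
function recordConsent(storage, choices, now = new Date()) {
  const record = { timestamp: now.toISOString(), choices: {} };
  for (const c of CATEGORIES) record.choices[c] = choices[c] === true;
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Withdrawal: overwrite with all-false choices, so loaders stop on the next page view.
function withdrawConsent(storage, now = new Date()) {
  return recordConsent(storage, {}, now);
}

// Decide which of the registered non-essential loaders may run.
function allowedLoaders(storage, loaders) {
  const consent = parseConsent(storage.getItem(CONSENT_KEY));
  if (consent === null) return [];   // no informed choice yet: run nothing
  return loaders.filter(l => consent.choices[l.category] === true);
}

// Minimal in-memory storage with the same getItem/setItem shape as localStorage,
// constructed here so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Constructed sample loaders. In a real page each `load` would inject the
// vendor's script tag; here they just report what would have been loaded.
const LOADERS = [
  { name: "analytics-tag", category: "analytics",   load: () => "loaded analytics-tag" },
  { name: "ad-pixel",      category: "advertising", load: () => "loaded ad-pixel" },
];

// Run the gate against the current consent state and return what was loaded.
function runGate(storage) {
  return allowedLoaders(storage, LOADERS).map(l => l.load());
}
```

The design choice worth copying is that every failure mode falls closed: no record, a malformed record, a withdrawn record, or a category whose value is anything other than an explicit `true` all result in nothing being loaded. The timestamp is kept so you can evidence when consent was given if the ICO or a customer asks.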
HR, Recruitment And Staff Data
GDPR applies to employee and applicant data too. You’ll typically rely on “legitimate interests” or “legal obligation” rather than consent in an HR context, but you still need to be transparent and minimise collection.
Have a privacy notice for applicants and staff, set realistic retention periods, and restrict access to sensitive data. Many small businesses overlook the back end: think through how long you keep CVs, interview notes and leavers’ files. Here’s a practical look at how long to keep ex-employee records under GDPR.
Cloud Tools And International Transfers
Most SMEs use cloud storage, CRMs and collaboration tools that may store data overseas. That’s fine - you just need the right transfer safeguards and vendor due diligence. Assess security certifications, access controls, sub-processors and breach history, and sign appropriate transfer terms.
If you’re wondering about common platforms, here’s a deeper look at whether Google Drive is GDPR compliant for UK businesses and what to check before you commit.
AI And New Technologies
Whether you’re piloting chatbots, summarising documents, or generating marketing drafts, AI tools often involve personal data. Map what goes in and what might come out. Disable training on your prompts where possible, restrict access, and avoid pasting in confidential or customer-identifying information unless your contract and risk assessment allow it.
If you’re trialling generative tools, this overview of ChatGPT and GDPR steps for UK companies is a helpful starting point.
What Happens If You Get It Wrong?
The ICO can issue warnings, enforcement notices and fines for serious breaches. Larger penalties grab headlines, but for small businesses the bigger risk is often operational disruption, contractual fallout with clients, and reputational damage if customers lose trust.
Common pitfalls include:
- Dropping non-essential cookies before consent or without a proper opt-out.
- Running email campaigns without a valid lawful basis or opt-out mechanism.
- Using vendors without a written DPA or adequate transfer safeguards.
- Retaining data indefinitely with no purge process.
- Not having a plan to handle access or deletion requests within the legal timeframe.
- Underestimating security basics (weak passwords, no MFA, excessive staff access).
The fix is straightforward: take a practical, documented approach to privacy. Regulators look favourably on organisations that can show they planned, trained staff and took reasonable steps - even if something goes wrong.
Step-By-Step GDPR Compliance Checklist For Small Businesses
1) Map Your Data
List what personal data you collect, where it comes from, where it goes (systems and suppliers), who has access, and how long you keep it. This becomes your record of processing and highlights gaps to fix.
2) Choose Lawful Bases And Update Notices
Decide your lawful basis for each processing activity (contract, legitimate interests, consent, etc.). Update your customer- and website-facing notices accordingly and keep internal notes on your decisions.
3) Sort Your Website And Marketing
- Implement consent-based cookie controls for analytics and ads; provide an accurate Cookie Policy and a compliant banner.
- Check email and SMS campaigns against PECR and GDPR; if relying on the soft opt-in, ensure your capture and unsubscribe flows meet the email marketing laws.
4) Lock In Your Vendor Contracts
Identify all suppliers that process personal data and ensure you have a signed Data Processing Agreement with GDPR-required clauses. For controller-to-controller sharing, use a Data Sharing Agreement to clarify responsibilities.
5) Put Security Measures In Place
Adopt multi-factor authentication, least-privilege access, encryption where appropriate, and regular patching. Train staff on phishing and handling personal data securely. Prepare a tested Data Breach Response Plan and keep logs of incidents and near misses.
6) Define Retention And Deletion
Create a retention schedule that sets deletion or anonymisation timeframes for key data sets (customers, prospects, staff, applicants). Automate where possible and document exceptions.
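A retention schedule only protects you once something actually applies it. The JavaScript below is an added example written for this guide, not Sprintlaw’s code or a statement of how long any data may lawfully be kept: the data sets, the retention periods and the sample records are all constructed for illustration, and the “legal hold” exception is a hypothetical placeholder. It shows the mechanics the step describes: a schedule per data set with a delete-or-anonymise action, documented exceptions that override the schedule but are reported for review, and an audit log of every decision.

```javascript
// Apply a retention schedule to sample records.
// Added example, not Sprintlaw's code. Periods and records below are constructed
// for illustration only; set your own periods from your documented schedule.

// Retention period in days per data set, and the action to take on expiry.
const SCHEDULE = {
  prospects:  { days: 365,  action: "delete" },     // hypothetical period
  customers:  { days: 2190, action: "anonymise" },  // hypothetical period
  applicants: { days: 180,  action: "delete" },     // hypothetical period
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days between an ISO date string and `now` (both treated as UTC).
function daysSince(isoDate, now) {
  return Math.floor((now - new Date(isoDate)) / DAY_MS);
}

// Decide what to do with one record. A documented exception (e.g. a legal hold)
// overrides the schedule and is reported so it can be reviewed, and a record in a
// data set with no rule is flagged rather than silently kept forever.
function decide(record, now) {
  const rule = SCHEDULE[record.dataset];
  if (!rule) {
    return { id: record.id, action: "review", reason: "no retention rule for dataset " + record.dataset };
  }
  if (record.hold) {
    return { id: record.id, action: "keep", reason: "exception: " + record.hold };
  }
  const age = daysSince(record.lastActivity, now);
  if (age > rule.days) {
    return { id: record.id, action: rule.action, reason: `${age} days old, limit ${rule.days}` };
  }
  return { id: record.id, action: "keep", reason: `${age} days old, within ${rule.days}` };
}

// Anonymisation keeps the non-identifying fields and strips the identifiers.
function anonymise(record) {
  const { id, dataset, lastActivity } = record;
  return { id, dataset, lastActivity, name: null, email: null, anonymised: true };
}

// Run the schedule over a set of records; returns what survives plus an audit log.
function applySchedule(records, now = new Date()) {
  const kept = [];
  const log = [];
  for (const r of records) {
    const d = decide(r, now);
    log.push(d);
    if (d.action === "delete") continue;
    kept.push(d.action === "anonymise" ? anonymise(r) : r);
  }
  return { kept, log };
}

// Constructed sample records (names, emails and dates are made up).
const SAMPLE = [
  { id: "p1", dataset: "prospects",  name: "A", email: "a@example.com", lastActivity: "2022-01-10" },
  { id: "c1", dataset: "customers",  name: "B", email: "b@example.com", lastActivity: "2017-03-01" },
  { id: "c2", dataset: "customers",  name: "C", email: "c@example.com", lastActivity: "2023-06-15",
    hold: "legal hold (placeholder reference)" },
  { id: "a1", dataset: "applicants", name: "D", email: "d@example.com", lastActivity: "2024-02-01" },
  { id: "x1", dataset: "unknown",    name: "E", email: "e@example.com", lastActivity: "2020-01-01" },
];

// Fixed "now" so the sample run is reproducible.
function runSample(now = new Date("2024-06-01T00:00:00Z")) {
  return applySchedule(SAMPLE, now);
}
```

Run against the sample at the fixed date, the stale prospect is deleted, the old customer record is anonymised (identifiers nulled, the record itself retained), the held customer and the recent applicant are kept, and the record with no matching rule comes back as `review` so the gap in the schedule is visible rather than quietly ignored. The returned log is the evidence that the schedule was applied and why each decision was made.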
7) Build A Rights Request Process
Set up a simple workflow for subject access, rectification, erasure and objection requests. Decide how you’ll verify identity, locate data across systems, apply exemptions, and respond within legal deadlines.
8) Review International Transfers
Check where your data is stored and accessed. If data leaves the UK, put appropriate transfer tools in place and assess any residual risks.
9) Keep It Live
Privacy isn’t set-and-forget. Review your notices, cookie settings, vendor list and retention schedule at least annually, and whenever you change systems or launch a new product or campaign.
Key Takeaways
- UK GDPR and the Data Protection Act 2018 apply to most small businesses that collect or use personal data - from customer emails to website analytics.
- Your core duties are transparency, lawful use, data minimisation, security, documented processes, and respect for individual rights.
- Have the right documents in place: a clear Privacy Policy, cookie controls and a Cookie Policy, signed DPAs with processors, and a practical breach plan.
- Marketing and cookies bring PECR into play: get consent for non-essential cookies and use the soft opt-in correctly if you rely on it for email marketing.
- Cloud tools and AI are fine with the right safeguards: do vendor due diligence, use transfer tools for overseas storage, and avoid pasting personal or confidential data into tools that don’t allow it.
- Document what you do and keep privacy “live” - reviews, training and updates show you take compliance seriously and help you scale confidently.
If you’d like tailored help setting up your GDPR compliance (from policies to vendor agreements and cookie controls), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.