Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles customer or employee data - whether you’re selling online, running a high street shop, or handling bookings and mailing lists - you’ll have heard about the GDPR. But what does it really mean to “comply with GDPR”, and what practical steps do you need to take to keep your business safe and your customers’ trust intact?
The topic can sound daunting, full of data protection jargon and legal pitfalls. But don’t stress - with the right knowledge and a step-by-step approach, getting your GDPR compliance in place is a straightforward way to protect and future-proof your business. In this practical guide, we’ll walk you through what GDPR means for UK businesses, why compliance matters, and the key steps you need to take. Let’s get started.
What Is GDPR, And Does My UK Business Need To Comply?
The General Data Protection Regulation (GDPR) is a set of privacy laws that give individuals control over their personal data - and make businesses responsible for protecting that data. Since Brexit, the UK has adopted its own version, known as the UK GDPR, alongside the Data Protection Act 2018.
Practically speaking, if your business collects, stores, or uses information that can identify a living person - like names, emails, addresses, or payment details - GDPR compliance is not optional. It applies to almost every business in the UK, from sole traders to growing companies. Even if you’re a one-person online startup, you still need to comply with GDPR if you handle customer, client, or employee data.
Failing to comply can lead to regulatory investigations, customer disputes, and hefty fines. But more than that, following GDPR boosts trust with your clients and gives you a professional edge.
If you’re unsure whether your business is covered, check out our What You Need To Know About GDPR guide.
What Counts As Personal Data Under GDPR?
Personal data under GDPR is any information that can identify an individual directly or indirectly. Some everyday business examples include:
- Customer and supplier names and contact details
- Email addresses (even work emails)
- Employee personnel files and payroll data
- IP addresses or device identifiers
- CCTV footage, photos, and audio recordings of staff or visitors
- Online order histories, delivery addresses, and payment details
GDPR also covers “special category” data - sensitive details like health information or ethnicity - which require stronger protection. If you handle this kind of data (for example, in health, education, or recruitment sectors) you’ll need to take extra care.
If you’re processing any of the above, it’s vital to comply with GDPR by following the right procedures and keeping records of your compliance.
Why Is It Important To Comply With GDPR?
GDPR isn’t just about avoiding fines (although the UK Information Commissioner’s Office - ICO - can levy penalties up to £17.5 million or 4% of annual turnover). It’s also about:
- Building customer confidence. People want to know their data is safe and handled fairly.
- Preventing reputational damage. A data breach or privacy complaint can quickly harm your brand.
- Enabling business growth. Many larger customers and partners will require you to be GDPR compliant before working together.
- Fulfilling your legal obligations. Under the Data Protection Act 2018 and UK GDPR, all businesses must follow certain rules when processing personal data.
Getting GDPR right from day one is part of building strong legal foundations for your business - just like having the right contracts or registering your company with HMRC.
Step-By-Step Guide: How To Comply With GDPR In Your UK Business
So, what does practical GDPR compliance actually involve? Here’s a clear, stepwise process you can follow to ensure your business is on the right track.
1. Audit The Data You Collect And Use
Start by mapping out what personal data your business handles, why you need it, where you store it, and who has access to it.
Ask yourself:
- What personal information do we collect from customers, staff, or suppliers?
- How do we collect it (website forms, email, payment systems, etc.)?
- Where is it stored - in cloud apps, spreadsheets, or filing cabinets?
- Who inside (or outside) the business uses or can access the data?
- Do we share data with any third parties (e.g., payroll providers, marketing platforms)?
This data audit is the foundation for all other GDPR action. If you need a hands-on guide, see our Essential Guide To Data Protection And Security Compliance Under UK GDPR.
2. Identify Your Lawful Basis For Processing
GDPR says you must have a “lawful basis” for any personal data you process. The most common bases for small businesses are:
- Consent: The customer or employee has given clear permission (e.g., ticked a marketing opt-in box)
- Contract: You need the data to fulfil a contract (such as sending goods after an order)
- Legal obligation: You must process the data to comply with a law (like payroll reporting)
- Legitimate interests: You’re using the data in ways people would reasonably expect (like fraud prevention or business analytics)
Whenever you collect data, you must be clear about which basis applies, and record your decisions.
3. Draft And Publish A GDPR-Compliant Privacy Policy
All UK businesses that process personal data are required to have a clear, up-to-date Privacy Policy explaining:
- What information you collect
- How and why you use it
- Who you share it with (including suppliers or cloud apps)
- How long you keep it
- What rights individuals have over their data
- How people can contact you about data
Make your policy visible - for example, link it in your website footer and in any sign-up forms. Avoid copy-pasting from templates without tailoring; policies must match your real business practices. If you need help, our GDPR Privacy Policy solution is a good place to start.
4. Update Your Consent Processes And Marketing Practices
GDPR has strict rules about obtaining, managing, and recording consent, especially for marketing. To comply with GDPR:
- Use “opt-in” checkboxes (not pre-ticked) for email marketing or special offers
- Let people withdraw consent easily at any time
- Keep a record of who gave consent, when, and how
- Avoid adding people to mailing lists without permission (even existing customers, unless you meet the “soft opt-in” rules)
Review your customer journey - from website forms to phone orders - to make sure you’re requesting consent transparently.
For more tips, see our guide on sending marketing emails legally.
5. Secure Your Data And Manage Breaches
GDPR requires you to take “appropriate technical and organisational measures” to protect personal data. That means:
- Use strong passwords and two-factor authentication for accounts
- Encrypt sensitive data where possible
- Limit access to data only to people who need it for their job
- Train staff to recognise phishing and handle data carefully
- Have policies for data retention and secure disposal
If you suffer a data breach (for example, information is lost or sent to the wrong person), you may need to notify the ICO within 72 hours and, in some cases, inform affected individuals. Having a Data Breach Response Plan is essential.
6. Honour Data Subject Rights
Individuals (customers, staff, etc.) have key rights under GDPR, including:
- The right to access their data
- The right to correct inaccuracies
- The right to request deletion (“right to be forgotten”)
- The right to restrict or object to processing
- The right to data portability (receive a copy in a usable format)
Make sure you have clear procedures for handling data requests, and respond within one month. Our subject access request guide has practical steps to follow.
7. Review And Update Your Contracts With Suppliers
If you use external suppliers or cloud services that handle personal data (such as website hosts, email platforms, payroll providers, or CRM software), you must have contracts in place to ensure their compliance with GDPR too. These are commonly called Data Processing Agreements.
Check that every supplier who processes data for you contractually commits to following GDPR standards, securing data, and notifying you of breaches. This protects both you and your customers.
8. Train Your Team And Build A Privacy Culture
Compliance isn’t just paperwork - it’s about creating a privacy-aware workplace. Take time to:
- Train staff on privacy basics and GDPR responsibilities
- Make clear what data they can access and why
- Encourage reporting of risks or suspected breaches straight away
- Review your policies and procedures regularly in line with business changes
Building privacy into your day-to-day operations makes ongoing compliance simple - and everyone is on the same page.
Common GDPR Mistakes UK Businesses Make (And How To Avoid Them)
While most business owners want to comply with GDPR, it’s easy to make accidental errors. Some frequent pitfalls include:
- Using a generic Privacy Policy that doesn’t actually match your business
- Forgetting to get proper consent for marketing or storing evidence of it
- Leaving personal data on unsecured devices or cloud platforms
- Responding to data requests late or incompletely
- Failing to update contracts with third-party suppliers when new tech is introduced
- Not knowing what data you actually hold
The good news? Most mistakes are preventable with the right setup and support. Our checklist and compliance pack (GDPR Compliance Pack) can help you cover all the bases.
What Happens If You Don’t Comply With GDPR?
Non-compliance isn’t just risky - it can have serious consequences for small businesses, including:
- Regulatory action: The ICO can investigate, issue warnings, or require you to change your practices
- Fines: Penalties can reach up to £17.5 million or 4% of annual turnover (whichever is higher)
- Compensation claims: Individuals affected by your data failings can seek compensation
- Loss of customer trust: News of a breach or an ICO fine can damage your reputation
- Contractual problems: Some business partners will terminate contracts if you breach GDPR terms
The best protection? Get your data protection setup sorted before problems arise - that way you’re protected from day one.
Do You Need A Data Protection Officer?
Not every small business is legally required to appoint a dedicated Data Protection Officer (DPO). Typically, you only need a DPO if your core activities involve large-scale, regular monitoring of individuals (e.g. tracking online activity) or processing special category data.
However, even if you don’t need a DPO, you should always designate someone responsible for GDPR compliance in your business. This person will keep policies up to date, respond to data requests, and make sure your practices are current.
Key Takeaways: How To Comply With GDPR In Your UK Business
- GDPR compliance is legally required for almost every UK business that handles personal data - no matter how small.
- Start with a clear audit of the data you collect, why you need it, and how you use and store it.
- Always have a lawful basis for processing data, and keep full records of your decisions.
- Draft and publicise a clear, GDPR-compliant Privacy Policy tailored to your practical business activities.
- Get explicit consent for marketing, and make it easy for people to opt out at any time.
- Keep personal data secure with strong technical and organisational safeguards, and have a process for breaches.
- Respect data rights - including requests for access, correction, or deletion - and respond within one month.
- Review supply contracts and Data Processing Agreements to make sure your partners are GDPR compliant too.
- Train your staff so that a privacy culture is embedded from day one.
- If you’re unsure about any compliance step, seek specialist legal advice to make sure you’re covered.
Need Help With GDPR Compliance Or Have Questions?
Complying with GDPR doesn’t have to be overwhelming - but getting it right is essential. If you’d like tailored help to comply with GDPR, draft privacy documents, update your contracts, or handle a data breach, the Sprintlaw team is here for you.
You can reach us for a free, no-obligation chat at 08081347754 or by emailing team@sprintlaw.co.uk. We’ll help you protect your business, customers, and reputation - so you can get on with running your business, worry-free.