Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer emails, takes online bookings, runs staff payroll, or uses analytics on your website, you’re handling personal data. That means UK data protection law applies to you - and someone needs to be in charge of making sure you’re compliant.
That “someone” is often a privacy manager. You don’t have to be a big tech firm to benefit from the role. For many SMEs, appointing a privacy manager is the most efficient way to stay on top of legal duties, prevent breaches, and build customer trust.
In this guide, we’ll explain what a privacy manager does, how the role differs from a Data Protection Officer (DPO), and the practical steps to set it up in your team - so you’re protected from day one.
What Is A Privacy Manager And Do Small Businesses Need One?
A privacy manager is the person responsible for overseeing how your business collects, uses, stores, and shares personal data. Think of it as your internal lead for data protection - coordinating policies, training, supplier checks, breach response and day‑to‑day compliance.
UK law (the UK GDPR and Data Protection Act 2018) doesn’t require every business to have a privacy manager. However, you are legally required to comply with those laws. For most small businesses, appointing a privacy manager is a simple way to make sure those duties are met in practice.
The role can be part‑time and combined with another function (for example, operations, HR, IT or legal). What matters is that someone has clear responsibility for privacy risk, and the authority to implement improvements.
When deciding if you need one now, ask:
- Do we collect or process a meaningful amount of customer data (emails, names, bookings, payment details, IDs)?
- Do we run direct marketing or use cookies/analytics on our website?
- Do we use third‑party software providers to process data (CRMs, email tools, payroll, cloud storage)?
- Have we received a subject access request (SAR) or a data incident in the last year?
- Are we hiring or managing staff, including sensitive HR data?
If you’re nodding along, a privacy manager will pay for itself in reduced risk, smoother processes and customer confidence.
UK Legal Duties A Privacy Manager Oversees
At a high level, the privacy manager makes sure your business meets the core requirements of the UK GDPR and related regulations. In plain English, that typically includes:
Lawful, Fair And Transparent Processing
You must have a lawful basis for processing personal data (for example, performing a contract, legitimate interests, consent). The privacy manager makes sure your notices are clear and up to date, often by maintaining a customer‑facing Privacy Policy.
Purpose Limitation And Data Minimisation
Only collect what you need, for clear purposes, and don’t keep it longer than necessary. This ties directly into data mapping and a retention schedule (more on that below).
Accuracy And Security
Keep data accurate and implement appropriate security measures. Depending on your setup, that could mean access controls, encryption, MFA, staff training and secure disposal practices.
Individual Rights
People have rights over their data (access, deletion, rectification, objection and more). The privacy manager sets up processes to respond within legal timeframes and tracks outcomes.
Accountability And Documentation
Demonstrating compliance is a legal duty. That often involves Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIAs) for higher‑risk projects, supplier due diligence, and internal policies.
Marketing And Cookies (PECR)
In addition to the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) regulate email/SMS marketing and the use of cookies/trackers. Your privacy manager will coordinate consent mechanisms and publish a clear Cookie Policy.
Core Responsibilities In A Small Business
Here’s what a privacy manager typically takes ownership of in an SME environment.
1) Data Mapping And Risk Assessment
- Identify what personal data you collect (customers, prospects, employees, suppliers) and why.
- Document where data flows - forms, website, CRM, payment processors, cloud storage, spreadsheets, email lists.
- Flag higher‑risk activities and consider if a DPIA is required (for example, large‑scale monitoring, new tech, children’s data).
2) Policies, Notices And Records
- Maintain your external notices (Privacy Policy and Cookie Policy) and internal playbooks (data retention, access control, breach response).
- Keep a simple Record of Processing to evidence what data you have, where, why and on what lawful basis.
- Align retention rules with your operations - and apply them consistently.
As part of this work, many businesses create a retention schedule using the guidance in how long you should keep personal data.
3) Supplier And Platform Management
- Check that third‑party processors (email tools, survey platforms, cloud hosts, payroll providers) meet your security and privacy standards.
- Put in place a Data Processing Agreement (DPA) with each processor covering confidentiality, security, sub‑processors and international transfers.
- Review where data is stored (UK, EEA, or other countries) and ensure transfer safeguards are in place.
4) Rights Requests (SARs) And Complaints
- Set up a simple, trackable process for receiving and verifying requests.
- Collect data from systems, review for third‑party information, and respond within the statutory deadline.
- Keep a log of requests and decisions.
It’s helpful to standardise your approach using practical resources like subject access request templates.
5) Breach And Incident Response
- Train your team to spot and escalate issues quickly (mis‑sent emails, lost devices, suspicious logins).
- Follow a clear response process, including assessment of risk, containment, remediation and ICO notifications if needed.
- Record all incidents - even near misses - to spot patterns.
A written Data Breach Response Plan is essential so your team knows exactly what to do under pressure.
6) Training, Culture And BYOD
- Provide short, regular training - phish‑spotting, password hygiene, handling SARs, using BCC correctly.
- Set sensible rules for remote work and personal devices. If staff use their own phones or laptops, review the risks highlighted in work phones vs BYOD under GDPR.
- Embed privacy in onboarding and performance expectations.
How To Set Up The Role In Your Team
Ready to put a privacy manager in place? Here’s a straightforward rollout plan you can follow.
Step 1: Define Scope And Authority
Decide who will own the function (existing employee or new hire). Give them a clear remit, time allocation, and direct access to leadership when decisions are needed (for example, pausing a risky launch until a DPIA is complete).
Step 2: Run A Short Privacy Audit
Start with a pragmatic audit focused on your key data flows:
- Website and apps (forms, cookies, analytics, re‑marketing)
- Sales and CRM (leads, email lists, attribution tools)
- Customer support (tickets, chat tools, recordings)
- Payments and invoicing (card processors, accounting software)
- HR and recruitment (onboarding, payroll, health data)
- Vendors and platforms (hosting, backups, file sharing)
Capture “what data, why, where, who can access, how long” for each area. This becomes your living RoPA.
Step 3: Get Your Core Documents In Place
Most small businesses need a short, practical document set tailored to their operations. Typically, that includes:
- A public‑facing Privacy Policy aligned with your actual processing
- A Cookie Policy with clear explanations of cookies/trackers and choices
- Internal retention rules, access control and breach response procedures
- Template Data Processing Agreement for suppliers
If you share personal data with other controllers (for example, a franchise partner or joint marketing partner), you’ll also want the right governance in place, which may include appropriate contracts, technical restrictions and role clarity.
Step 4: Fix Your High‑Impact Risks First
Prioritise the changes that reduce the biggest risks quickly:
- Switch on MFA for admin accounts and critical apps
- Reduce over‑collection on forms (only ask for what you need)
- Set sensible default retention rules (auto‑delete or archive)
- Tighten vendor access and remove unused accounts
- Roll out basic staff training (15–20 minutes) and quick‑reference guides
Step 5: Establish Ongoing Routines
Privacy is not a one‑off project. Build a light, recurring cadence:
- Quarterly supplier reviews and permission clean‑ups
- Quarterly checks on SARs, complaints and incidents
- Annual policy refresh and a short all‑staff refresher
- Project “gates” - run a DPIA before launches with new tracking, profiling or sensitive data
Step 6: Marketing And Cookies Done Right
Make sure your privacy manager has sign‑off on email/SMS campaigns, analytics tools, and new marketing partners. Balance legitimate interests and consent appropriately, and keep a record of your assessment. For cookie consent, ensure your banners align with your settings and disclosures, and that users can reject non‑essential cookies as easily as accept them.
Step 7: Prepare For Rights Requests And Deletion
Timeframes matter. Establish a route for verifying identity, collecting data from systems, and redacting third‑party information. Create internal guidance (with screenshots) so the process isn’t only in one person’s head. Many SMEs document a simple playbook based on SAR templates and a retention schedule consistent with data retention rules.
Privacy Manager Vs Data Protection Officer (DPO)
It’s easy to mix these up, but they’re not the same thing.
When A DPO Is Mandatory
Under the UK GDPR, appointing a formal DPO is only mandatory for certain organisations - for example, public authorities, or businesses that regularly and systematically monitor individuals on a large scale, or process special category data on a large scale. Most small businesses do not meet these thresholds.
Where A Privacy Manager Fits
A privacy manager is a practical, internal role your business creates to manage compliance. There’s no statutory job description; you decide the scope. They report into your leadership team and coordinate privacy day to day.
Can One Person Do Both?
If you’re legally required to have a DPO, that role has independence requirements and must avoid conflicts of interest. Many SMEs that don’t need a DPO opt for a privacy manager instead, often supported by external legal counsel for complex matters or DPIAs. If you’re unsure whether you need a DPO, it’s wise to get tailored advice.
Key Takeaways
- Appointing a privacy manager gives clear ownership of data protection and helps your small business comply with the UK GDPR and the Data Protection Act 2018 in a practical, day‑to‑day way.
- The role typically covers data mapping, policies and notices, supplier due diligence, rights request handling, breach response and staff training - all with a focus on reducing risk and building trust.
- Put the basics in place early: a transparent Privacy Policy, a clear Cookie Policy, supplier contracts like a Data Processing Agreement, and a written Data Breach Response Plan.
- Standardise your approach to rights requests using practical tools such as SAR templates, and align deletion with a schedule grounded in data retention periods.
- Train your team and set sensible rules for remote work and personal devices; review the risks called out in BYOD GDPR traps.
- You probably don’t need a formal DPO, but you do need someone with the time and authority to own privacy. Getting your legal foundations right now will save you headaches later.
If you’d like help setting up your privacy function - from drafting policies and DPAs to designing a pragmatic compliance plan - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.