Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably handle personal data every day - customer enquiries, online orders, mailing lists, staff files, supplier contacts, and more.
That’s exactly why GDPR matters in the UK. Even if you’re not a “tech company”, data protection rules can still apply to you, and getting them wrong can create real risk - from customer complaints to regulatory action and reputational damage.
The good news is that GDPR compliance doesn’t have to be overwhelming. With the right systems and a practical GDPR policy, you can protect your business from day one and build trust with customers as you grow.
What Is The “GDPR Act” In The UK (And What Laws Apply)?
In the UK, people often say “GDPR Act” as shorthand for the data protection rules businesses have to follow. Strictly speaking, there isn’t a single “GDPR Act” - GDPR is a regulation, and in the UK the key rules come from a combined legal framework including:
- UK GDPR (the UK’s version of the General Data Protection Regulation, applying after Brexit)
- Data Protection Act 2018 (the key UK Act that sits alongside UK GDPR and fills in important details)
- Privacy and Electronic Communications Regulations (PECR) (rules on marketing texts/emails/calls and website cookies)
Put simply, these obligations are about how your business collects, uses, stores, shares, and deletes personal data.
Personal data is information that identifies someone directly or indirectly. Common examples in small businesses include:
- Names, email addresses, phone numbers
- Delivery addresses and billing details
- Customer service messages
- Employee HR records
- CCTV footage (where people can be identified)
- Online identifiers such as IP addresses (depending on context)
Some categories are more sensitive (for example health data), and those trigger extra duties.
It’s also worth noting that a good GDPR policy isn’t just a “tick-box” document - it’s part of demonstrating accountability if anyone (including the ICO, the UK regulator) asks what you’re doing to comply.
Does The GDPR Act Apply To Small Businesses?
In most cases, yes. The GDPR rules aren’t only for big companies - they apply to any organisation processing personal data, regardless of size.
So if you do any of the following, you should assume UK GDPR applies:
- Run a website with contact forms or online checkout
- Keep a customer list or CRM
- Send marketing emails (even occasional newsletters)
- Hire staff and keep HR/payroll records
- Use cloud tools to store business contacts and documents
- Record calls, take bookings, or keep enquiry logs
Controller vs Processor (Why This Matters In Practice)
One of the most useful ways to understand your responsibilities under the UK GDPR is to identify whether you are acting as a:
- Data controller - you decide why and how personal data is used (most small businesses are controllers for their customers and staff data).
- Data processor - you process personal data on behalf of someone else (for example, if you provide services to clients and only use data according to their instructions).
This matters because controllers carry the main legal responsibility for compliance, and processors must follow controller instructions and have appropriate security in place.
In many B2B relationships, you’ll also need a Data Processing Agreement in place where one party processes data for the other.
Do You Need To Register With The ICO?
Many small businesses need to pay the ICO data protection fee (and some businesses may be exempt depending on what they do with personal data). This is separate from having a GDPR policy, but it often comes up at the same time when you’re getting your compliance sorted.
If you’re unsure, it’s worth checking your position, because not paying the fee when it applies can create unnecessary compliance risk.
What Does The GDPR Act Require? Key Principles Small Businesses Should Know
The UK GDPR framework is built around a set of principles. You don’t need to memorise legal wording - but you do need to build your business practices around them.
1. Lawfulness, Fairness, And Transparency
You need a valid legal basis to process personal data, and you must be clear with people about what you’re doing with it. This is where a strong Privacy Policy becomes essential - especially if you collect data through your website, bookings, or online sales.
For many businesses, legal bases commonly include:
- Contract (you need the data to provide a product/service)
- Legal obligation (for example payroll and tax records)
- Legitimate interests (a common one for customer relationship management, balanced against individuals’ rights)
- Consent (often relevant for marketing, but you need it to be valid and properly recorded)
2. Purpose Limitation
Only use personal data for the purpose you collected it for (or a compatible purpose). If you collect an email to send an invoice, you can’t automatically add it to a marketing list unless you’re allowed to do so.
3. Data Minimisation
Collect what you actually need - not “just in case”. This is especially important with forms. If you don’t need someone’s date of birth, don’t ask for it.
4. Accuracy
Take reasonable steps to keep data up to date. In practice, that means having a way to correct customer records when they tell you something has changed.
5. Storage Limitation (Retention)
You shouldn’t keep personal data forever. You need sensible retention periods and a plan for deletion. A practical starting point is to define how long you’ll keep customer enquiries, inactive customer accounts, and old HR records.
A lot of small business owners build their retention rules into their GDPR policy - and it can help to think through data retention periods early, rather than scrambling later.
6. Integrity And Confidentiality (Security)
You must protect personal data with appropriate technical and organisational security. What’s “appropriate” depends on your business, but common steps include:
- Strong passwords and multi-factor authentication
- Access controls (only staff who need data can access it)
- Encryption for laptops/devices where possible
- Policies preventing insecure sharing of data
- Staff training and clear procedures
If your team uses personal devices for work (or you allow it informally), be careful - that can create GDPR exposure if you don’t have the right rules in place. Many businesses address this through workplace policies and clear data-handling expectations, particularly where there’s BYOD risk (for example, messages and attachments containing customer data). Issues like these often overlap with the common BYOD GDPR traps.
7. Accountability
Accountability is the “prove it” principle: you must not only comply, but also be able to demonstrate compliance. This is where having a written GDPR policy, keeping basic records, and documenting decisions becomes valuable.
What Is A GDPR Policy (And Do You Need One)?
A GDPR policy is an internal document that explains how your business handles personal data and what your staff (or contractors) must do to keep data secure and compliant.
Even if you’re a sole trader, it’s still useful to have a written GDPR policy because it forces you to make decisions upfront, such as:
- What data you collect
- Why you collect it (your lawful bases)
- Where you store it
- Who can access it
- How long you keep it
- What happens if there’s a data breach
It also helps you train staff consistently and respond faster if something goes wrong.
GDPR Policy vs Privacy Policy (Don’t Mix These Up)
This is a common confusion:
- Privacy Policy = an external notice for customers/website users explaining what you do with their data.
- GDPR policy = an internal document setting rules and procedures for your team.
Most small businesses need both. If you only have an external policy, but no internal process, it’s easy for reality to drift away from what you promised customers.
How To Create A GDPR Policy For Your Small Business (Step-By-Step)
If you want a GDPR policy that actually helps your business (not just a dusty document), focus on clarity and practicality. Here’s a step-by-step process that works for most small businesses.
Step 1: Map The Personal Data You Handle
Start with a simple “data map”. List:
- What personal data you collect (customers, prospects, staff, suppliers)
- Where it comes from (website forms, email, social media, phone, in-person)
- Where it is stored (email inboxes, spreadsheets, accounting software, cloud drives)
- Who it is shared with (payment providers, couriers, accountants, HR platforms)
- Whether it leaves the UK (international cloud hosting or overseas contractors)
This step is often where business owners realise they’re holding more personal data than they thought - and it’s spread across more tools than expected.
Step 2: Identify Your Lawful Bases And Explain Them Simply
For each main activity, note the lawful basis in plain English. Your GDPR policy should reflect how you actually operate.
For example:
- Order fulfilment: contract
- Invoices and tax records: legal obligation
- Customer support: legitimate interests (and contract where relevant)
- Marketing emails: consent or PECR soft opt-in (depending on the scenario)
If you’re not sure which basis applies, it’s worth getting legal advice - picking the wrong one can cause problems later, especially if someone challenges your marketing or data use practices.
Step 3: Set Clear Rules On Access And Security
Your GDPR policy should state who can access personal data and how they should handle it. This is where practical rules help, such as:
- Staff must not download customer lists onto personal devices
- Only authorised team members can access HR folders
- Passwords must be strong and not shared
- Personal data should not be sent via unsecured channels
If your staff use work systems, spell out what’s permitted. For many employers, this sits alongside an Acceptable Use Policy so your team understands the boundaries on devices, email accounts, and online tools.
Step 4: Decide Your Retention Periods And Deletion Process
A GDPR policy should include a retention section that covers:
- How long you keep enquiry data (especially where no sale is made)
- How long you keep inactive customer records
- How long you keep marketing lists after someone unsubscribes
- HR record retention and secure disposal
Be realistic. If you say “we delete everything after 30 days” but never do, your policy becomes a liability rather than protection.
Step 5: Build A Simple Data Breach Plan (Before You Need It)
A data breach isn’t only a hacker breaking in. For small businesses, breaches often look like:
- Sending an email with personal data to the wrong recipient
- Losing a laptop or phone with customer information
- Staff accidentally sharing access to a folder
- Falling for a phishing email
Your GDPR policy should set out a basic breach procedure:
- Who must be told internally, and immediately
- How you contain the breach (reset passwords, revoke access, recover devices)
- How you assess risk to individuals
- Whether you need to report to the ICO (you must report without undue delay and, where feasible, within 72 hours of becoming aware of it, if it’s likely to result in a risk to individuals)
- Whether you need to notify affected individuals (generally where there’s a high risk)
- How you document what happened and what you changed to prevent repeat issues
Many businesses formalise this with a Data Breach Response Plan so you’re not trying to make decisions under pressure.
Step 6: Address Third Parties And International Transfers
Most small businesses rely on third parties - cloud storage, email marketing tools, payment providers, booking systems, accountants, and more.
Your GDPR policy should reflect how you manage these relationships, including:
- Only using reputable providers with appropriate security
- Checking where data is hosted and whether it is transferred overseas
- Having processor terms or a DPA where required
Even day-to-day tools matter here. For example, if you store client files in a cloud drive, you should be confident your setup supports your compliance obligations (permissions, access, sharing controls). This is why many small businesses sanity-check whether their storage tools are suitable from a GDPR perspective, including the question of whether their cloud storage is GDPR compliant.
Step 7: Train Your Team And Keep The Policy Alive
A GDPR policy only works if your team follows it. Build a simple onboarding process:
- Give staff the policy and have them acknowledge it
- Run basic training (even a short session) on handling personal data
- Refresh it when you introduce new systems or services
If you use AI tools in your workflow, also be cautious about what information gets entered into them. Some businesses cover this in internal policies so staff don’t paste sensitive personal data into tools without approval. Data protection and AI is a fast-moving area, and it often helps to think through your approach early, including the practical steps around AI and GDPR privacy.
Key Takeaways
- The UK “GDPR Act” obligations usually refer to UK GDPR plus the Data Protection Act 2018 (and often PECR for marketing and cookies).
- Small businesses are not exempt - if you process personal data (customers, enquiries, employees), GDPR compliance likely applies to you.
- A practical GDPR policy is an internal rulebook that helps you handle data safely, train your team, and demonstrate accountability.
- Your GDPR policy should cover data mapping, lawful bases, security controls, retention/deletion, breach response, and third-party management.
- Having the right documents in place (like a Data Processing Agreement and a breach response plan) can significantly reduce your risk if something goes wrong.
- Don’t rely on generic templates - your GDPR policy should match how your business actually operates, and it’s worth getting legal help to tailor it properly.
If you’d like help putting together a GDPR policy and getting your data protection compliance set up properly, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.