Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, “privacy law” can feel like something only big tech companies need to worry about.
But the reality is that most SMEs handle personal data every day - customer enquiries, online orders, employee records, CCTV footage, marketing lists, and even just email addresses in your inbox.
The good news is you don’t need a huge compliance department to get this right. With a few clear steps, you can build a practical privacy law checklist that protects your customers, your team, and your business from day one.
Below, we’ll break down what UK privacy law means in practice, which rules apply to small businesses, and the key actions you should take to stay compliant as you grow.
What Does “Privacy Law” Mean In The UK (And Why It Matters For SMEs)?
When people talk about privacy law in the UK, they’re usually referring to the rules that apply when your business collects, uses, stores, shares, or deletes personal data.
In plain English, privacy law is about:
- Being transparent about what data you collect and why
- Only using data in fair, lawful ways
- Keeping data secure
- Respecting people’s rights over their information
For small businesses, getting privacy law right is about more than avoiding fines (although that’s part of it). It can also:
- build trust with customers (especially online customers)
- reduce the risk of disputes and complaints
- make it easier to work with suppliers and partners who ask for compliance assurances
- protect your reputation if something goes wrong (like a lost laptop, phishing email, or accidental data leak)
Just as importantly: privacy compliance is often easier and cheaper to set up early, rather than trying to retrofit processes after you’ve grown.
What Counts As Personal Data For A Small Business?
Under UK data protection rules, personal data is information that relates to an identified or identifiable living person.
In a small business, that commonly includes:
- names, email addresses, phone numbers
- delivery addresses and billing addresses
- order history and customer account details
- IP addresses and online identifiers (often through cookies)
- photos and video (including CCTV)
- employee HR records (performance, payroll, sick leave)
Special Category Data (Handle With Extra Care)
Some types of data are treated as more sensitive and come with extra rules (often called special category data). Examples include:
- health information
- biometric data (e.g. fingerprints, facial recognition)
- religious beliefs
- racial or ethnic origin
- sexual orientation
Many SMEs don’t intentionally collect this, but it can creep in - for example, if you store medical notes for staff absences, or collect dietary requirements for events, or store equality monitoring data.
If you suspect your business collects anything in this category, it’s worth getting tailored advice so you set it up safely.
Which UK Privacy Laws Apply To Small Businesses?
Most UK privacy law obligations for businesses come from these key rules:
1) UK GDPR And The Data Protection Act 2018
The UK GDPR (and the Data Protection Act 2018) set the core standards for how businesses must process personal data.
This is where you’ll see the big concepts like:
- lawful bases for processing (e.g. contract, legal obligation, legitimate interests, consent)
- data minimisation (only collect what you need)
- storage limitation (don’t keep data forever “just in case”)
- security requirements
- individual rights (like access and deletion requests)
Most small businesses should also have a clear Privacy Policy that explains what they do with personal data in a simple, readable way.
2) PECR (Privacy And Electronic Communications Regulations)
PECR sits alongside UK GDPR and mainly affects:
- marketing messages (email, SMS, certain types of calls)
- cookies and similar tracking technologies on your website
If you run an online store or even a simple brochure website, cookies can be a big compliance area. In practice, many SMEs need both a Cookie Policy and a cookie banner that accurately reflects how cookies are used.
3) Common Law Privacy And Confidentiality
Separate to data protection legislation, privacy issues can also arise under broader legal principles - for example, misuse of private information or confidentiality obligations (especially where sensitive business/customer information is involved).
This is one reason why it’s smart to treat privacy compliance as part of your “legal foundations”, not just a box-ticking exercise.
4) Sector-Specific Rules (Sometimes)
Depending on what you do, you may have extra privacy obligations. For example:
- health and wellness businesses handling health data
- education providers handling children’s data
- financial services and regulated industries
If you’re unsure, it’s usually best to confirm early - especially before you launch a new product, app, membership model, or marketing campaign.
A Step-By-Step Privacy Law Checklist For Small Businesses
If you’re looking for a practical way to approach privacy law compliance, these steps are a strong starting point.
Step 1: Map What Personal Data You Collect
Start simple. Create a list of:
- what personal data you collect (customers, staff, suppliers)
- where it comes from (website forms, email enquiries, in-person, payment provider)
- where you store it (CRM, spreadsheets, email, cloud storage, paper files)
- who you share it with (accountants, couriers, booking platforms, IT providers)
- how long you keep it
This “data map” becomes the backbone of your privacy compliance because it helps you spot risks you didn’t realise you had (like old mailing lists, shared logins, or staff downloading customer data onto personal devices).
Step 2: Choose The Right Lawful Basis For Each Activity
Under UK GDPR, you must have a lawful basis every time you process personal data. Common examples for small businesses include:
- Contract: you need the data to supply the product/service (e.g. delivery address)
- Legal obligation: tax and payroll record keeping
- Legitimate interests: reasonable business activities (only where it doesn’t override people’s rights)
- Consent: often relevant for certain marketing and non-essential cookies
Picking the wrong basis (or relying on consent when you don’t need it) can create avoidable compliance issues later - particularly when someone withdraws consent or asks why you collected information.
Step 3: Put Your Key Documents In Place
Most SMEs will need at least the following:
- a clear Privacy Policy (including required information and rights)
- a Cookie Policy if your website uses cookies beyond the strictly necessary
- terms with suppliers/service providers who handle personal data on your behalf (often called “processors”)
If you’re working with third parties (like email marketing providers, booking systems, cloud storage, payment processors, outsourced HR), your contracts should reflect data protection responsibilities. In many cases, a dedicated agreement or schedule is needed, like a Data Processing Agreement.
Templates can be tempting, but privacy documents need to match what your business actually does - otherwise your paperwork can create risk rather than reduce it.
Step 4: Build Security Into Your Day-To-Day Operations
Privacy law isn’t only about policies - it’s also about how you run your business.
Reasonable security measures for many SMEs include:
- strong, unique passwords (ideally from a password manager) and multi-factor authentication on email, cloud and admin accounts
- staff access controls (each person can only access what their role needs, and shared logins are avoided)
- full-disk encryption on laptops and mobile devices, so a lost device is far less likely to become a notifiable breach
- secure, regularly tested backups kept separate from the systems they protect
- clear processes for onboarding/offboarding staff, including revoking access promptly when someone leaves
- training staff to spot phishing and scams
If your team uses work systems on personal phones or laptops, that can create real GDPR risk. Many businesses manage this with an internal Acceptable Use Policy so expectations are clear and enforceable.
Step 5: Know How To Handle Data Subject Requests
Individuals have rights over their data, including the right to:
- access their data (often called a “subject access request”)
- correct inaccurate data
- delete data (in some circumstances)
- object to certain processing
You don’t need to panic about these - but you do need a process. Under UK GDPR you usually have one calendar month to respond (extendable in complex cases), so a simple internal checklist can help you log the request, verify the requester’s identity, respond on time, and avoid disclosing someone else’s information by mistake.
Step 6: Have A Plan If Something Goes Wrong
Data incidents happen even to careful businesses - a misdirected email, a stolen device, an employee putting a mailing list in “CC” instead of “BCC”, or a hacked account.
What matters is how quickly you respond and whether you can show you took reasonable steps.
Many SMEs benefit from having a written incident process (even a short one) so you can:
- contain the breach
- assess the risk to individuals
- decide whether you need to notify the ICO and/or affected individuals
- document what happened and what you changed to prevent it recurring
In the UK, if a personal data breach is likely to result in a risk to people’s rights and freedoms, you generally need to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, you’ll also usually need to inform those individuals without undue delay. Whether or not you notify, keep an internal record of the breach and your reasoning - the ICO expects to see one.
If you want a structured approach rather than starting from scratch, a bundled compliance solution like a GDPR package can be a practical way to cover your core documents and processes.
Privacy Law And Marketing: Email Lists, Cookies, And Consent
Marketing is where many small businesses accidentally trip up on privacy law - not because they’re trying to do the wrong thing, but because the rules differ depending on who you’re marketing to and how you’re doing it.
Email And SMS Marketing
When sending marketing emails or texts, you’ll usually need to think about:
- PECR rules (when consent is needed, and when the “soft opt-in” might apply)
- UK GDPR transparency (telling people how you’ll use their data)
- unsubscribe/opt-out mechanisms (these should be clear and functional)
As a general rule, don’t assume that because you have someone’s email address, you can automatically market to them forever. Your sign-up wording, your privacy information, and your customer relationship all matter.
Website Cookies And Tracking
If your website uses analytics tools, advertising pixels, retargeting, embedded videos, or social media plugins, you may be collecting data through cookies.
For many small businesses, cookie compliance comes down to:
- only placing non-essential cookies after appropriate consent (where required)
- giving users clear information about what cookies do
- keeping records/settings consistent with what your banner says
In practice, consent is generally required for cookies that aren’t strictly necessary for your site to work (for example, many analytics and advertising cookies). “Strictly necessary” cookies can usually be set without consent, but you should still explain them in your cookie information.
This is where having a proper Cookie Policy and an accurate cookie banner matters - because it’s not only a legal issue, it’s also a trust issue for customers who are increasingly privacy-aware.
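As an added illustration (not code from the original article or from Sprintlaw), the snippet below shows how a site can gate cookies on consent in practice: strictly necessary cookies are always set, every other category needs a positive opt-in, missing or malformed consent fails closed, and the Cookie Policy table is generated from the same registry the banner uses so the two cannot drift apart. The cookie names, categories and the `jar` abstraction over document.cookie are assumptions made for the example.

```javascript
// Added example: consent-gated cookie handling for a small-business website.
// Cookie names, categories and the `jar` wrapper are illustrative assumptions.

// One registry of every cookie the site sets, with the category shown in the
// banner and in the Cookie Policy. The gate, the banner and the policy table
// all read from this list, which is what keeps them consistent.
const COOKIE_REGISTRY = [
  { name: 'session_id',   category: 'strictly_necessary', purpose: 'Keeps you logged in and holds your basket', ttlDays: 0 },
  { name: 'csrf_token',   category: 'strictly_necessary', purpose: 'Protects forms against request forgery',    ttlDays: 0 },
  { name: '_analytics',   category: 'analytics',          purpose: 'Measures page visits',                      ttlDays: 365 },
  { name: '_ad_retarget', category: 'advertising',        purpose: 'Shows our adverts on other sites',          ttlDays: 90 },
];

// Strictly necessary cookies may be set without consent; anything else needs
// an explicit `true` for its category. A missing consent record or an unknown
// category is treated as "no", so a banner bug fails closed rather than open.
function isPermitted(cookie, consent) {
  if (cookie.category === 'strictly_necessary') return true;
  if (consent === null || typeof consent !== 'object') return false;
  return consent[cookie.category] === true;
}

// Names of the cookies that may be set for a given stored consent choice.
function permittedCookies(consent, registry = COOKIE_REGISTRY) {
  return registry.filter((c) => isPermitted(c, consent)).map((c) => c.name);
}

// Apply a consent choice: set the permitted cookies and clear the rest, which
// also handles the visitor withdrawing consent later. `jar` stands in for
// document.cookie so the logic can run outside a browser; in production wrap
// document.cookie (or your cookie library) with the same set/remove interface.
function applyConsent(consent, jar, registry = COOKIE_REGISTRY) {
  const set = [];
  const cleared = [];
  for (const cookie of registry) {
    if (isPermitted(cookie, consent)) {
      jar.set(cookie.name, cookie.ttlDays);
      set.push(cookie.name);
    } else {
      jar.remove(cookie.name);
      cleared.push(cookie.name);
    }
  }
  return { set, cleared };
}

// Rows for the Cookie Policy table, derived from the registry so the published
// description of each cookie matches what the code actually sets.
function cookiePolicyRows(registry = COOKIE_REGISTRY) {
  return registry.map((c) => ({
    name: c.name,
    category: c.category,
    purpose: c.purpose,
    retention: c.ttlDays === 0 ? 'session' : `${c.ttlDays} days`,
  }));
}

// Minimal in-memory cookie jar used in place of document.cookie.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, ttlDays) => store.set(name, ttlDays),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()].sort(),
  };
}

// Example run: the visitor accepts analytics but declines advertising.
const exampleJar = memoryJar();
applyConsent({ analytics: true, advertising: false }, exampleJar);
console.log('cookies now set:', exampleJar.names());
console.log('policy table:', cookiePolicyRows());
```

The important design choice is the default: with no consent record at all, only the two strictly necessary cookies are permitted, which is the behaviour a visitor who has not yet interacted with the banner should get.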
Privacy Law In The Workplace: Monitoring, CCTV, And Staff Data
Privacy law doesn’t only apply to customers. If you employ staff (or even engage contractors), you’re almost certainly processing personal data.
Some common “small business” scenarios include:
- keeping payroll, bank details, and tax information
- recording sickness and leave
- managing performance and disciplinary issues
- monitoring business systems for security
- using CCTV for safety or theft prevention
CCTV And Audio Recording
CCTV can be lawful, but it needs to be used carefully. If you’re installing cameras, you should be able to explain:
- why you need CCTV (your purpose)
- where cameras will be placed (and where they won’t)
- how long footage is retained
- who can access the footage
- how you notify people (signage and privacy information)
Audio recording is generally higher risk than video and can trigger extra concerns about intrusiveness. If you’re considering this, it’s worth reading up on CCTV with audio before you go ahead.
Even without audio, you should make sure you’ve thought through the legal and practical side of workplace cameras - cameras in the workplace can be legitimate, but only if you implement them in a fair and proportionate way.
Monitoring Emails, Internet Use, And Devices
Many small businesses want to protect themselves against data leaks, misuse of systems, or cyber threats. Some level of monitoring can be lawful, but you should be transparent and proportionate.
In practice, that means you’ll usually need:
- a clear policy explaining what monitoring happens and why
- to avoid “blanket surveillance” where less intrusive options work
- to keep monitoring data secure and only accessible to authorised people
Depending on what you monitor and how intrusive it is, you may also need to carry out a documented assessment (for example, a Legitimate Interests Assessment and/or a Data Protection Impact Assessment) before you start.
If you’re unsure where the lines are, the topic of monitoring employees’ computers is a good place to start - it’s a common issue for SMEs and one that can cause employee relations problems if handled poorly.
Recording Calls And Conversations
If your business records calls (for training, quality assurance, or dispute resolution), you need to think about privacy law, transparency, and (in some cases) electronic communications rules.
There’s no one-size-fits-all answer, but you should be able to justify recording, inform people appropriately, and store recordings securely. You should also consider whether consent is needed in your specific setup and make sure you’re not using recordings for incompatible purposes without a proper lawful basis.
If you’re thinking about recording conversations (including in-person), take a look at recording conversations so you understand the risks before you rely on recordings operationally.
Key Takeaways
- Privacy law applies to most small businesses because you’ll almost always handle personal data (customers, staff, suppliers, or website visitors).
- UK GDPR and the Data Protection Act 2018 are the main rules for data protection, and PECR often applies to marketing and cookies.
- Start with a data map so you clearly understand what data you collect, where it’s stored, who you share it with, and how long you keep it.
- Make sure you have the right documents in place (like a Privacy Policy, Cookie Policy, and appropriate supplier data terms) so what you do in practice matches what you say publicly.
- Security and internal policies matter - privacy compliance isn’t just paperwork, it’s also day-to-day processes, access controls, and staff training.
- Workplace privacy needs careful handling, especially for CCTV, monitoring, and recording, because the rules require fairness, transparency, and proportionality.
- If you’re unsure, get advice early - privacy compliance is much easier to build in from the start than fix after a complaint or breach.
If you’d like help getting your privacy compliance sorted (whether it’s a Privacy Policy, Cookie Policy, data processing terms, or setting up your internal processes), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.