Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business touches personal data in any way - even if it’s just a simple mailing list or staff contact details - the UK’s data protection rules apply. But how far does this go in practice, and who does GDPR affect day to day?
In this guide, we’ll break down exactly which businesses are caught by UK GDPR, what “personal data” really covers, and the actions you should take to stay compliant without overcomplicating things. The good news: with a clear plan and the right documents, you can handle privacy obligations confidently from day one.
What Is UK GDPR And Does It Still Apply After Brexit?
Yes - GDPR still applies in the UK. After Brexit, the UK retained a version of the EU General Data Protection Regulation (GDPR), known as the UK GDPR, which sits alongside the Data Protection Act 2018. Together, these laws set out how organisations must handle personal data about individuals in the UK.
In plain English, UK GDPR requires you to process personal data fairly, transparently and securely, for defined purposes, and only keep it for as long as you need it. It also gives people rights over their data (like the right to access and correct it) and imposes duties on organisations to respect those rights.
Key principles you’ll work with include:
- Lawfulness, fairness and transparency - tell people what you’re doing and have a lawful basis (consent, contract, legal obligation, legitimate interests, etc.).
- Purpose limitation - collect data for clear, specific purposes and don’t repurpose it without a good reason.
- Data minimisation - collect only what you genuinely need.
- Accuracy - keep data up to date.
- Storage limitation - don’t keep data longer than necessary.
- Integrity and confidentiality - keep data secure with appropriate technical and organisational measures.
- Accountability - be able to demonstrate how you comply (policies, records, training).
These aren’t just “big company” rules - they apply to most UK businesses, regardless of size, sector or whether you trade online or offline.
Who Does GDPR Affect In Practice?
UK GDPR focuses on organisations that “process” personal data. Processing is a broad term; if you collect, store, use, disclose or delete personal data about identifiable individuals, you’re processing. If that’s you, UK GDPR likely applies.
There are two main roles under GDPR:
- Data controllers decide why and how personal data is processed. Most small businesses are controllers for customer and employee data.
- Data processors act on a controller’s instructions (for example, a payroll provider or cloud CRM you use). If you provide services to other businesses that involve handling their customer data, you may be a processor too.
Importantly, this isn’t limited to digital data. Paper records that form part of a structured filing system are also in scope.
What about overseas activity? UK GDPR can apply to organisations outside the UK if they offer goods or services to UK individuals or monitor their behaviour (for example, through targeted online advertising). If you’re UK-based, and you use overseas vendors to handle data, you remain responsible for ensuring appropriate safeguards are in place.
Typical UK small businesses caught by UK GDPR include:
- Online shops, service businesses and platforms capturing customer details and payment information
- Professional services firms storing client records and ID verification documents
- Hospitality and leisure venues running booking systems, loyalty programs and CCTV
- Trades and local services collecting leads via web forms or at events
- Recruiters and agencies processing CVs and candidate information
If you’re touching personal data about customers, leads, website visitors, suppliers’ staff or your own employees, you should assume UK GDPR applies and set up the right controls.
Does GDPR Apply To B2B, Sole Traders And Charities?
Absolutely. UK GDPR is about personal data, not company size or profit status.
- B2B businesses still process personal data - think named contacts at client organisations, email addresses like firstname.lastname@company.com, direct lines and mobile numbers. That’s all in scope, even if the relationship is business-to-business.
- Sole traders and micro businesses must comply if they process personal data in the course of business. There’s no general exemption just because you’re small.
- Charities and not-for-profits are also bound by the same principles. While the ICO fee position may differ in certain cases, the obligations to process lawfully and securely remain.
There are some limited exemptions (for example, strictly personal or household activity). But most commercial activity - even on a small scale - brings you squarely within UK GDPR.
If your operations include recording or analysing calls with customers or prospects, it’s wise to revisit how UK GDPR applies to business calls, including transparency and retention.
Marketing, Websites And Cookies: When GDPR Applies
Marketing is where many small businesses first encounter GDPR. Here’s how the pieces fit together:
Email And SMS Marketing
Marketing rules are a combination of UK GDPR and the Privacy and Electronic Communications Regulations (PECR). In short, you need a lawful basis for processing personal data under UK GDPR, and you must also comply with PECR’s specific consent rules for electronic marketing messages.
For many small businesses, the soft opt-in can be helpful. It lets you market similar products to existing customers if you collected their details during a sale (or sale negotiations), gave them a clear opt-out at the time, and include an opt-out in every message. Otherwise, you generally need prior consent to send direct marketing via email or SMS to individuals.
Whatever your approach, you should be able to point to a lawful basis (often consent or legitimate interests), record your decision-making, and provide easy unsubscribe links. It’s also worth brushing up on the broader email marketing laws that sit alongside GDPR.
Websites, Cookies And Analytics
Cookies and similar tech are regulated by PECR and UK GDPR. In practice, most non-essential cookies (like analytics, advertising and social media pixels) require consent before they’re set. That means a clear, granular consent mechanism and no dropping non-essential cookies until the user says yes.
Make sure your cookie banners are configured correctly, and back them up with a transparent Cookie Policy and a comprehensive Privacy Policy explaining your data use in plain English.
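To show what “no dropping non-essential cookies until the user says yes” looks like in code, here is an added example (not from the original article, and not a Sprintlaw or any vendor’s library) of a small, category-based consent gate. Storage and the script loader are passed in as assumptions so the logic runs outside a browser; in a real site you would pass `window.localStorage` and a function that appends a `<script>` tag.

```javascript
// Added example: a category-based cookie consent gate.
// Non-essential scripts (analytics, advertising, social) only load once the
// user has opted in to that category; until then they are held in a queue.
// The consent record itself is strictly necessary, so it is stored without a prompt.
const CATEGORIES = ["analytics", "advertising", "social"];

// storage: an object with getItem/setItem/removeItem (e.g. window.localStorage).
// loadScript: a function that actually injects a script URL (assumed, supplied by caller).
function createConsentGate(storage, loadScript) {
  const KEY = "cookie_consent_v1"; // constructed key name for this example
  const pending = { analytics: [], advertising: [], social: [] };

  function read() {
    const raw = storage.getItem(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  return {
    // Record a granular choice. Every category is an explicit true/false and
    // anything not positively ticked is treated as refused (no pre-ticked boxes).
    record(choices) {
      const consent = { ts: new Date().toISOString(), categories: {} };
      for (const c of CATEGORIES) consent.categories[c] = choices[c] === true;
      storage.setItem(KEY, JSON.stringify(consent));
      // Release scripts that were held under categories the user just allowed.
      for (const c of CATEGORIES) {
        if (consent.categories[c]) pending[c].splice(0).forEach(loadScript);
      }
      return consent;
    },
    // True only if a stored consent record positively allows this category.
    allowed(category) {
      const consent = read();
      return !!(consent && consent.categories[category]);
    },
    // Gate a non-essential script: load it now if allowed, otherwise hold it.
    gate(category, src) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      if (this.allowed(category)) { loadScript(src); return "loaded"; }
      pending[category].push(src);
      return "held";
    },
    // Withdrawal removes the record; later gate() calls hold scripts again.
    withdraw() {
      storage.removeItem(KEY);
    },
  };
}
```

Withdrawing consent does not delete cookies already set by third-party scripts, so a real deployment also needs a routine that clears those cookies on withdrawal.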
Privacy Notice On Your Site
UK GDPR requires you to tell people how you use their data. The easiest way is a clear, accessible Privacy Policy on your site and in-app. It should cover your purposes, lawful bases, categories of data, who you share it with (including processors), retention, international transfers, and people’s rights.
Employees, CCTV And Internal Data: Employer Duties Under GDPR
UK GDPR isn’t only about customers. As an employer, you process a lot of staff data - right from recruitment through onboarding, payroll and beyond. That can include IDs, emergency contacts, health information, performance data and more.
Key actions for employers include:
- Give staff a privacy notice explaining how you use their data, including any monitoring (email, internet use, time tracking, CCTV with or without audio, etc.).
- Limit access to HR and payroll information to those who need it and keep it secure.
- Use appropriate contracts with any payroll, HR or IT providers that process data for you - a robust Data Processing Agreement is essential.
- Set clear retention periods for HR files and stick to them.
- Have a process for responding to data rights requests, including access, correction and deletion where applicable.
Data subject access requests (DSARs) are common. You typically have one month to respond, so it’s worth preparing a playbook and understanding the SAR deadlines and exemptions upfront.
If you operate CCTV on your premises, remember that images of identifiable individuals are personal data. Signage, limited retention and strict access controls are key, and audio recording raises additional risks that need careful justification.
What Documents And Processes Should You Have In Place?
Once you understand who GDPR affects, the next step is practical compliance. These documents and processes help you demonstrate accountability and reduce risk.
Core Policies And Notices
- Privacy Policy on your website/app, plus tailored internal privacy notices for employees, candidates and contractors. Your Privacy Policy should match your actual practices - avoid boilerplate that doesn’t reflect reality.
- Cookie and Marketing Language aligned with your tech stack. If you use analytics or ad pixels, ensure your consent mechanism and messaging are accurate and that non-essential cookies don’t fire before consent.
Contracts And Data-Sharing Controls
- Data Processing Agreement with each vendor that processes personal data on your behalf (cloud software, payment processors, marketing platforms, IT support). A compliant Data Processing Agreement sets out security, sub-processing, breach notification, and assistance with data rights.
- Data Sharing Agreement where you share personal data with another controller (for example, a partner organisation running a joint initiative). A clear Data Sharing Agreement defines roles, purposes, and legal bases.
Records, Risk Assessments And Training
- Records of Processing (a RoPA) describing your key data flows, lawful bases and retention. This is the backbone of your compliance program and helps you answer customer and regulator questions quickly.
- Data Protection Impact Assessments (DPIAs) for higher-risk activities - for example, deploying new tracking technologies, large-scale processing of sensitive data, or employee monitoring.
- Security Measures proportionate to your risk profile: access controls, encryption, multi-factor authentication, backups, vendor management and incident response plans.
- Breach Response Plan so you can triage incidents fast, limit damage and decide if you need to notify the ICO and affected individuals within the required timescales.
- Staff Training so your team recognises phishing, handles data carefully and knows how to escalate issues.
International Transfers
If you use tools that store data outside the UK (which is common with SaaS platforms), you’ll need an appropriate transfer mechanism, such as UK adequacy decisions or the International Data Transfer Agreement (IDTA). Always check where your vendors host data and document your safeguards.
Do You Need To Pay The ICO Fee?
Most UK organisations that process personal data must either pay the ICO data protection fee or confirm an exemption. The amount depends on your size and turnover. It’s quick to check and important to get right - start with the basics on the ICO fee and exemptions so you’re covered.
Marketing Compliance Checklist
- Map your channels (email, SMS, calls, postal) and decide the lawful basis for each.
- Use a consent capture flow that’s easy to understand and avoids pre-ticked boxes.
- Where appropriate, apply the soft opt-in for similar products to existing customers.
- Maintain suppression lists and respect opt-outs promptly.
- Align your process with applicable email marketing laws and keep screenshots/records of your sign-up flows.
If this is starting to feel like a lot, don’t stress - you can phase it in. Begin with your privacy notice, vendor contracts and cookie compliance, then build out your records, training and DPIAs as you grow. The important thing is to show you’re thinking about privacy and taking sensible steps.
Key Takeaways
- UK GDPR applies to most UK businesses that process personal data - including B2B companies, sole traders and charities. If you handle customer, lead, supplier or employee information, assume you’re in scope.
- You’re likely a controller for your own customer and staff data, and you may be a processor for clients if you handle data on their behalf. Understand your role, because your duties differ.
- Marketing and websites bring extra rules via PECR. Get consent right, consider the soft opt-in for existing customers, and make sure your cookie banners don’t deploy non-essential cookies until someone opts in.
- As an employer, you process significant staff data. Provide clear privacy notices, lock down HR systems, and prepare for DSARs with a plan that hits the SAR deadlines.
- Put your legal foundations in place early: a transparent Privacy Policy, solid vendor contracts (including a Data Processing Agreement), appropriate data sharing terms, records of processing and a practical breach response plan.
- Check whether you need to pay the ICO fee or qualify for an exemption, and document your decision either way.
- Start simple and build up - prioritise the highest risks first (public-facing data collection, vendors and security), then expand your compliance toolkit as your business grows.
If you’d like help tailoring your privacy compliance to your business, our team can get you protected from day one. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.