Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is The GDPR And Why Does It Matter?
- Who Does GDPR Apply To?
- What Counts As “Personal Data” Under GDPR?
- Controllers, Processors, And Third Parties: Which One Are You?
- Does Brexit Change Who The GDPR Applies To?
- Common Scenarios: When Does GDPR Apply?
- Are There Any Exemptions Or Special Cases?
- What Are Your GDPR Responsibilities As A UK Business?
- What Legal Documents Do You Need For GDPR Compliance?
- How Can You Make Sure You’re Compliant?
- Key Takeaways: Who Does GDPR Apply To?
If you run a small business, startup, or online store in the UK, chances are you’ve heard of the GDPR - but figuring out exactly “who does GDPR apply to” (and what it means for your business) can feel like unravelling a complicated puzzle. Whether you’re selling products online, offering services, or even just collecting email addresses for marketing, understanding GDPR obligations from day one is key. Let’s break down the essentials so you can focus on growing your business safely - knowing your legal foundations are sorted.
In this practical guide, we’ll answer the big questions: who does GDPR apply to, how does it work after Brexit, and what steps should all UK businesses take to stay compliant? Keep reading to discover everything you need to know - without the legal jargon.
What Is The GDPR And Why Does It Matter?
The GDPR (General Data Protection Regulation) is a set of data protection rules that affects millions of businesses - not just in the UK and EU, but around the world. It covers how organisations collect, use, store, and share personal data about individuals. It’s backed up by the Data Protection Act 2018 here in the UK, which mirrors many of the GDPR’s requirements - so even post-Brexit, the key protections (often called UK GDPR) remain firmly in place.
Why does this matter? If you mishandle personal data, you risk fines, legal claims, and reputational damage. But more importantly, getting privacy right will build customer trust and help your business stand out for all the right reasons.
Who Does GDPR Apply To?
Let’s answer the big question head-on: Who does GDPR apply to? In short - nearly all UK businesses that process any personal data. It doesn’t matter if you’re a sole trader, limited company, e-commerce store, side hustle, or even a non-profit. If you collect, store, or handle information about individuals, GDPR likely applies to you.
Here’s a breakdown of when GDPR applies:
- Your business is based in the UK and processes personal data (about staff, suppliers, or customers) - this is always within scope of UK GDPR.
- Your business is based outside the UK but offers goods or services to (or monitors) people inside the UK - UK GDPR still applies. This catches many overseas e-commerce businesses and apps targeting UK customers.
- The data is about an identified or identifiable person (including name, contact details, IP address, etc.), and it’s processed as part of your professional or commercial activities - not just incidental handling.
Even small businesses and one-person startups are included. The main exceptions are for purely personal, household activities (like your personal address book).
Want to check if your specific business activities bring GDPR into play? See our guide: Does Business Structure Matter For GDPR?
What Counts As “Personal Data” Under GDPR?
Personal data under GDPR is defined very broadly. It includes any information that can identify a living individual, on its own or combined with other data.
- Names (customers, staff, suppliers)
- Email addresses (even work emails)
- Phone numbers
- Postal addresses
- Online identifiers (cookies, IP addresses, device IDs)
- Date of birth or age
- Payment details
- Photos and videos where people are recognisable
- Special category data (health info, ethnicity, religious beliefs, etc.) - stricter rules apply
If you “process” (which includes collecting, storing, analysing, or sharing) any of these, then GDPR is relevant to your business. Even things like CCTV footage or staff records are covered.
Check out: Are Work Email Addresses Considered Personal Data Under GDPR? for more detail.
Controllers, Processors, And Third Parties: Which One Are You?
GDPR splits organisations into two key roles:
- Data Controllers: Decide why and how personal data is processed (most small businesses, online shops, or service providers are controllers).
- Data Processors: Handle data on behalf of a controller (for example, a company providing payroll or marketing services to another business).
Most business owners will be “controllers” for their customers’ or employees’ data. If you outsource tasks (like email marketing, cloud storage, or payment processing), those suppliers are often “processors”. Both have legal duties under GDPR - but controllers carry ultimate responsibility for compliance.
Working with overseas contractors or cloud software? Make sure you understand your controller vs processor obligations and have proper contracts in place.
Does Brexit Change Who The GDPR Applies To?
Great question! After Brexit, the UK implemented its own version of the GDPR - known as “UK GDPR”, along with the Data Protection Act 2018.
- If you’re based in the UK and only process UK citizens’ data, you follow UK GDPR.
- If you offer goods/services (or monitor people) in the EU, you may also need to comply with the EU GDPR - even if your business is UK-based. For many online businesses, this means double obligations.
Key takeaway? Almost all UK businesses still need to comply with GDPR rules. And if you have international customers, you may need to understand both UK and EU regimes.
Common Scenarios: When Does GDPR Apply?
Let’s make this practical. Here are examples where GDPR will likely apply to a UK business owner:
- Running an online store (e-commerce): You collect customer names, addresses, and payment details during checkout. GDPR applies.
- Using a newsletter sign-up form: Even if you’re only capturing email addresses for marketing, GDPR applies.
- Operating CCTV in your shop: Any recorded footage of individuals is personal data. You’ll need to comply with GDPR (and CCTV compliance laws).
- Employing staff or contractors: Employee names, contact details, and payroll info are all personal data.
- Using a CRM or storing client records on cloud software: These usually involve storing or processing customer data - GDPR applies.
- Processing children’s data: Stricter rules apply, especially under the “Children’s Code” (age-appropriate design requirements).
For more on compliance steps in common business situations, visit: Essential Guide To Data Protection And Security Compliance Under UK GDPR.
Are There Any Exemptions Or Special Cases?
GDPR does not apply to data used purely for personal/household activities (for example, storing friends’ phone numbers in your private mobile). But almost any business or professional use will come under GDPR’s scope.
Some additional exemptions may apply for:
- Law enforcement or national security activities (rare for private businesses)
- Limited journalism, academic, or artistic content - but only with strict conditions
- Truly anonymous data (where individuals cannot be identified in any way)
These exemptions are narrow, so in most practical cases for small business owners, GDPR compliance is required.
What Are Your GDPR Responsibilities As A UK Business?
If GDPR applies to your business, you need to follow a series of principles and rules when handling personal data. These include:
- Collecting personal data only when necessary and for a clear, lawful purpose
- Being transparent with individuals (e.g., providing a Privacy Policy) about how you use their data
- Making sure data is accurate and kept up to date
- Ensuring data is kept secure (using encryption, limiting access, etc.)
- Letting people access, correct, or delete their data when requested
- Not transferring data outside the UK/EU without proper safeguards
- Reporting certain data breaches to the ICO (Information Commissioner’s Office) within 72 hours
For a handy list of steps, see: 5 Quick Tips For GDPR Compliance.
Remember: failure to comply can lead to fines of up to £17.5 million (or 4% of global turnover), plus hefty investigation costs and reputational damage.
What Legal Documents Do You Need For GDPR Compliance?
Getting your documents right is a crucial part of GDPR compliance. The essentials include:
- Privacy Policy: Clearly explains to customers, staff, and suppliers how their data is used, stored, and shared. This is required by law on any website or app that collects data. See our guide to Privacy and Cookie Policies for more info.
- Data Processing Agreements: When you share data with other companies (like marketing platforms, CRM providers, or payroll outsourcers), contractually set out data protection duties. Get help drafting a GDPR-compliant processing agreement.
- Data Breach Response Plan: Having a written plan to respond to data breaches is now an essential legal requirement. For guidance, see our step-by-step guide to writing a Data Breach Response Plan.
- Records of Processing Activities: Larger businesses (or those handling sensitive data) must keep detailed records of all data processing activities.
Avoid using generic templates - legal documents should be tailored to your specific business and reviewed regularly as you grow.
How Can You Make Sure You’re Compliant?
For most UK businesses, getting started with GDPR compliance involves these key steps:
- Audit what personal data you actually collect, store, and process (customers, staff, website users, suppliers, etc.).
- Pinpoint your lawful basis for processing each type of data (consent, contract, legal obligation, legitimate interest, etc.).
- Draft or update your Privacy Policy to clearly explain your data practices.
- Review all your third-party suppliers and make sure you have GDPR-compliant contracts in place.
- Train your team (even if small) in basic data security and privacy awareness.
- Have a data breach response plan and know your obligations for notifying the ICO and affected individuals.
- Regularly check and update your practices as laws, technology, and your business evolve.
If in doubt, a legal expert can help you map out your obligations and set up the right documentation - before problems arise.
Key Takeaways: Who Does GDPR Apply To?
- GDPR applies to nearly all UK businesses that process any personal data about individuals, regardless of your size or structure.
- Personal data includes any information that identifies an individual, from names and emails to IP addresses and photos.
- You are likely a “controller” for data you collect about customers, employees, and suppliers - carrying primary legal responsibility.
- Post-Brexit, UK GDPR largely mirrors EU GDPR - but if you serve EU customers, you may need dual compliance.
- Key documents for compliance include a tailored Privacy Policy, Data Processing Agreements, and a Data Breach Response Plan.
- Neglecting GDPR risks heavy fines and loss of customer trust - so get your data protection basics right from the start.
- Seek tailored advice if you’re unsure - a little legal help now will protect your business as it grows.
If you’d like help reviewing your GDPR compliance or setting up your privacy documents, our friendly legal team is here to help. Reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.