Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is The UK GDPR And Who Does It Apply To?
- What Counts As Personal Data (And What Doesn’t)?
- Your Legal Bases, Roles And Responsibilities
- Does The UK GDPR Apply To Sole Traders, Startups And Clubs?
- UK GDPR Vs EU GDPR: Which One Applies?
- Common GDPR Myths That Catch Small Businesses Out
- What Happens If You Get It Wrong?
- Essential Documents And Policies To Put In Place
- Key Takeaways
If your business handles any information about people - from customer email addresses to CCTV footage in your shop - you’re almost certainly dealing with “personal data” under UK law. That means the UK GDPR likely applies to you.
Don’t stress - once you understand who the UK GDPR applies to and what it requires, you can put sensible, business-friendly systems in place. This guide explains the scope in plain English, so you know when UK GDPR bites, where the boundaries are, and what to do next to stay compliant and protect your business.
What Is The UK GDPR And Who Does It Apply To?
The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, sets rules for how organisations collect, use, store and share personal data. It applies to two main types of organisations:
- Data controllers – businesses that decide why and how personal data is processed (for example, a retailer deciding to collect customer emails for marketing).
- Data processors – businesses that process personal data on behalf of a controller (for example, a cloud CRM provider or outsourced payroll service).
Crucially, the UK GDPR applies to organisations:
- Established in the UK – if you have a UK presence (office, branch, or regular business activities), the UK GDPR generally applies to your processing, wherever it takes place.
- Outside the UK but targeting people in the UK – even without a UK presence, if you offer goods or services to people in the UK or monitor their behaviour in the UK (e.g. via cookies/analytics), the UK GDPR can still apply to those activities.
In other words, the UK GDPR applies to most UK-based small businesses and many overseas businesses that sell to or track UK users online. If you’re wondering how this interacts with B2B marketing and address books, it’s worth clarifying when UK GDPR applies to business contacts as well - many business contact details are still personal data if they identify an individual.
What Counts As Personal Data (And What Doesn’t)?
“Personal data” is any information relating to an identified or identifiable person. It includes obvious things like names and email addresses, but it also extends to:
- Online identifiers (IP addresses, device IDs, cookie IDs)
- Location data or customer profiles
- Photos, CCTV footage, audio recordings
- Customer support notes tied to an individual
If you can single out a person - directly or indirectly - it’s likely personal data.
Special category data (sensitive data) is subject to extra safeguards. This includes health data, biometrics (like fingerprints used for access control), religious beliefs and similar categories. If your workplace uses biometric attendance systems, for example, you’ll need to comply with strict UK GDPR rules and employment law when handling that data.
What isn’t personal data? Information about a company that doesn’t identify any person (e.g. a generic company email like info@company.com used by multiple people) may fall outside UK GDPR. However, the line is narrower than many think - personal corporate emails like firstname.lastname@company.com typically are personal data.
When The UK GDPR Applies To Common Small Business Activities
The UK GDPR applies whenever you “process” personal data - which includes collecting, storing, using, sharing, analysing or deleting it. Below are everyday scenarios where small businesses often engage UK GDPR duties.
Marketing And Sales
- Email marketing lists – Collecting and using subscriber details is processing personal data. You’ll need a lawful basis (often consent for newsletters, or legitimate interests for certain B2B outreach, assessed case by case). Make sure you have a clear Privacy Policy and opt-out options, and note that the Privacy and Electronic Communications Regulations (PECR) also apply to electronic marketing.
- Website tracking – Cookies and analytics can identify users. You’ll generally need a Cookie Policy and a compliant consent mechanism; practical tips on cookie banners are essential if you use non-essential cookies.
- Cold calls – Calls that involve personal data bring UK GDPR into play for transparency and data rights. For recorded calls, also see our guide to GDPR and business calls.
Customer Operations
- Orders and fulfilment – Names, addresses and payment details are personal data. You must secure them, use them only for legitimate purposes, and respect retention limits.
- Customer support – Any case notes that identify a person are in scope. Keep them accurate, limited to what’s needed, and delete them when no longer necessary.
HR And Workplace Data
- Hiring – CVs, interviews, references and right-to-work checks all involve personal data. Only collect what you need and keep it safe.
- Employee records – Payroll and performance records fall squarely within UK GDPR and employment law. Have clear internal policies, access controls and retention schedules.
Suppliers And B2B Contacts
- Personal corporate emails (e.g. jane@biz.com) and phone numbers are personal data. You’ll need a lawful basis when storing and using them, and you must honour opt-outs from marketing.
Your Legal Bases, Roles And Responsibilities
Every processing activity must have a lawful basis. The most common for small businesses are:
- Consent – The individual agrees clearly (e.g. newsletter sign-up). Must be freely given, informed and easy to withdraw.
- Contract – Processing necessary to perform a contract with the individual (e.g. shipping a customer order).
- Legal obligation – Required by law (e.g. tax or employment reporting).
- Legitimate interests – Your genuine business interests, balanced against the individual’s rights (document your assessment).
Controller vs processor obligations:
- Controllers set purposes and are primarily responsible for compliance, transparency, responding to rights, and choosing processors carefully.
- Processors must only act on a controller’s documented instructions, keep data secure, assist with rights requests and breaches, and maintain records.
When you use vendors (e.g. cloud tools, outsourced support) that process personal data for you, you must have a written Data Processing Agreement with required clauses. Many platforms provide standard terms, but you’re still accountable for vetting security, international transfers and sub-processors.
Core UK GDPR Duties: A Practical Checklist
Once you know the UK GDPR applies to your business, focus on a few foundations that will keep you compliant and efficient as you scale.
1) Be Transparent
- Publish a clear, accessible Privacy Policy explaining what you collect, why, lawful bases, sharing, international transfers, retention and rights.
- For websites/apps, add a Cookie Policy and a consent mechanism where required.
2) Limit What You Collect
- Collect only what you need for specified purposes (data minimisation), and keep it accurate and up to date.
- Define retention periods and purge data that’s no longer necessary; this is covered in our guide to data retention.
3) Keep Data Secure
- Use appropriate technical and organisational measures: access controls, encryption at rest/in transit, MFA, staff training, vendor due diligence and incident response.
- Document how you’ll handle incidents with a practical data breach response plan.
4) Manage Third-Party Processors
- Map your tools and providers (CRM, marketing, payroll, hosting). Put a Data Processing Agreement in place and check where data is stored.
- Be mindful of international transfers; ensure appropriate safeguards if data leaves the UK.
5) Respect Data Subject Rights
- Individuals can access, correct, delete, restrict, object to processing and port their data, among other rights.
- Set a process to handle a subject access request within the standard one-month timeframe; see timelines in our guide to SAR deadlines and consider lawful SAR exemptions where appropriate.
6) Use Cookies Compliantly
- Non-essential cookies (analytics/advertising) generally require prior consent under PECR. Ensure your banner doesn’t “nudge” users and that it honours choices.
- Give users a simple way to change or withdraw consent - and audit your site to ensure it behaves as promised.
Does The UK GDPR Apply To Sole Traders, Startups And Clubs?
Yes, the UK GDPR applies based on activity, not size. If a sole trader or small startup processes personal data (think customer enquiries, email lists, bookings, CCTV or employee data), UK GDPR obligations apply. There’s no blanket exemption just because you’re small or non-profit. Some obligations scale with risk - for example, you might not need a Data Protection Officer unless your activities trigger specific thresholds - but the general principles still apply.
For community groups or clubs, handling member details, event photos or mailing lists is processing personal data, so transparency, lawful basis, security and rights all matter here too.
UK GDPR Vs EU GDPR: Which One Applies?
Since Brexit, the UK GDPR governs processing related to the UK, while the EU GDPR applies in the EEA. Some businesses are subject to both, depending on where they operate and whom they target.
- UK-only operations targeting UK residents – generally UK GDPR only.
- UK business offering services to EU residents – EU GDPR may also apply to those EU-facing activities, possibly requiring an EU representative.
- EU business targeting UK residents – UK GDPR may apply to its UK-facing activities, possibly requiring a UK representative.
If you operate across borders, map your data flows and assess where each regime applies. Many practical steps (privacy notices, security, rights handling) will align across both frameworks, but there are differences in representatives, transfer rules and regulators.
Common GDPR Myths That Catch Small Businesses Out
We often hear the same misconceptions. Here’s what the law actually says:
- “It’s B2B, so GDPR doesn’t apply.” Not true. If information identifies a person (like a named business email or direct line), it’s personal data. See the nuances of UK GDPR and business contacts.
- “We only use Google Analytics, so no consent needed.” Analytics cookies are typically non-essential and often require consent under PECR, separate from GDPR. Use a compliant banner and Cookie Policy.
- “We can keep data forever ‘just in case’.” No. You need defined retention periods and secure deletion plans - start with a sensible retention schedule aligned to your purposes and read up on data retention.
- “Templates are enough for our processors.” You must ensure required clauses are in place and the vendor’s practices are appropriate. A proper Data Processing Agreement and due diligence are key.
- “We’ll worry about rights requests if they happen.” You have one month to respond in most cases, so you need a playbook now - from identity checks to locating data and deciding on exemptions. Start with a repeatable SAR process.
What Happens If You Get It Wrong?
Non-compliance risks include:
- Regulatory action – The ICO can investigate and issue fines (up to the higher of £17.5m or 4% of global annual turnover for the most serious infringements), plus enforcement notices.
- Claims and complaints – Individuals can complain or seek compensation for misuse of their data.
- Reputational damage – Data breaches and poor privacy practices erode trust quickly, especially for small brands.
The good news: most small businesses can get compliant with practical, proportionate steps. Start with mapping your data, tighten security and transparency, and formalise relationships with your vendors. Having a tested data breach response plan will also reduce the impact if something goes wrong.
Essential Documents And Policies To Put In Place
To embed compliance into your day-to-day, prioritise these documents:
- Privacy Policy – A clear public notice describing your processing in line with UK GDPR. Use a business-appropriate Privacy Policy tailored to your operations.
- Cookie Policy and Banner – If you use non-essential cookies, your Cookie Policy and consent banner must reflect what actually runs on your site.
- Data Processing Agreement – With each vendor that processes personal data for you, use a compliant Data Processing Agreement.
- Internal Data Protection Policy – Guidance for staff on handling data, access control, incident reporting and retention.
- SAR Playbook – A step-by-step process for handling data subject requests, drawing on best practice for deadlines and exemptions.
- Data Breach Response Plan – Roles, timelines and communications for incidents - adopt a practical response plan and test it.
Avoid relying on generic templates or drafting complex privacy documents yourself - these need to reflect your unique data flows, tools and risks to be effective and enforceable.
Key Takeaways
- The UK GDPR applies to most UK businesses that process personal data and to many overseas businesses targeting UK residents or monitoring their behaviour.
- Personal data is any information that identifies a person (including business emails tied to an individual). Special category data needs extra safeguards.
- As a controller or processor, you must have a lawful basis for each activity, be transparent, limit data collection, keep it secure and respect individual rights.
- Get core foundations in place: a clear Privacy Policy, compliant cookies setup, robust security, and a Data Processing Agreement with your vendors.
- Plan for rights requests and incidents with a repeatable SAR process and a tested data breach response plan.
- Set sensible retention periods and delete data you no longer need to reduce risk and demonstrate accountability.
If you’d like help working out whether the UK GDPR applies to your business and putting the right documents and processes in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.