Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business touches customer data in any way - from taking bookings to running an email list - the UK GDPR likely applies to you.
The rules aren’t just for tech giants. Most small businesses need to comply, too. The good news? With a clear plan, compliance is manageable and will actually build trust with your customers.
In this guide, we’ll break down who must conform with the UK GDPR, what it means in practice, and the practical steps you can take to get compliant and stay protected from day one.
Does The UK GDPR Apply To My Business?
In most cases, yes. The UK GDPR applies if your business processes “personal data” - any information that can identify an individual - and you’re either:
- Established in the UK and processing personal data in the context of that establishment; or
- Outside the UK, but you offer goods or services to UK-based individuals or monitor their behaviour (for example, through analytics or app tracking).
It covers limited companies, sole traders, partnerships, charities, clubs and any organisation that touches personal data in the UK. This includes online-only businesses and micro businesses. There is no blanket exemption for small firms.
A common question is whether the UK GDPR applies to business contacts. It depends on whether the contact details identify a person (such as a name or a direct email address). If so, the UK GDPR applies. For more detail on where that line falls, it’s worth reviewing when the UK GDPR applies to business contacts.
The UK GDPR sits alongside the Data Protection Act 2018, which adds UK-specific rules (for example, around law enforcement data and some exemptions). You should also be aware of PECR - the Privacy and Electronic Communications Regulations - which govern electronic marketing and cookies (we’ll cover this below).
Controllers, Processors And Personal Data: What You Need To Know
To understand whether you must conform with the UK GDPR, it helps to be clear about a few key terms.
What Counts As Personal Data?
Personal data means any information that identifies a living individual. It includes obvious data like names, emails and phone numbers, but also less obvious data like device IDs, cookie identifiers, IP addresses (when linked to a user), and customer support recordings. “Special category” data (like health information) and criminal offence data have extra protections.
Are You A Controller Or A Processor?
- Controller: You decide why and how personal data is processed. Most small businesses are controllers for their customer and employee data.
- Processor: You process personal data on someone else’s instructions (for example, a payroll provider acting for a client, or a fulfilment partner handling customer addresses for dispatch).
Some businesses act as both, depending on the activity. For example, you’re a controller for your own CRM. If you provide order fulfilment for another retailer and follow their instructions, you may be their processor for that activity.
Why does the distinction matter? Controllers carry the main compliance duties (lawful basis, transparency, responding to individual rights). Processors have their own obligations (following instructions, keeping data secure, assisting controllers). The contract between the parties must include certain UK GDPR clauses.
Your Core UK GDPR Duties (In Plain English)
If you’re a controller, you must follow the UK GDPR’s core principles and be able to demonstrate you’ve done so (the “accountability” principle). Here’s what that looks like in practice.
1) Identify A Lawful Basis For Each Processing Activity
For each use of personal data (e.g. taking orders, sending shipping updates, running analytics), decide the lawful basis - such as consent, contract, legal obligation, legitimate interests, vital interests, or public task (for public bodies). Choose carefully and document your reasoning.
2) Be Transparent
Tell people what you’re doing with their data in clear, plain English. This is typically done through a prominent, up-to-date Privacy Policy and layered notices where needed (e.g. checkout messaging, employee onboarding).
3) Collect Only What You Need (Data Minimisation)
Don’t collect more data than is necessary for your purpose, and don’t keep it “just in case”. If you don’t need date of birth to provide your service, don’t ask for it.
4) Keep Data Accurate And Up To Date
Build in ways to update data - for example, account settings for customers or clear processes to correct records.
5) Set Retention Periods And Delete Or Anonymise On Time
Decide how long you need each type of data and stick to it. Your policy should explain your data retention periods in practical terms.
6) Keep Data Secure
Take appropriate technical and organisational measures - encryption, access controls, staff training, vendor due diligence, and incident response plans. Security should be proportionate to the risks.
7) Respect Individual Rights
People have rights over their data (access, rectification, erasure, restriction, portability, objection and rights related to automated decision-making). You’ll need a process to receive, verify, and respond to these requests - including tracking subject access request deadlines.
8) Use Compliant Contracts With Vendors
If a supplier processes personal data for you (e.g. email platform, cloud provider, outsourced support), you must have a UK GDPR-compliant Data Processing Agreement in place that covers mandatory clauses, including security, sub-processors and assistance with rights requests.
9) Consider DPIAs And DPOs Where Required
If you plan “high-risk” processing (like large-scale profiling, or processing special category data), you may need a Data Protection Impact Assessment (DPIA). Some organisations must appoint a Data Protection Officer (DPO). Many small businesses won’t need a DPO, but the requirement is worth checking based on your activities.
10) Know When To Report Data Breaches
If you suffer a personal data breach that risks harm to individuals (e.g. loss of confidentiality or availability), you may need to report it to the ICO within 72 hours and possibly to affected individuals. Keep an incident response plan ready.
Special Cases: Overseas Businesses, Micro Businesses And Industry Nuances
UK GDPR can apply even if you’re not physically in the UK. If you’re based overseas but you target UK customers (pricing in GBP, shipping to the UK, UK-focused ads), or monitor the behaviour of people in the UK, you’re likely in scope. You may also need to appoint a UK representative if you don’t have a UK establishment.
Micro and small businesses are still caught. While the practical approach can be proportionate to your size and risk, the obligations don’t disappear. For example, a single-person ecommerce store collecting names and emails for orders must still identify lawful bases, provide transparency and secure data.
Industry nuances matter, too:
- Health, biometric or other special category data triggers stricter rules.
- Children’s data involves extra transparency and consent standards.
- Financial services, regulated health providers and schools have additional sector requirements beyond UK GDPR.
If your processing is complex, large-scale, or involves sensitive data, get tailored advice before you go live - it’s far easier to build compliant processes now than to retrofit them later.
Documents, Contracts And Practical Steps To Get Compliant
Let’s translate “who must conform with the UK GDPR” into actions you can take this month. Here’s a pragmatic checklist for small businesses.
Map Your Data
- List what data you collect (customers, prospects, employees, suppliers), how you collect it, why you need it, where you store it, who you share it with, and how long you keep it.
- For each activity, identify your lawful basis and any special category data.
Write Or Update Your External Notices
- Publish a clear, accessible Privacy Policy covering the who/what/why/where/how of your data practices.
- Use short “just in time” notices at collection points (e.g. sign-up forms) to highlight key points.
Put The Right Contracts In Place
- Have a controller–processor Data Processing Agreement with each vendor that processes data for you.
- Document any controller–controller data sharing in a clear agreement that sets responsibilities.
Sort Cookies And Marketing
- For non-essential cookies and similar technologies, you generally need prior consent under PECR. Make sure your cookie banners are clear, granular and non-deceptive.
- Check your email/SMS marketing flows against PECR’s consent or soft opt-in rules, and always offer an easy opt-out.
Prepare For Individual Rights Requests
- Set up a central process (and inbox) for rights requests, with training for staff on verifying identity and logging deadlines. Keep a playbook that covers subject access request deadlines, scope and exemptions.
Define Retention And Deletion
- Create and enforce a retention schedule that aligns with your legal and business needs. If you’re unsure what “reasonable” looks like, start with clear, documented data retention periods per data type and system.
Secure Your Systems
- Adopt sensible security measures: MFA, least-privilege access, encryption at rest/in transit, regular updates, vendor risk management and staff training.
- Document an incident response plan and run tabletop exercises.
Document Your Decisions (Accountability)
- Keep a central record of processing activities, lawful bases and assessments (including DPIAs where relevant). This shows your compliance if the ICO ever asks.
Helpful Extras For Common Scenarios
- Customer service calls and recordings: If you record phone calls, make sure your team knows the UK GDPR and PECR rules for voice data and consent.
- Retention of CCTV and access logs: Set specific retention periods and restrict access to trained staff.
International Transfers, AI Tools And Cloud Services
Many small businesses use overseas tools or store data in the cloud. That’s fine - but you must ensure lawful international transfers and appropriate safeguards. Check where your data is hosted, whether standard contractual clauses (or UK IDTA) are in place, and whether your vendor’s sub-processors are covered.
Also be thoughtful about generative AI, analytics and productivity tools. If staff paste sensitive customer data into AI prompts or share files widely in cloud storage, that creates real risk. Set clear policies, lock down access, and review default settings. If you’re unsure about your setup, consider an audit of your cloud stack and collaboration tools to check that they are configured to meet UK GDPR expectations (including access controls and data location), and remediate where needed.
Breaches, The ICO And Fees
If a breach could risk harm to people (e.g. phishing leads to inbox access, lost laptop without encryption), you may need to notify the ICO within 72 hours and sometimes affected individuals. Keep decision logs - not every incident is notifiable, but you must show how you reached your conclusion.
Most organisations must also pay an annual data protection fee to the ICO unless an exemption applies. The fee varies by size/turnover. It’s worth checking whether your business qualifies for any ICO fee exemptions to avoid paying more than you need to.
Cookies And Marketing: A Quick Word On PECR
PECR sits alongside the UK GDPR and deals with electronic marketing and tracking. In practice, that means:
- Non-essential cookies (analytics, advertising) usually require consent before setting.
- Email/SMS marketing to individuals requires consent unless you meet the soft opt-in conditions.
- You must always provide a simple way to opt out.
If you run ads or analytics, audit your tags and ensure your banner and choices truly reflect what’s being set.
Real-World Examples: Are You Caught?
- Online boutique taking orders: You’re a controller for customer data. You need a Privacy Policy, lawful bases for orders and marketing, cookie consent for analytics, processor contracts with your email and ecommerce platforms, and a retention plan.
- Trades business using a job app: You’re a controller for customer contact details and job notes. Your app provider likely acts as your processor - you’ll need a compliant DPA.
- US SaaS targeting UK clients: If you have UK users, you’re subject to UK GDPR for those users. You may need a UK representative and appropriate transfer safeguards.
- Agency running ads for clients: For campaign data you process on client instructions, you’re a processor. You’ll need a DPA with the client and must follow their lawful basis and instructions.
Key Takeaways
- Most UK organisations - including small and micro businesses - must conform with the UK GDPR if they process personal data. There’s no blanket small business exemption.
- If you target UK customers from overseas or monitor behaviour in the UK, the UK GDPR can still apply to you.
- Know whether you’re a controller, a processor, or both. Controllers carry the main duties, and controller–processor relationships must be governed by a compliant Data Processing Agreement.
- Core actions include choosing lawful bases, being transparent via a clear Privacy Policy, minimising data, securing systems, setting and applying retention periods, and handling rights requests on time.
- PECR adds rules for cookies and electronic marketing - make sure your cookie banners and marketing flows meet consent/soft opt-in standards.
- Prepare for data rights requests and track subject access request deadlines, and set clear, documented data retention periods so deletion is timely and consistent.
- Keep an eye on international transfers, cloud settings and vendor risk. Maintain incident response plans and check your ICO fee exemptions position annually.
If you’d like help working out whether the UK GDPR applies to your operations, or you need support with policies, contracts and practical compliance steps, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.