If you run a business in the UK and you collect any kind of customer information, whether that is a name, an email address, a phone number or even an IP address, then UK GDPR applies to you. Full stop.
A lot of small business owners assume GDPR is only something big corporations need to worry about. That is simply not true. The Information Commissioner’s Office enforces data protection rules on businesses of all sizes, including sole traders and startups.
The good news is that once you understand the basics, compliance is very manageable. This guide is written in plain English with a step-by-step checklist, useful tables, and answers to the questions UK business owners search for most. By the end, you will know exactly where you stand and what to do next.
Common Myth
“We are too small for GDPR to apply to us.” Wrong. GDPR applies to any organisation that collects personal data, regardless of size. Even a one-person business with a small mailing list must comply.
What Is UK GDPR and Who Does It Apply To?
UK GDPR stands for the UK General Data Protection Regulation. It is the UK version of the EU’s original GDPR law, which became UK law after Brexit on 1 January 2021. It works alongside the Data Protection Act 2018 and is enforced by the ICO.
In simple terms, it is a set of rules about how businesses must collect, store, use and protect personal information. If you handle data that belongs to a real, living person based in the UK, this law applies to you.
This includes businesses that:
- Collect names, email addresses, phone numbers or any other personal details
- Store customer order history or account information
- Run a website with contact forms, chat tools or cookies
- Use a call centre, email support team or live chat service to handle customer enquiries
The 7 Principles of UK GDPR
Everything in UK GDPR comes back to seven core principles. Think of these as the rules your business must follow when handling anyone’s personal information.
| Principle | What It Means in Practice |
| --- | --- |
| Lawfulness, Fairness and Transparency | You must have a proper reason to collect data and be upfront with people about how you use it |
| Purpose Limitation | Only collect data for a specific reason, then only use it for that reason and nothing else |
| Data Minimisation | Collect only the data you actually need. Do not gather information just because you can |
| Accuracy | Keep data up to date and fix mistakes promptly when people point them out |
| Storage Limitation | Do not keep data forever. Set clear timelines and delete it when you no longer need it |
| Integrity and Confidentiality | Keep data safe from hackers, accidental loss and unauthorised access |
| Accountability | You must be able to prove you are doing all of the above. Document everything |
UK GDPR Compliance Checklist for Small Businesses
Use this checklist to see where your business currently stands. Work through each item and tick off what you already have in place.
| Task | What You Need to Do | Priority |
| --- | --- | --- |
| Register with the ICO | Most UK businesses must pay an annual data protection fee. Check if you need to at ico.org.uk | Essential |
| Write a Privacy Policy | Publish a clear privacy policy on your website explaining what data you collect and why | Essential |
| Identify Your Lawful Basis | Know the legal reason you are collecting each type of data before you collect it | Essential |
| Create a Processing Record | Keep a written record of all the personal data your business holds and why | High |
| Get Proper Marketing Consent | Never send marketing emails or texts without clear opt-in consent from the recipient | Essential |
| Secure Your Data | Use strong passwords, encryption and access controls to protect customer information | Essential |
| Plan for a Data Breach | Know exactly what you would do and who you would contact if customer data was exposed | High |
| Train Your Team | Make sure every member of staff who handles data understands their basic responsibilities | High |
| Handle Access Requests | Have a process ready for when customers ask to see what data you hold about them | High |
| Delete Old Data | Regularly review what you are holding and remove anything you no longer need | Ongoing |
| Vet Your Suppliers | If a third party handles data on your behalf, check they are GDPR compliant too | High |
| Fix Your Cookie Banner | Get proper consent for non-essential cookies before they are placed on a visitor’s device | Essential |
ICO Registration and the Data Protection Fee
Most businesses that handle personal data must register with the ICO and pay an annual fee. This is separate from Companies House registration and is often overlooked by small business owners.
| Tier | Who This Applies To | Annual Fee (2025) |
| --- | --- | --- |
| Tier 1 | Micro businesses with a turnover under £632K or fewer than 10 members of staff | £52 |
| Tier 2 | Small and medium-sized businesses that do not qualify for Tier 1 | £93 |
| Tier 3 | Large organisations and public authorities | £2,900 |
Not sure whether you need to register? The ICO has a free self-assessment tool on their website at ico.org.uk that takes about 5 minutes. If you are required to register and have not done so, the ICO can issue a fine just for that alone.
Your Lawful Basis: Why You Are Allowed to Collect Data
Before you collect any personal data, you need a lawful basis. This means you need a valid legal reason for doing so. You must decide which one applies to each type of data you collect.
| Lawful Basis | When It Applies | Example |
| --- | --- | --- |
| Consent | The person has clearly agreed to it | Ticking a box to join your email newsletter |
| Contract | You need the data to fulfil a contract | Collecting a delivery address when someone places an order |
| Legal Obligation | The law requires you to hold it | Keeping payroll records for HMRC for 6 years |
| Vital Interests | Needed to protect someone’s life | Sharing health information in an emergency |
| Public Task | Necessary for an official function | A council processing planning applications |
| Legitimate Interests | Your business has a genuine and proportionate reason | Following up with an existing customer about a related service |
Key Tip
Consent is often used as a default but it is not always the right choice. If you are collecting data to fulfil a contract, for example a customer placing an order, then “contract” is the correct lawful basis. Consent is best saved for marketing and situations where people have a genuine free choice.
What Happens If You Have a Data Breach?
A data breach is any incident where personal data is accessed, lost, destroyed or shared without authorisation. This includes a hacker stealing your customer list, an email sent to the wrong person, or a laptop being stolen.
Under UK GDPR, if a breach is likely to put people’s rights or freedoms at risk, you must:
- Report it to the ICO within 72 hours of becoming aware of it
- Notify the affected individuals directly if they are at high risk of harm
- Document the breach even if you decide it does not need to be reported
A breach response plan does not need to be complicated. It simply needs to exist before something goes wrong, not after.
What Are the Fines for Non-Compliance?
The ICO can issue fines for UK GDPR violations. For most small businesses, the ICO will typically start with warnings and improvement notices before reaching for financial penalties. However, the fines can be significant if a business is found to be repeatedly ignoring its obligations.
| Type of Breach | Maximum Fine |
| --- | --- |
| Less serious violations such as poor record keeping or missing documentation | Up to £8.7 million or 2% of global annual turnover |
| More serious violations such as unlawful data processing or major security failures | Up to £17.5 million or 4% of global annual turnover |
Beyond the financial penalties, the reputational damage of a publicised data breach can be far more costly for a small business than any fine. Customers care deeply about how their information is handled.
How Outsourcing Affects Your GDPR Responsibilities
Many small businesses use external providers to handle part of their customer operations, whether that is a call centre, an email support team or a live chat service. Under UK GDPR, when a third party processes personal data on your behalf, they become what is known as a Data Processor.
As the business owner, you remain the Data Controller. You are still responsible for ensuring that your supplier handles data correctly. This means you must:
- Have a written Data Processing Agreement in place before sharing any customer data
- Check that your supplier follows the same data protection standards you are required to uphold
- Ensure data is not transferred outside the UK without appropriate safeguards
At Telesolutions Call Central, every client receives a signed Data Processing Agreement as standard. All customer data handled through our call centre and support services is managed in full compliance with UK GDPR, from how calls are recorded to how long records are kept and when they are deleted.
Conclusion
UK GDPR compliance is not something you can put off indefinitely. The legal obligations are real, the ICO’s enforcement activity is increasing year on year, and customers are paying more attention than ever to how businesses handle their personal information.
For most small businesses, getting compliant is not a huge project. It is a matter of working through the checklist above, getting registered with the ICO, having a clear privacy policy, knowing why you are collecting each type of data, and making sure your team and your suppliers are on the same page.
Once you have the basics in place, compliance becomes part of how you operate rather than something you stress about. And the businesses that handle data well do not just avoid fines. They build the kind of customer trust that is genuinely hard to buy.
Frequently Asked Questions (FAQs)
Does UK GDPR apply to small businesses?
Yes. UK GDPR applies to any business or individual that collects or processes personal data relating to UK residents, regardless of how large or small the organisation is. A sole trader with a contact form on their website is subject to the same legal framework as a major corporation.
Do I need to register with the ICO?
Most businesses that process personal data do need to register and pay the annual data protection fee. The most affordable tier is £52 per year for micro businesses. You can use the ICO’s free self-assessment tool at ico.org.uk to find out whether you need to register.
What counts as personal data under UK GDPR?
Personal data is any information that can identify a living person. This includes obvious things like names, email addresses and phone numbers, as well as less obvious data such as IP addresses, location data, cookie identifiers and customer account numbers.
What is a Subject Access Request?
A Subject Access Request, often shortened to SAR, is when a person asks to see all the personal data your business holds about them. Under UK GDPR, you must respond within one calendar month and there is no charge for a standard request.
Can I email customers for marketing purposes?
Only if you have their clear consent or if they are an existing customer and the marketing relates to similar products or services they have previously bought from you. You must also provide an easy way to unsubscribe in every marketing message you send.
What should my privacy policy include?
Your privacy policy should explain who you are, what personal data you collect, why you collect it, who you share it with, how long you keep it, and what rights people have over their own data. It needs to be written in clear, plain language that anyone can understand.
How long can I keep customer data?
There is no single answer. It depends on the purpose for which the data was collected and any legal requirements that apply. HMRC requires financial records to be kept for at least six years. The key rule is that you must not keep data longer than you genuinely need it, and you should have a documented retention policy that sets out your timelines.
What do I do if there is a data breach?
If a breach is likely to put people’s rights at risk, report it to the ICO within 72 hours of discovering it. If individuals face a high risk of harm, you must also notify them directly. Whether or not you report, document every breach internally so you have a record.
Do I need a cookie banner on my website?
Yes, if your website uses non-essential cookies such as Google Analytics, advertising trackers or social media plugins. These require user consent before they are activated. A cookie banner that lets visitors accept or reject cookies is the standard approach, and it must be set up so cookies are not loaded before consent is given.
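The point above that non-essential scripts must not run before consent is the part most banners get wrong. As an added example that is not part of the original post, this small consent gate queues analytics and tracker scripts until the visitor accepts, drops them on rejection, and remembers the choice; the storage key, element ids and script URLs are assumptions.

```javascript
// Added example, not code from the original post: a consent gate that keeps
// non-essential scripts (and the cookies they set) off the visitor's device until
// consent is recorded. Storage and the loader are injected so it runs without a DOM.
const CONSENT_KEY = "cookie_consent_v1"; // assumed storage key

class ConsentGate {
  constructor(storage, loadScript) {
    this.storage = storage;       // getItem/setItem, e.g. window.localStorage
    this.loadScript = loadScript; // (url) => void, e.g. append a <script> tag
    this.pending = [];            // non-essential scripts waiting for a choice
    this.loaded = [];             // scripts actually placed on the page
  }
  // "accepted", "rejected", or null when the visitor has not chosen yet.
  status() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw).choice; } catch { return null; }
  }
  // Register a non-essential script (analytics, ad tracker, social plugin): runs
  // now only if consent is recorded, waits if no choice yet, is dropped if rejected.
  register(url) {
    const choice = this.status();
    if (choice === "accepted") this.load(url);
    else if (choice === null) this.pending.push(url);
  }
  load(url) { this.loaded.push(url); this.loadScript(url); }
  accept() {
    this.storage.setItem(CONSENT_KEY, JSON.stringify({ choice: "accepted", at: Date.now() }));
    for (const url of this.pending.splice(0)) this.load(url);
  }
  reject() {
    this.storage.setItem(CONSENT_KEY, JSON.stringify({ choice: "rejected", at: Date.now() }));
    this.pending.length = 0; // queued scripts never load; nothing is set on the device
  }
}
// In-memory stand-in for localStorage so the example runs without a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, v); } };
}
// Browser wiring (only when a DOM exists): bind the banner buttons to the gate.
if (typeof document !== "undefined") {
  const gate = new ConsentGate(window.localStorage, url => {
    const s = document.createElement("script"); s.src = url; document.head.appendChild(s);
  });
  gate.register("https://example.com/analytics.js"); // placeholder analytics URL
  document.getElementById("accept-cookies")?.addEventListener("click", () => gate.accept());
  document.getElementById("reject-cookies")?.addEventListener("click", () => gate.reject());
}
```

Strictly necessary cookies (session, CSRF token) are not routed through the gate; only scripts that would set tracking or advertising cookies are registered with it.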
Do I need a contract with my call centre or support provider?
Yes. If a third party processes personal data on your behalf, UK GDPR requires you to have a written Data Processing Agreement in place. Without one, both you and your provider are exposed to regulatory risk. Any reputable outsourced support provider should offer this as a matter of course.