UK Compliance · Small Business · 10 min read · June 2026

UK GDPR for Small Businesses: Plain English

The UK General Data Protection Regulation (UK GDPR) applies to every business that collects, stores, or uses personal data, regardless of size. If you hold a customer list, a supplier contact spreadsheet, or staff HR records, you are in scope. This guide explains what UK GDPR actually requires from small businesses, in plain English, without the legal jargon.

UK GDPR vs EU GDPR

Since Brexit, the UK has its own data protection law (UK GDPR) retained and modified from the EU GDPR. If you transfer personal data to or from the EU (e.g. using EU-based software), you may also need to consider EU GDPR separately. For most UK small businesses operating only in the UK, UK GDPR and the Data Protection Act 2018 are the relevant laws.

The Six Data Protection Principles

UK GDPR is built on six principles that govern how personal data must be handled. Your business must demonstrate compliance with all six.

1. Lawfulness, fairness, and transparency
You must have a lawful basis to process data, process it fairly, and be transparent about how you use it.

2. Purpose limitation
Collect data only for specified, explicit, and legitimate purposes; do not use it for something different later without consent.

3. Data minimisation
Collect only what you actually need. If you do not need a person's phone number, do not collect it.

4. Accuracy
Keep personal data accurate and up to date. Allow people to correct inaccurate information.

5. Storage limitation
Do not keep personal data longer than necessary. Have a retention policy and delete data when the purpose ends.

6. Integrity and confidentiality
Process data securely: protect it against unauthorised access, accidental loss, and destruction. This is the security principle.

The Security Principle: What You Must Do

Article 5(1)(f) requires “appropriate technical and organisational measures” to secure personal data. For most small businesses, this means:

- Strong, unique passwords on all accounts that hold personal data: use a password manager
- Two-factor authentication on email, cloud storage, and any software holding client data
- Full-disk encryption on laptops and mobile devices (BitLocker for Windows, FileVault for Mac)
- Regular software updates: patched systems prevent the most common breaches
- A documented process for what happens if you lose a device or suspect a breach

What to Do When a Data Breach Happens

Under UK GDPR, you must report certain breaches to the ICO within 72 hours; that clock starts when you become aware of the breach, not when it happened.

  1. Contain the breach immediately: change passwords, isolate compromised systems, prevent further access.
  2. Assess the risk: does the breach risk individuals' rights and freedoms? (Lost encrypted laptop with strong password = low risk. Email with client records sent to a stranger = high risk.)
  3. Notify the ICO within 72 hours if the breach is likely to result in a risk to people's rights and freedoms. Use the ICO's self-service breach reporting portal.
  4. Notify affected individuals if the breach is high risk to them, promptly, clearly, and without undue delay.
  5. Document the breach in your breach register, even if you decide not to report it to the ICO.
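The five steps above are easier to get right when the breach register itself tracks the 72-hour clock and the notification decisions. The following Python script is an added illustration, not code from the original guide or from any ICO tool: it models a breach register in which every incident is recorded regardless of whether it is reported, computes the ICO deadline from the time you became aware (not from when the incident happened), and records separately whether the ICO and the affected individuals must be told. The `assess_risk` triage and the two sample incidents are constructed simplifications for the example, not the ICO's legal test.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Article 33 UK GDPR: report to the ICO within 72 hours of becoming aware.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)
UTC = timezone.utc


class Risk(Enum):
    LOW = "low"    # unlikely to result in a risk: record in the register only
    RISK = "risk"  # likely to result in a risk: notify the ICO
    HIGH = "high"  # high risk to individuals: notify the ICO and the people affected


def assess_risk(*, data_encrypted: bool, key_protected: bool,
                disclosed_to_third_party: bool, sensitive_data: bool) -> Risk:
    """Illustrative triage only (an assumption for this example, not the ICO's test).

    Encrypted, key-protected data that nobody else has read: low risk.
    Readable data that reached an unknown third party, or sensitive data: high risk.
    Any other exposure of readable personal data: likely to be a risk.
    """
    if data_encrypted and key_protected and not disclosed_to_third_party:
        return Risk.LOW
    if disclosed_to_third_party or sensitive_data:
        return Risk.HIGH
    return Risk.RISK


@dataclass
class Breach:
    reference: str
    occurred_at: datetime   # when the incident actually happened
    aware_at: datetime      # when the business became aware: this starts the clock
    description: str
    risk: Risk
    containment: list[str] = field(default_factory=list)
    reported_to_ico_at: datetime | None = None

    def ico_deadline(self) -> datetime:
        # Deliberately based on aware_at, never on occurred_at.
        return self.aware_at + ICO_NOTIFICATION_WINDOW

    def must_notify_ico(self) -> bool:
        return self.risk in (Risk.RISK, Risk.HIGH)

    def must_notify_individuals(self) -> bool:
        return self.risk is Risk.HIGH

    def hours_remaining(self, now: datetime) -> float:
        return (self.ico_deadline() - now) / timedelta(hours=1)

    def is_overdue(self, now: datetime) -> bool:
        return (self.must_notify_ico() and self.reported_to_ico_at is None
                and now > self.ico_deadline())


class BreachRegister:
    """Article 33(5): every breach is documented, reported to the ICO or not."""

    def __init__(self) -> None:
        self.entries: list[Breach] = []

    def record(self, breach: Breach) -> Breach:
        self.entries.append(breach)
        return breach

    def open_ico_actions(self, now: datetime) -> list[Breach]:
        """Entries that still need an ICO report, soonest deadline first."""
        pending = [b for b in self.entries
                   if b.must_notify_ico() and b.reported_to_ico_at is None]
        return sorted(pending, key=lambda b: b.ico_deadline())


# Constructed sample incidents mirroring the two cases in the guide.
LAPTOP = Breach(
    reference="BR-2026-001",
    occurred_at=datetime(2026, 6, 1, 18, 0, tzinfo=UTC),   # left on a train
    aware_at=datetime(2026, 6, 2, 9, 0, tzinfo=UTC),       # noticed next morning
    description="Laptop lost; BitLocker enabled with a strong passphrase",
    risk=assess_risk(data_encrypted=True, key_protected=True,
                     disclosed_to_third_party=False, sensitive_data=False),
    containment=["Remote wipe issued", "Cloud sessions and passwords reset"],
)
EMAIL = Breach(
    reference="BR-2026-002",
    occurred_at=datetime(2026, 6, 2, 14, 5, tzinfo=UTC),   # email sent
    aware_at=datetime(2026, 6, 2, 14, 30, tzinfo=UTC),     # stranger replied
    description="Client records emailed to an unknown external address",
    risk=assess_risk(data_encrypted=False, key_protected=False,
                     disclosed_to_third_party=True, sensitive_data=False),
    containment=["Recall attempted", "Recipient asked in writing to delete"],
)
AS_OF = datetime(2026, 6, 3, 10, 0, tzinfo=UTC)  # constructed 'now' for the report


def build_register() -> BreachRegister:
    register = BreachRegister()
    register.record(LAPTOP)   # recorded even though it will not be reported
    register.record(EMAIL)
    return register


if __name__ == "__main__":
    for b in build_register().entries:
        print(f"{b.reference}: risk={b.risk.value} ICO={b.must_notify_ico()} "
              f"individuals={b.must_notify_individuals()} "
              f"deadline={b.ico_deadline():%Y-%m-%d %H:%M} "
              f"hours_left={b.hours_remaining(AS_OF):.1f}")
```

Running the script lists both entries: the lost encrypted laptop stays in the register as low risk with no ICO report, while the misdirected email must be reported to the ICO and to the affected clients, with the deadline counted from 14:30 on 2 June (when the business became aware), not from 14:05 when the email was sent.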

Strengthen your security to meet UK GDPR obligations. Free.

Cyber Nova AI gives you a personalised security checklist mapped to the UK GDPR security principle. Create a free account and know exactly where you stand.


Frequently asked questions

Does UK GDPR apply to small businesses?

Yes. UK GDPR applies to any organisation that processes personal data, regardless of size. There is a small-business exemption for some administrative requirements, but the core security and transparency obligations apply from your first customer record. Sole traders who hold client names, email addresses, or payment information are in scope.

What are the fines for UK GDPR breaches?

The ICO can fine organisations up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious breaches. For less serious violations, fines can reach £8.7 million or 2% of turnover. In practice, the ICO focuses on larger organisations and persistent non-compliance. For small businesses, informal enforcement, warnings, and reprimands are more common, but fines have been issued to sole traders.

Do I need to register with the ICO?

Most businesses that process personal data must register with the ICO and pay the data protection fee (£40–£60 per year for most small businesses). Exemptions exist for some sole traders who only process data for personal, family, or household purposes. Check the ICO website to confirm whether you need to register.

What counts as a data breach under UK GDPR?

A data breach is any security incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes a lost laptop with unencrypted client data, an email sent to the wrong person, a ransomware attack, or a phishing attack that gives a criminal access to your email account.