Does UK GDPR apply to my small business?

Yes, if you process personal data about individuals in the UK — which includes collecting customer email addresses, storing employee records, or using website analytics. The rules apply regardless of business size. However, the ICO takes a proportionate approach to enforcement for small businesses acting in good faith.

What is the difference between UK GDPR and EU GDPR?

UK GDPR is the UK's domestic version of EU GDPR, retained after Brexit. The rules are substantially the same. If you process data about EU residents, you may also need to comply with EU GDPR. For most UK-only small businesses, UK GDPR is the only relevant framework.

Do I need a Data Protection Officer (DPO)?

Most small businesses do not need a DPO. A DPO is only required if you are a public authority, carry out large-scale systematic monitoring of individuals, or process special category data (health, criminal records, etc.) on a large scale. If you are unsure, the ICO has a self-assessment tool.

Can I use Google Analytics without GDPR consent?

Google Analytics collects personal data (IP addresses, device identifiers) and may transfer data outside the UK. You need a lawful basis — usually consent — and must disclose this in your privacy policy. Many businesses use a cookie consent banner to obtain consent before loading analytics scripts.

What are the maximum fines for GDPR breaches?

The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches. For less serious infringements, the maximum is £8.7 million or 2% of turnover. In practice, large fines are reserved for serious, systematic failures by large organisations. Small businesses acting in good faith are more likely to receive guidance and warnings.

GDPR & Data Protection for UK Small Businesses (2026)

Last updated May 2026Reviewed against UK gov.uk sources

UK GDPR (the UK's post-Brexit version of the EU's General Data Protection Regulation) applies to almost every business that processes personal data about individuals in the UK. 'Processing' includes collecting, storing, using, sharing, and deleting data. For most small businesses, the obligations are manageable — but ignoring them is not an option.

Direct answer

Most small businesses process personal data — customer names, email addresses, employee records. UK GDPR sets out the rules. This guide explains what you must do, in plain English, without the legal jargon. Use the key facts, step list and official source links on this page to confirm the decision before you spend money or register anything.

ICO registration fee: £40–£60/year (most SMEs)
Maximum fine: £17.5m or 4% of turnover
Breach notification: 72 hours to ICO
Data subject rights: 1 month to respond

Checklist

Quick checklist

Check whether you need to register with the ICO (£40–£60/year)
Identify all the personal data you collect and process
Document your lawful basis for each type of processing
Publish a privacy policy on your website
Set up a process to handle Subject Access Requests within 1 month
Have a data breach response plan
Review and delete data you no longer need
Check your marketing emails comply with PECR (consent or soft opt-in)

Section 01

Do you need to register with the ICO?

Most businesses that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO). This is separate from — and in addition to — complying with UK GDPR.

Tier 1 (£40/year): small organisations with turnover under £632,000 or fewer than 10 staff.
Tier 2 (£60/year): medium organisations with turnover under £36 million or fewer than 250 staff.
Tier 3 (£2,900/year): large organisations — public authorities and businesses above the Tier 2 thresholds.
Exemptions: individuals processing data for personal, family, or household purposes; businesses that only process data for staff administration, advertising, marketing, or public relations (with no other processing).
Check your registration status and pay at ico.org.uk/registration. Failure to register when required is a criminal offence.

Section 02

The six data protection principles

UK GDPR is built around six principles that govern how personal data must be handled. Every processing activity must comply with all six.

Lawfulness, fairness and transparency: you must have a lawful basis for processing, be honest about how you use data, and not process it in ways people would not reasonably expect.
Purpose limitation: collect data for specified, explicit and legitimate purposes. Do not use it for something incompatible with the original purpose.
Data minimisation: only collect the data you actually need. Do not collect data 'just in case'.
Accuracy: keep data accurate and up to date. Have processes to correct inaccurate data.
Storage limitation: do not keep data longer than necessary. Have a retention policy.
Integrity and confidentiality: protect data against unauthorised access, loss, or destruction. Use appropriate security measures.

Section 03

Lawful basis for processing

You must have a lawful basis for every type of personal data processing you carry out. There are six lawful bases — most small businesses rely on one or two.

Consent: the individual has given clear, specific, informed and freely given consent. Must be easy to withdraw. Not suitable for employment relationships.
Contract: processing is necessary to perform a contract with the individual, or to take steps before entering a contract (e.g. processing a customer's address to deliver an order).
Legal obligation: processing is necessary to comply with a legal obligation (e.g. keeping PAYE records for HMRC).
Vital interests: processing is necessary to protect someone's life. Rarely applicable to small businesses.
Public task: processing is necessary for a task in the public interest. Mainly applies to public authorities.
Legitimate interests: processing is necessary for your legitimate interests, and those interests are not overridden by the individual's rights. The most flexible basis, but requires a balancing test.
For marketing emails: you need either consent (for new contacts) or the 'soft opt-in' (for existing customers who bought similar products/services and did not opt out).

Section 04

What you must tell people — privacy notices

You must provide individuals with clear information about how you process their data. This is usually done through a privacy notice (also called a privacy policy) on your website.

Your identity and contact details.
The purposes and lawful basis for processing.
Who you share data with.
How long you keep data.
Individuals' rights (access, rectification, erasure, portability, objection).
The right to complain to the ICO.
Whether you transfer data outside the UK and what safeguards apply.
Use our free privacy policy template as a starting point.

Section 05

Individual rights you must respect

UK GDPR gives individuals a set of rights over their personal data. You must be able to respond to these requests within one month.

Right of access (Subject Access Request): individuals can ask for a copy of all personal data you hold about them. You must respond within one month, free of charge.
Right to rectification: individuals can ask you to correct inaccurate data.
Right to erasure ('right to be forgotten'): individuals can ask you to delete their data in certain circumstances (e.g. when you no longer need it, or they withdraw consent).
Right to data portability: individuals can ask for their data in a machine-readable format to transfer to another provider.
Right to object: individuals can object to processing based on legitimate interests or for direct marketing.
Rights related to automated decision-making: individuals have rights if you make solely automated decisions that significantly affect them.

Section 06

Data breaches — what to do

A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. If you have a breach, you must act quickly.

Assess the breach: what data was affected, how many people, what is the risk of harm?
If the breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it.
If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals without undue delay.
Keep a record of all breaches, even those you do not need to report.
Report a breach to the ICO at ico.org.uk/report-a-breach.

Partner offers

Before you go — claim your reader offers

Two offers we recommend to every UK founder. Codes are exclusive to readers of this guide.

See full terms

Business bank account

Reader offer

Tide Business Account

£200 free cash

£75 when you complete £100 of card transactions within 30 days, plus a further £125 when you deposit £5,000 within 7 days. No credit check, open in 5 minutes.

Tide codeREFER200

Claim £200 free

Business credit card

Reader offer

Capital on Tap business credit card

7,500 free points

Get 7,500 points (worth £75) when you complete your first card transaction within 30 days. 1% uncapped cashback. Up to £250k credit limit.

Capital on Tap codeSETTINGUP

Claim 7,500 points

18+, UK residents only. Offers are subject to each provider's terms. Tide: £75 paid after completing £100 of card transactions within 30 days of opening, plus a further £125 paid after depositing £5,000 within 7 days (total £200, code REFER200). Capital on Tap: 7,500 points (≈ £75) after first card transaction within 30 days; credit subject to status. We may receive a commission if you sign up — it doesn't change the offer to you.

Common questions

GDPR & data protection for small businesses