What Is GDPR and Why Does It Exist?
GDPR stands for General Data Protection Regulation. It's a piece of legislation that sets out how organisations must handle personal data — any information that can identify a living person, such as a name, email address, phone number, IP address or location data.
The regulation came into force in May 2018 across the EU, and the UK adopted its own version — UK GDPR — after Brexit. For practical purposes, UK GDPR works in the same way as the EU version and is enforced by the Information Commissioner's Office (ICO).
The purpose of GDPR is to give people more control over their personal data and to hold organisations accountable for how they use it. It replaced a patchwork of older data protection laws and introduced significantly higher fines for serious breaches — up to £17.5 million or 4% of global annual turnover, whichever is higher. In practice, large fines are reserved for serious or repeated violations by larger organisations. Small businesses that make genuine efforts to comply are treated very differently.
Who Does GDPR Apply To?
GDPR applies to any organisation that processes personal data about people in the UK — regardless of size. If you hold a customer email list, keep employee records, use a CRM, or even just have a contact form on your website, GDPR applies to you.
There's no exemption for small businesses or sole traders. However, the regulation does take a proportionate approach — the obligations on a one-person business are far less onerous than those on a large corporation. The key is understanding what applies to your specific situation.
The 6 Lawful Bases for Processing Personal Data
One of the core principles of GDPR is that you must have a lawful basis for processing personal data. There are six options. You need to identify which one applies to each type of processing you carry out — and document it.
Consent
The person has given clear, specific agreement to you processing their data. This is what most people think of first — but it's not always the right basis, and it's one of the harder ones to maintain correctly.
Contract
Processing is necessary to fulfil a contract with the person, or to take steps before entering into one. If a customer buys from you, you need their address to deliver — that's contract.
Legal obligation
You're required to process the data to comply with the law. Keeping payroll records for HMRC is a good example.
Vital interests
Processing is necessary to protect someone's life. Rarely relevant for most small businesses.
Public task
Relevant mainly to public authorities and organisations carrying out tasks in the public interest.
Legitimate interests
You have a genuine, proportionate reason to process the data that isn't outweighed by the individual's rights. This is often the most appropriate basis for B2B marketing, fraud prevention and internal admin — but you need to document your reasoning.
For most small businesses, the most commonly used bases are contract (for processing customer data to fulfil orders or services), legal obligation (for payroll and tax records) and legitimate interests (for marketing to existing customers or business contacts). You don't need to use consent for everything — and in many cases, it's not the most appropriate choice.
What Documents Do You Actually Need?
GDPR requires you to be able to demonstrate compliance — which means having some documentation in place. Here's what most small businesses need:
Privacy Policy
A public-facing document on your website that explains what personal data you collect, why you collect it, how you use it, how long you keep it, and people's rights. It must be written in plain English and be easy to find. If you have a website with a contact form, you need one.
Record of Processing Activities (ROPA)
An internal document listing all the types of personal data you process, why you process it, the lawful basis, who has access to it, and how long you keep it. Technically required for organisations with 250+ employees, but the ICO strongly recommends all businesses maintain one — and it's the first thing they'd ask for in an investigation.
Consent Records (where consent is your lawful basis)
If you rely on consent to process data — for example, for an email marketing list — you must be able to prove that consent was freely given, specific, informed and unambiguous. Keep records of when and how people consented, and make it easy for them to withdraw consent at any time.
Data Processing Agreements (DPAs)
If you use third-party services that process personal data on your behalf — email platforms, CRMs, cloud storage, payroll software — you need a DPA with each of them. Most reputable providers (Mailchimp, Xero, Google, etc.) provide these automatically in their terms of service or on request.
ICO Registration
Most businesses that handle personal data need to pay a data protection fee to the ICO. It's £52/year for most small businesses. See our dedicated guide, "Do you need to register with the ICO?", for the full details.
What Is a Data Breach and What Do You Do About One?
A data breach is any incident where personal data is accidentally or unlawfully accessed, disclosed, altered, lost or destroyed. This includes obvious things like a hacker accessing your systems — but also more mundane incidents like sending an email to the wrong person, losing a laptop with unencrypted data on it, or accidentally deleting customer records.
Under UK GDPR, if you experience a breach that is likely to result in a risk to people's rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, you must also notify the affected people directly.
Not every breach needs to be reported. A low-risk incident — like accidentally sending a non-sensitive email to the wrong address — may not meet the threshold. The key question is: could this breach cause harm to the individuals whose data was affected?
What you should always do is document the breach internally — what happened, when you became aware of it, what data was involved, and what steps you took. This demonstrates accountability even if you decide reporting isn't required.
Common Mistakes Small Businesses Make
Relying on consent for everything
Consent is just one of six lawful bases. For many processing activities — like keeping client records or sending invoices — contract or legitimate interests is more appropriate and more robust.
Having a privacy policy but nothing else
A privacy policy is visible to the public, but GDPR also requires internal documentation. Your Record of Processing Activities (ROPA) is for your own records — it's what you'd show the ICO if they came knocking.
Forgetting about data held by third parties
If you use a CRM, email platform, accountancy software or cloud storage, those providers are processing personal data on your behalf. You should have a Data Processing Agreement (DPA) in place with each of them — most reputable providers offer these automatically.
Not knowing what data you hold
You can't protect data you don't know about. A simple data audit — listing what personal data you hold, where it's stored, why you have it and how long you keep it — is the foundation of good GDPR compliance.
Ignoring subject access requests
Anyone whose data you hold can ask to see it. You have one month to respond, and you must do so for free. Missing this deadline can trigger an ICO complaint.
A Practical Starting Point
If you're a small business just getting started with GDPR compliance, here's a sensible order of priority:
- Do a simple data audit — list what personal data you hold and why
- Write or update your privacy policy and publish it on your website
- Identify the lawful basis for each type of processing you carry out
- Check whether you need to register with the ICO (most businesses do)
- Make sure you have DPAs in place with any third-party processors
- Put a process in place for handling subject access requests
- Document how you'd respond to a data breach
Go deeper
Follow the GDPR Compliance pathway or pick up the GDPR Handbook for a comprehensive guide to staying compliant.
Disclaimer: This guide is for general information only and does not constitute legal or financial advice. Always check current HMRC guidance and seek professional advice where appropriate.