Data protection for small businesses

GDPR Handbook

2 hours · 5 chapters · 2 free

GDPR compliance doesn't have to be complicated. For most small businesses, the core requirements are manageable — if you know what they actually are. This handbook explains what UK GDPR requires, what documents you need, and how to stay compliant without a legal team.

Please note: This handbook is for general information only. It is not legal or financial advice. Always check current regulations and seek professional guidance where needed.

UK GDPR (General Data Protection Regulation) is the law that governs how organisations handle personal data — any information that can identify a living person. It applies to every business that processes personal data, regardless of size.

The six core principles of UK GDPR are: lawfulness, fairness and transparency; purpose limitation (only use data for the purpose it was collected); data minimisation (only collect what you need); accuracy; storage limitation (don't keep data longer than necessary); and integrity and confidentiality (keep data secure).

You must have a lawful basis for every type of personal data processing you carry out. There are six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You need to identify and document the basis for each processing activity.

Data subjects (the people whose data you hold) have rights under UK GDPR: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object.

The Information Commissioner's Office (ICO) is the UK's data protection regulator. It enforces UK GDPR, provides guidance, and can impose fines for serious breaches. Most small businesses that handle personal data must also pay an annual data protection fee to the ICO.

Good to know

  • Start with a data audit — list what personal data you hold, why you have it, and where it's stored
  • Identify the lawful basis for each type of processing before doing anything else
  • Use the ICO's free guidance — it's comprehensive and written for non-lawyers
  • GDPR compliance is an ongoing process, not a one-off exercise

Watch out for

  • Assuming GDPR doesn't apply to small businesses — it does
  • Relying on consent for everything — it's just one of six lawful bases
  • Treating GDPR as a box-ticking exercise rather than a genuine commitment to data protection
  • Not responding to subject access requests within the one-month deadline
