The EU GDPR no longer applies in the UK. Instead, UK businesses must comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018). If you trade in the EEA, you may also need to follow EU GDPR rules.
If your business handles personal data—such as names, addresses, emails, phone numbers, or payment details—you must use it fairly and securely.
Even small businesses process personal data, so it is important to understand what it is and how to manage it properly.
1. List the personal data you hold
Create a general list of the types of personal data you collect (e.g. “customer phone numbers”). Exclude personal or household data like family photos.
2. Know why you need it
Only collect data you truly need. Make sure your use is fair, lawful, and expected. Identify a lawful basis and keep a record of it.
3. Keep it secure
Protect data based on its sensitivity. Use strong passwords, secure storage, and other appropriate security measures.
4. Be transparent
You must tell people why you are collecting their data, who you will share it with, and how long you will keep it. A privacy notice is a good way to be transparent—review it regularly.
5. Respect people's rights
Individuals can request access to, correction of, or deletion of their data. Have a process in place to respond to these requests. Here is a step-by-step guide on how to deal with a request for information.
6. Prepare for data breaches
If data is lost, damaged, or shared inappropriately, act quickly. You may need to report it within 72 hours. Have a response plan ready.
This is the step-by-step guide on how to respond to a data breach, written specifically for small and medium organisations, which includes a self-assessment to check whether you need to report the breach: 72 hours - how to respond to a personal data breach | ICO
7. Check if you need to register
Many small businesses must register with the ICO and pay an annual fee. Use the ICO’s self-assessment tool to check.
8. Stay up-to-date
Set reminders to check the Information Commissioner's Office (ICO) website for updates and guidance. Data protection is an ongoing responsibility.
If you’re looking for further support, you can contact the ICO here.
Get the support you need right now
You can connect with us through the contact form, call us or contact your local Business Gateway office.