The UK General Data Protection Regulation (UK GDPR): 8 Key Points for SMEs

The EU GDPR no longer applies in the UK. Instead, UK businesses must comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018). Here are 8 key points for getting started with data protection.


The EU GDPR no longer applies in the UK. Instead, UK businesses must comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018). If you trade in the EEA, you may also need to follow EU GDPR rules.

If your business handles personal data—such as names, addresses, emails, phone numbers, or payment details—you must use it fairly and securely.

Even small businesses process personal data, so it is important to understand what it is and how to manage it properly.

1. List the personal data you hold

Create a general list of the types of personal data you collect (e.g. “customer phone numbers”). Exclude personal or household data like family photos.

2. Know why you need it

Only collect data you truly need. Make sure your use is fair, lawful, and expected. Identify a lawful basis and keep a record of it.

3. Keep it secure

Protect data based on its sensitivity. Use strong passwords, secure storage, and other appropriate security measures.

4. Be transparent

You must tell people why you are collecting their data, who you will share it with, and how long you will keep it. A privacy notice is a good way to be transparent—review it regularly.

5. Respect people's rights

Individuals can request access to, correction of, or deletion of their data. Have a process in place to respond to these requests. Here is a step-by-step guide on how to deal with a request for information.

6. Prepare for data breaches

If data is lost, damaged, or shared inappropriately, act quickly. You may need to report it within 72 hours. Have a response plan ready.

The ICO publishes a step-by-step guide on how to respond to a data breach, written specifically for small and medium organisations, which includes a self-assessment to check whether you need to report the breach: 72 hours - how to respond to a personal data breach | ICO

7. Check if you need to register

Many small businesses must register with the ICO and pay an annual fee. Use the ICO’s self-assessment tool to check.

8. Stay up-to-date

Set reminders to check the Information Commissioner's Office (ICO) website for updates and guidance. Data protection is an ongoing responsibility.

If you’re looking for further support, you can contact the ICO here.
