The Complete Guide to GDPR For Small Businesses

Mariam Abu Hussein, Legal Assessment Specialist @ Lawhive
Updated on 25th October 2023

GDPR. Sounds like a code from a secret society, right? Unfortunately, it’s not so glamorous but it is important for your business, regardless of its size.

What is GDPR and why should you care?

GDPR (General Data Protection Regulation) is a set of rules that everyone who handles personal data in the European Union – and that includes most businesses – must follow. Simply put, GDPR keeps your customers' and employees' personal information safe.


Businesses that don’t comply with GDPR can be, and often are, hit with hefty fines. For example, the Information Commissioner's Office (ICO) recently issued TikTok with a "notice of intent" explaining that it believes the social networking company broke the law between 2018 and 2020, and announced its intention to fine TikTok over £27m.

Does GDPR apply to small businesses in the UK?

Small businesses aren’t exempt from GDPR. No matter how many employees you have, you must still comply with data protection rules, although how you do this may differ depending on the size of your organisation.

While GDPR was drafted and passed by the European Union, it is retained in domestic law as the UK GDPR, so it still applies if you are a UK-based business or organisation.

So, no. GDPR isn't just for giant corporations that process terabytes of data every week; it applies to everyone who collects and stores personal data. Ignoring it can lead to big fines and damage to your reputation. Not to mention that protecting your customers' data is simply the right thing to do.

What is personal data?


Before we dive into the nitty gritty of data protection, let’s consider what we actually mean when we talk about personal data.

In short, personal data is any information that could potentially identify a data subject, such as their name, address, medical information, ID, IP address, work history, etc. This list isn’t exhaustive, and what constitutes personal data can depend on the person.

For example, personal data in a school could consist of names, addresses, allergies, and school reports, while customer data could include their email address, credit card details, phone numbers and IP addresses.

What is a data subject?

A data subject is the person to whom personal data belongs and relates. Data subjects can be customers, employees, patients, students, subscribers, website users, or service users. In short, anyone you hold data on.

Seven Principles of GDPR Made Simple

The seven principles for the lawful processing of personal data are:

  • Data Minimisation

  • Purpose Limitation

  • Accountability

  • Lawfulness, Fairness and Transparency

  • Accuracy

  • Storage limitations

  • Integrity and Confidentiality

Data Minimisation - Less is more

This principle is about using only the data you need and nothing more. In simple terms, don't collect mountains of data just because you can. Stick to what's necessary for your business purposes. For example, if you're running an online store, you'll need your customers' names and addresses for shipping, but you probably don't need their shoe size, job title, or favourite ice cream flavour.

Purpose Limitation - AKA why you're collecting data

When you collect someone's data, be crystal clear about why you're doing it. Are you gathering customer info to process orders? Or maybe it's for sending out newsletters? Whatever the reason, communicate it clearly to your customers, and don't use their data for anything else without their explicit consent.

Accountability - It's your responsibility

As a small business owner, you're responsible for the data you collect. GDPR requires you to put in place and document measures to protect personal data and make sure it's not misused.

GDPR also gives your customers the right to access their data, correct any errors, and even request that you delete it altogether. It's their info, after all. So, if a customer asks about their data, be ready to provide it, fix any mistakes, or say goodbye to it when they ask you to.

Lawfulness, fairness and transparency - The foundations

How you process personal data should be lawful, fair and transparent. For example, if you send out an online newsletter to customers about your products and services you must first get explicit consent from a person that you can process their data for this purpose. You should then only use that data for that specific purpose and nothing more.

You should be open and honest about what data you are collecting, why you are collecting it, and how you intend to use it. The best place to communicate this to website users and customers is through a privacy policy on your website.

Accuracy - The devil is in the detail

If you hold personal data that matters to the person it is about, you should take reasonable steps to ensure it is correct and up to date.

Storage limitations - Nothing lasts forever (and nor should it)

You can’t hold personal data and information indefinitely. When it has served its purpose and you don’t need it anymore, you should securely destroy it.

For example, if a customer unsubscribes from your online newsletter, you should stop sending them emails and delete their data as soon as possible.

Integrity and confidentiality

The personal data you process should only be accessible to those who need it, and it is your responsibility to ensure that it cannot be stolen or manipulated by unauthorised parties. This doesn’t just mean hackers, either. It also extends to your employees.

For example, a list of email addresses used for online newsletters should only be accessible to employees who are responsible for sending those newsletters and not everyone at your organisation.

Data Protection Officer (DPO): Do Small Businesses Need One?


What's a Data Protection Officer (DPO)?

A DPO is the person responsible for making sure your small business follows all the data protection rules. They oversee data protection activities, inform and advise your team, and act as a contact point for data subjects (your customers and employees).

Do Small Businesses Need A DPO?

GDPR says you should have a DPO if:

  • Your small business is a public authority or performs tasks on behalf of a public authority (like handling public services);

  • Your business's main activities involve a lot of data processing, and that processing is likely to result in high risks to the rights and freedoms of individuals.

Most small businesses won't meet these criteria. If you're running a local bakery or a small marketing agency, you likely won't need a DPO. Phew! But...

Should You Appoint a DPO Anyway?

Even if GDPR doesn't require it, you can still choose to appoint a DPO. Having a data protection expert on your side can be a smart move, especially if you're dealing with sensitive data or if you just want to ensure you're doing everything by the book.

A DPO can help you:

  • Understand and navigate GDPR requirements.

  • Develop and implement data protection policies.

  • Train your staff on data protection best practices.

  • Ensure you're handling data breach notifications correctly.

So, while you might not need a DPO by law, it's worth considering if it makes sense for your business and gives you peace of mind.

How do small businesses become GDPR compliant?


So, now you know the principles of GDPR, how can you be sure your small business complies with GDPR?

Review your data

First up, make a list of the types of personal data you currently process. This could be addresses, phone numbers, email addresses, etc. It’s important to consider all areas of your business. Remember: GDPR doesn’t just apply to your customer data; it also applies to the data you hold on employees.

Make sure you have a lawful basis for processing your data

You need to have a valid reason to collect or use personal information. This is called a ‘lawful basis’. There are six lawful bases:

Lawful Basis

Consent

This must be freely given, indicated by a positive action to opt in (like ticking a box), and a person should be able to withdraw their consent easily at any time.

Contract

When you need to collect or use a person’s information to deliver a contractual service to them.

Legal obligation

When you need to collect or use personal information to comply with the law.

Vital interest

When you need to use or share personal information to protect someone’s life.

Public task

When you need to carry out specific tasks in the public interest. This is most relevant to public authorities or organisations.

Legitimate interest

When using personal information is in the legitimate interest of yourself, an individual or a third party.

When you have compiled a list of the different types of personal information your small business processes or uses, you should identify the most appropriate lawful basis for what you’re doing with that information.

Where you rely on consent, you must ensure that it is specific and unambiguous, and you can do this by using consent requests. Consent requests must be prominent and separate from your general terms and conditions. They must include:

  • The name of your organisation and the names of any other controllers who will rely on the consent;

  • Why you want the data;

  • What you will do with the data;

  • That consent can be withdrawn at any time.

When you have identified the lawful basis for collecting data, review how you are obtaining consent and ask yourself if that method of obtaining consent makes it obvious that the individual has consented, and what they have consented to. Examples of active opt-in mechanisms include:

  • An opt-in check box or button;

  • Optional fields in a form;

  • Signing a consent statement.

If you need explicit consent, your opt-in mechanisms must involve an express statement confirming consent. You can’t use pre-ticked boxes, default settings, or opt-out boxes.

You should check carefully that any data entry forms comply with the lawful basis and consent request rules.

Create processes to maintain compliance

When you’re sure that your consent requests are compliant, you should then update your processes to ensure your customers, users and employees can exercise their rights in relation to their data. These rights are:

Individual Rights


Right to be informed

You must tell people why you need the data you're asking for, how long you will keep it for, and who it will be shared with.

Right of access

When requested, you must give individuals the right to access and receive a copy of their personal data, and other supplementary information.

Right to rectification

When requested, you must update or correct data.

Right to erasure

Individuals have the right to request you erase their personal data. It is sometimes referred to as 'the right to be forgotten.' This right is not absolute and only applies in certain circumstances.

Right to restrict processing

Individuals can limit the way your organisation uses their data. When processing is restricted, you can store the data but you cannot use it.

Right to data portability

Individuals have the right to move, copy or transfer personal data from one IT environment to another in a safe and secure way.

Right to object

Individuals can object to the processing of their data in certain circumstances. For example, they have an absolute right to stop their data being used for direct marketing.

Rights related to automated decision making including profiling

If your business uses automation to make decisions, you are required to give individuals specific information about the processing and to give them the right to challenge the decision and request a review of it.

For example, should a customer request to know what personal data you hold about them, they can make a subject access request (SAR) either verbally or in writing. It is your responsibility to comply with a SAR without undue delay, making reasonable efforts to find and retrieve the requested information.

Establishing processes to help you do this in the first instance will ensure you maintain compliance and respond to the rights of users, customers and/or employees quickly.

Update your privacy policy

Your privacy policy is your promise to your customers about how you handle their data. Make sure it's clear, concise, and up to date. Describe what data you collect, why you collect it, where you store it, who you share it with, and how long you keep it. Don't forget to include contact information for data enquiries, as customers can request to see their data and ask for it to be deleted.

Implement security measures

Invest in security measures like encryption, secure passwords, and regular software updates. Keep data access limited to those who need it for legitimate reasons.

Train your team

Your employees are the guardians of your customers' data. Make sure they understand GDPR and how it applies to their roles. Provide training on data protection best practices, and encourage a culture of privacy within your business.


If you're ever unsure about GDPR compliance, don't hesitate to get legal help and advice. Consulting with a qualified small business solicitor who specialises in data protection can provide you with peace of mind and ensure you're on the right track.

At Lawhive, our expert solicitors are on hand to help you understand and navigate data protection processes and complexities, while helping you remain compliant. To get started, simply tell us about your case and we will give you a fixed-fee quote for fast, affordable support from an expert in commercial law.
