
Your Guide to GDPR Compliance for UK Businesses

  • Writer: Your Legal Team
  • Sep 22
  • 4 min read

Updated: Oct 7

If you run a business that collects or uses any personal data — names, emails, phone numbers, payment info, customer preferences — then UK GDPR applies to you.


Whether you’re a solo founder or a growing SME, data protection laws aren’t optional. But that doesn’t mean they have to be overwhelming.


In this blog, we’ll walk you through what GDPR compliance means, what your business needs to have in place, and how Your Legal Team can help you get sorted — without the jargon.


What is GDPR, and Who Does it Apply To?


The General Data Protection Regulation (GDPR) is a set of rules about how personal data must be handled. In the UK, it is implemented as the UK GDPR, alongside the Data Protection Act 2018.


It applies to any organisation that processes personal data — which means almost all businesses, charities, and sole traders.


You’re processing data if you:


  • Take customer details online, over the phone, or in person

  • Send marketing emails or texts

  • Use cookies on your website

  • Collect employee or job applicant information

  • Run surveys, loyalty schemes, or account-based services


⚠️ It applies even if you only have one employee or collect minimal data.


The Core Principles of GDPR


There are 7 key principles that guide how you must handle data:


  1. Lawfulness, fairness, and transparency

  2. Purpose limitation - you must only collect data for specific, legitimate purposes

  3. Data minimisation - only collect what you need

  4. Accuracy

  5. Storage limitation - don’t keep it longer than needed

  6. Integrity and confidentiality - keep it secure

  7. Accountability - you must show how you comply


Understanding these is the first step to building a GDPR-compliant business.


What Your SME Needs to Have in Place


Here’s a breakdown of the key steps to ensure compliance:


1. A Lawful Basis for Processing Data


You must identify and record the legal reason for collecting each type of data. The most common bases for SMEs are:


  • Consent – freely given, specific, and informed, for example, for email marketing

  • Contract – needed to perform a service or fulfil a transaction

  • Legal obligation – such as keeping payroll records for HMRC

  • Legitimate interest – if the processing is necessary and balanced, such as for customer service follow-up


📌 You must document your legal basis and explain it clearly in your privacy notice.


2. A GDPR-Compliant Privacy Notice


You must provide individuals with clear, accessible information about:


  • What data you collect

  • Why you collect it

  • How it’s used

  • Who it’s shared with (including third-party processors)

  • How long it’s kept

  • Their legal rights (e.g., access, correction, deletion)


Most SMEs provide this as a Privacy Policy on their website, plus in onboarding documents and contracts.


3. Valid Consent, Where Needed


If you rely on consent, especially for marketing, it must be:


  • Freely given

  • Specific

  • Informed, and

  • Easy to withdraw


⚠️ You must also record when and how consent was given.


4. Website Compliance: Cookies and Tracking


If your website uses cookies — including those from Google Analytics, Facebook Pixel, or any ad platform — you must:


  • Inform users clearly

  • Get prior consent for non-essential cookies

  • Provide a cookie policy

  • Allow users to change or withdraw their preferences


A simple cookie banner isn’t enough — it must give users a real choice.
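The gate described in sections 3 and 4, as an added example that is not code from the original post: non-essential scripts load only after a recorded opt-in, rejecting takes the same single action as accepting, consent can be withdrawn, and each record stores when and how it was given. The storage key, policy version and category names are assumptions, and storage and loaders are injected so the logic runs without a browser.

```javascript
// Added example (not the post's own code): a consent gate for non-essential
// cookies. storage (get/set/remove) and loaders are injected so it runs without
// a browser; on a real site storage would wrap document.cookie or localStorage
// and each loader would inject that vendor's script tag.
const CONSENT_KEY = "cookie_consent";          // assumed storage key
const POLICY_VERSION = 2;                      // bump whenever the cookie policy changes
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories only
function createConsentManager(storage, loaders, now = () => new Date()) {
  function readRecord() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // Consent given under an older policy version does not carry over.
      return rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }
  // Store what was chosen plus when and how: the evidence trail GDPR asks for.
  function save(choices, method) {
    const clean = {};
    for (const c of CATEGORIES) clean[c] = choices[c] === true;
    const rec = { version: POLICY_VERSION, choices: clean, method, at: now().toISOString() };
    storage.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
  return {
    save,
    // Rejecting is one call, the same effort as accepting: a real choice.
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all"),
    rejectAll: () => save({}, "reject_all"),
    withdraw: () => storage.remove(CONSENT_KEY),
    needsBanner: () => readRecord() === null,
    // Run a loader only for categories with valid consent on record.
    apply() {
      const rec = readRecord();
      const loaded = [];
      for (const c of CATEGORIES) {
        if (rec && rec.choices[c] && typeof loaders[c] === "function") {
          loaders[c]();
          loaded.push(c);
        }
      }
      return loaded;
    },
  };
}
```

Call apply() on every page load: with no record, or a record from an older policy version, nothing non-essential runs.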


5. Data Processing Contracts


If you use third parties to handle personal data — for example:


  • Cloud storage like Google Drive or Dropbox

  • Email platforms such as Mailchimp or ConvertKit

  • CRM systems

  • Payment processors such as Stripe and PayPal


…then you must have a data processing agreement (DPA) in place with each one. The good news is that they will usually provide these as standard, but it’s a good idea to check.


These contracts must contain specific GDPR clauses, covering data security, breach notification, and sub-processors.


6. Security Measures


You’re legally required to keep personal data secure. This means:


  • Password protection and encryption where needed

  • Access controls, so that only authorised staff can access data

  • Regular backups

  • Secure file sharing

  • Keeping software up to date

  • Staff training


If you’re hacked or suffer a breach, you must report it to the ICO (Information Commissioner’s Office) and the affected individuals — so prevention is key.


7. Responding to Data Rights Requests


Individuals have rights under GDPR, including to:


  • Access their data

  • Correct inaccurate data

  • Request deletion - the “right to be forgotten”

  • Object to you processing their data

  • Restrict or transfer their data


You need a process to handle these requests within one month.


8. A Data Retention Policy


You can’t keep personal data forever. You need a clear policy on:


  • How long each type of data is kept

  • When and how it’s deleted or anonymised

  • Who is responsible for monitoring this


This applies to customer records, employee files, marketing lists — everything.


9. A Record of Processing Activities (ROPA)


If your processing is high-risk or large-scale, you need to document:


  • What data you process

  • The legal basis

  • Who you share it with

  • Security measures in place


Many SMEs don’t need a full ROPA, but it’s still good practice to keep internal records.


Do You Need to Register with the ICO?


Yes — almost all UK organisations that process personal data must register with the ICO and pay a data protection fee, unless an exemption applies.


Fees start at £40 per year, depending on your size and turnover.


You can check if you need to register here:


What Happens If You Don’t Comply?


The ICO has the power to:


  • Investigate your business

  • Issue warnings or enforcement notices

  • Fine you (up to £17.5 million or 4% of turnover in serious cases)

  • Require you to stop using or delete data


But even more damaging can be the loss of customer trust — especially if there’s a breach or complaint.


How We Can Help


At Your Legal Team, we help SMEs stay compliant with confidence. We offer:


  • Custom GDPR policies and privacy notices

  • Cookie compliance checks

  • Data processing contracts and reviews

  • Staff training and security advice

  • Ongoing legal support


Whether you need a quick audit or full GDPR setup, we’ll make it clear, practical, and affordable.


Want to check your compliance?


Let’s have a quick chat about where you’re at — and how we can help.


