GDPR Compliance Checklist for UK Small Businesses

Liquid ICT Team March 14, 2026

I'll be honest, GDPR isn't exactly the most thrilling topic. But it's one of those things that can properly bite you if you ignore it. The UK GDPR applies to every business that handles personal data, and unless you're running a cash-only market stall with no customer records, that means you.

Here's the thing though: the ICO isn't out to get small businesses who are trying to do the right thing. The massive fines (up to £17.5 million or 4% of turnover) are aimed at companies showing blatant disregard. But "we didn't know" isn't a defence, so let's get you sorted.

The Basics: Have You Got These Covered?

1. Privacy Policy

You need one on your website. It's got to explain what data you collect, why you're collecting it, how long you keep it, who sees it, and how people can ask you to delete or correct their information. I'd say about half the small business websites I look at either don't have one or have a template from 2018 that's completely out of date. Review yours annually, and actually update it when your practices change.

2. Records of Processing Activities (ROPA)

This is the one that catches people out. Article 30 says you need a record of everything you do with personal data. Sounds scary, but frankly it's just a spreadsheet listing each type of data you handle, why you have it, your legal basis, how long you keep it, and who else gets access. Most small businesses don't have this at all. It's literally the first thing the ICO asks for if they come knocking.

3. Data Processing Agreements (DPAs)

Using Mailchimp? Xero? A cloud CRM? Any service that touches your customer data on your behalf needs a Data Processing Agreement. The good news is most big providers like Microsoft, Google, Mailchimp, and Xero already have standard DPAs buried in their terms. Go find them, download them, and keep copies. It takes an afternoon, not a week.

4. Lawful Basis for Processing

For every type of personal data you handle, you need a legal reason. The three most common for small businesses:

  • Consent: They've actively opted in (like ticking a newsletter signup box, not a pre-ticked one, mind).
  • Contract: You need the data to deliver something they've bought or signed up for.
  • Legitimate interest: You've got a genuine business reason and it doesn't trample on their rights. This one's useful but don't treat it as a catch-all.

Security: Are You Actually Protecting This Data?

5. Access Controls

Not everyone in your business needs access to everything. Your Saturday temp doesn't need to see HR records. Use role-based access, and (this is the bit people forget) remove access the moment someone leaves or changes role. We've seen ex-employees still logged into systems months after leaving. That's a breach waiting to happen.
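As an added example (not the post's own material or a Liquid ICT tool), here is a small Python check that does the two things this section asks for: it compares a system account export against the HR roster to catch leavers who are still active, and it compares each person's systems against a role entitlement matrix to catch access they shouldn't have. The roster, account export, role names, systems and dates are all constructed for the example.

```python
"""Leaver and role-based access check (added example, not Liquid ICT's code).

Compares a constructed export of system accounts against a constructed HR
roster and reports the things the text warns about: accounts still active
for people who have left, accounts with no HR record behind them, and
accounts holding systems their current role is not entitled to.
"""
from datetime import date

# Constructed HR roster: role and leaving date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "owner", "left": None},
    "bob": {"role": "sales", "left": None},
    "carol": {"role": "saturday-temp", "left": None},
    "dave": {"role": "sales", "left": date(2026, 1, 31)},  # left two months ago
}

# Constructed account export: the systems each login is currently active on.
ACCOUNT_EXPORT = {
    "alice": {"email", "crm", "accounting", "hr"},
    "bob": {"email", "crm", "accounting"},  # accounting is not a sales entitlement
    "carol": {"email", "hr"},               # Saturday temp with HR records access
    "dave": {"email", "crm"},               # ex-employee still enabled
    "svc-backup": {"storage"},              # no HR record at all: who owns this?
}

# Hypothetical role-based entitlement matrix: the systems each role may hold.
ROLE_ENTITLEMENTS = {
    "owner": {"email", "crm", "accounting", "hr", "storage"},
    "sales": {"email", "crm"},
    "saturday-temp": {"email"},
}

REVIEW_DATE = date(2026, 3, 31)  # constructed date the review is run on


def review_access(roster, accounts, entitlements, today):
    """Return a sorted list of (login, finding) tuples for someone to act on."""
    findings = []
    for login, systems in sorted(accounts.items()):
        person = roster.get(login)
        if person is None:
            findings.append((login, "no HR record: confirm an owner or disable it"))
            continue
        if person["left"] is not None and person["left"] <= today:
            days = (today - person["left"]).days
            findings.append((login, f"left {days} days ago but still active on: "
                                    f"{', '.join(sorted(systems))}"))
            continue
        extra = systems - entitlements.get(person["role"], set())
        if extra:
            findings.append((login, f"role '{person['role']}' not entitled to: "
                                    f"{', '.join(sorted(extra))}"))
    return findings


if __name__ == "__main__":
    for login, finding in review_access(HR_ROSTER, ACCOUNT_EXPORT, ROLE_ENTITLEMENTS, REVIEW_DATE):
        print(f"{login:12} {finding}")
```

Run it monthly with a fresh account export from each system and a fresh leavers list from whoever handles HR, and treat every line it prints as a ticket. The point of keeping the entitlement matrix in a file is that "who is allowed what" becomes something you can show the ICO, not something that lives in one person's head.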

6. Encryption

Your website should be HTTPS (if it's not in 2026, we need to talk). Emails should use TLS. Laptops and cloud storage should be encrypted. Here's why this matters practically: if an encrypted laptop gets nicked from a van, you probably don't need to report it as a breach. If an unencrypted one does, you absolutely do.

7. Multi-Factor Authentication

Turn on MFA for everything that holds personal data. Email, CRM, accounting software, cloud storage, the lot. It's free, it takes five minutes per account, and it stops the vast majority of unauthorised access. I genuinely don't understand why anyone skips this.

8. Backup and Recovery

You need to be able to get personal data back if something goes wrong. But here's the bit that matters: test your backups. Regularly. We've walked into businesses that thought they had backups running for years. Turns out they'd been failing silently for months. An untested backup isn't a backup.
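Here is what "test your backups" looks like in practice, as an added Python example (not the post's own material or a Liquid ICT tool). It builds a small constructed folder of records, backs it up to a tar archive with a SHA-256 manifest, then proves the backup is usable by restoring it into a scratch directory and checking every file against the manifest. It also catches the silent-failure case the text describes: an archive older than the allowed age. The file names, the manifest format and the 24-hour age limit are assumptions.

```python
"""Backup restore test (added example, not Liquid ICT's code).

An untested backup isn't a backup: this restores the archive somewhere
fresh and checks the files, rather than trusting that the job "ran".
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60  # assumption: a day-old archive means the job is failing silently


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, archive, manifest):
    """Archive every file under 'source' and write a manifest of sha256 and relative path."""
    with tarfile.open(archive, "w:gz") as tar, open(manifest, "w") as m:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            tar.add(file, arcname=rel)
            m.write(f"{sha256_of(file)}  {rel}\n")


def verify_backup(archive, manifest, now=None):
    """Restore into a scratch directory and compare with the manifest.

    Returns (ok, problems) so the caller can alert on problems instead of assuming.
    """
    problems = []
    now = time.time() if now is None else now
    age = now - os.path.getmtime(archive)
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"archive is {age / 3600:.1f} hours old")
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            members = tar.getmembers()
            for member in members:  # refuse entries that would write outside the scratch dir
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch, members)
        for line in Path(manifest).read_text().splitlines():
            digest, rel = line.split("  ", 1)
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"{rel}: missing from restore")
            elif sha256_of(restored) != digest:
                problems.append(f"{rel}: checksum mismatch after restore")
    return (not problems, problems)


def demo():
    """Run the whole cycle on constructed data; returns (fresh_result, stale_result)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "customer-records"
        (source / "notes").mkdir(parents=True)
        (source / "customers.csv").write_text("id,email\n1,alice@example.com\n")
        (source / "notes" / "2026-03.txt").write_text("constructed meeting notes\n")
        archive, manifest = work / "backup.tar.gz", work / "backup.sha256"
        make_backup(source, archive, manifest)
        fresh = verify_backup(archive, manifest)
        # The same archive judged as if three days had passed: the age check fires.
        stale = verify_backup(archive, manifest, now=time.time() + 3 * 86400)
        return fresh, stale


if __name__ == "__main__":
    for label, (ok, problems) in zip(("fresh", "stale"), demo()):
        print(label, "OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

The design point is that the check restores to somewhere new and compares checksums, so it fails loudly when a backup job has been quietly producing nothing or the archive has been sitting untouched for days. Point `verify_backup` at your real archive and manifest from a scheduled task and make sure its failures reach a person.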

Individual Rights: Could You Actually Respond?

9. Subject Access Requests (SARs)

Anyone can ask for a copy of all the personal data you hold on them. You've got one calendar month to respond. So ask yourself honestly: do you know where all your customer data actually lives? Email inboxes, spreadsheets, old databases, someone's phone contacts? If you can't pull it all together in a month, map your data stores now, before someone asks.

10. Right to Erasure

People can ask you to delete their data (with a few exceptions). Can you actually do that across all your systems? That means CRM, email archives, backup tapes, third-party tools. Everywhere. Most businesses we speak to haven't thought this through at all.
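The hard part of both a subject access request and an erasure request is knowing every place a person's data lives, so here is an added Python example (not the post's own material or a Liquid ICT tool) that serves sections 9 and 10 together. It keeps an inventory of small constructed data stores (a CRM JSON export, an accounting CSV, a mailbox text dump), pulls every record matching one subject into a SAR bundle, and then produces an erasure plan that honours a retention exception for accounting records. The store formats, field names and the six-year accounting retention period are assumptions for the example.

```python
"""Subject data locator for SARs and erasure requests (added example, not Liquid ICT's code).

One function per data store knows how to find a subject in that store; the
inventory of those functions is the data map the text tells you to build.
"""
import csv
import io
import json
from datetime import date

# Constructed stores. Real ones would be exports pulled from each system.
CRM_JSON = json.dumps([
    {"id": 101, "name": "Alice Example", "email": "alice@example.com", "notes": "prefers phone"},
    {"id": 102, "name": "Bob Sample", "email": "bob@example.com", "notes": ""},
])
ACCOUNTING_CSV = (
    "invoice,customer_email,amount,issued\n"
    "INV-7,alice@example.com,120.00,2019-05-01\n"
    "INV-9,alice@example.com,80.00,2025-11-20\n"
)
MAILBOX_TXT = (
    "From: alice@example.com\nSubject: Booking\n\nHi, can I change my booking?\n"
    "---\n"
    "From: bob@example.com\nSubject: Invoice\n\nThanks.\n"
)

ACCOUNTING_RETENTION_YEARS = 6  # assumption: kept for tax records, so not erasable on request
TODAY = date(2026, 3, 14)       # constructed date the request is handled on


def search_crm(subject):
    return [r for r in json.loads(CRM_JSON) if r["email"].lower() == subject]


def search_accounting(subject):
    return [r for r in csv.DictReader(io.StringIO(ACCOUNTING_CSV))
            if r["customer_email"].lower() == subject]


def search_mailbox(subject):
    return [m.strip() for m in MAILBOX_TXT.split("---") if f"from: {subject}" in m.lower()]


# The data map: every store that can hold personal data, and how to search it.
STORES = {"crm": search_crm, "accounting": search_accounting, "mailbox": search_mailbox}


def sar_bundle(subject):
    """Everything held on the subject, keyed by store: the body of a SAR response."""
    subject = subject.lower()
    return {name: hits for name, fn in STORES.items() if (hits := fn(subject))}


def erasure_plan(subject, today):
    """Split the subject's records into (delete, retain) lists of (store, record).

    Accounting records still inside their retention period are retained and
    should be named in the reply to the individual as the reason they stay.
    """
    delete, retain = [], []
    for store, hits in sar_bundle(subject).items():
        for rec in hits:
            if store == "accounting":
                issued = date.fromisoformat(rec["issued"])
                expires = issued.replace(year=issued.year + ACCOUNTING_RETENTION_YEARS)
                (retain if expires > today else delete).append((store, rec))
            else:
                delete.append((store, rec))
    return delete, retain


if __name__ == "__main__":
    print(json.dumps(sar_bundle("alice@example.com"), indent=2))
    to_delete, to_retain = erasure_plan("alice@example.com", TODAY)
    print("delete:", [(s, r if isinstance(r, str) else r.get("id", r.get("invoice"))) for s, r in to_delete])
    print("retain:", [(s, r["invoice"]) for s, r in to_retain])
```

Each real system you use gets its own search function, and the list of functions is your written answer to "where does customer data live". Running `sar_bundle` for a made-up address before anyone asks is a cheap rehearsal of the one-month deadline.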

11. Breach Notification

If something goes wrong and there's a risk to individuals, you've got 72 hours to tell the ICO. That's three days. Do you have a plan? Does your team know what counts as a breach? Do they know who to call? Sort this out now, because the middle of an incident is the worst possible time to figure it out.

The Gaps We See All the Time

  • No cookie consent banner: If your website runs analytics or marketing pixels, you need proper cookie consent. Loads of sites still don't have this.
  • Pre-ticked consent boxes: These aren't valid. Consent has to be an active opt-in. Rip those pre-ticked boxes out.
  • Keeping data forever "just in case": That's not compliant. Set retention periods and actually delete stuff when it expires.
  • Staff using personal email for work: If your team's sending customer data through their personal Gmail, that's a compliance nightmare. Get them onto managed business email.
  • Zero staff training: Most breaches start with human error. Even 30 minutes of training every quarter makes a massive difference.

Need a Hand Getting This Right?

We help businesses sort out the technical side of GDPR, from cybersecurity and access controls to secure cloud migration and managed IT with data protection baked in. We're not lawyers (and we won't pretend to be), but we work alongside your legal advisors to make sure the tech side is properly covered.

Drop us a line for a free compliance review of your IT systems. No jargon, no scare tactics. Just a clear picture of where you stand.