UK GDPR for small businesses: a practical 2026 guide

By Bernie Smith, Founder of FasScale · Published 21 April 2026 · Reviewed 21 April 2026 · 11 min read

GDPR sounds like a problem for big tech firms, not someone with three clients and a Mailchimp list. The truth is more nuanced: most of the rules apply to anyone holding personal data, but the practical bar for a small UK business is much lower than the panic-merchants suggest. This guide separates what you must legally do from what’s good practice, with the actual steps a sole trader or small Ltd needs to take in 2026.

What UK GDPR actually requires

UK GDPR (the post-Brexit British version of the same regulation that applies in the EU) gives individuals rights over their personal data and requires every business that processes it to do so lawfully, fairly and transparently. “Personal data” means any information that identifies a living individual: a name plus an email address is enough. “Processing” means anything you do with it – collecting, storing, sending, deleting.

The five practical obligations for a typical small business are: pick a lawful basis for every type of processing you do; tell people what you’re doing through a clear privacy policy; respect their rights (access, correction, deletion, portability) when they exercise them; keep the data reasonably secure; and report serious data breaches to the ICO within 72 hours of becoming aware.

Do you need to register with the ICO?

Most businesses processing personal data must register with the Information Commissioner’s Office and pay an annual data protection fee. There are three tiers, set by reference to size and turnover: a micro-organisation tier (around £40/year), a small/medium tier (around £60), and a large tier (around £2,900). The exact figures change periodically – verify them at ico.org.uk before paying.

There are some exceptions: purely manual processing, certain not-for-profit work, and payroll-only processing are exempt. The ICO’s online self-assessment tool walks you through whether you’re in scope in about three minutes. Failure to pay when you’re required to is itself a fineable offence – up to about £4,350.

The six lawful bases (in plain English)

Every processing activity needs to map to one of six lawful bases. Consent – freely given, specific, opt-in. Common for marketing newsletters. Contract – necessary to deliver what you’ve agreed to. Common for active client work. Legal obligation – required by law, e.g. retaining tax records. Vital interests – life-or-death; rarely applies in commerce. Public task – government and regulators. Legitimate interests – when your processing is reasonable and proportionate; common for B2B prospecting and fraud prevention, provided you’ve done a balancing test and made it easy for people to object.

For a typical UK small business: contract for active clients, legitimate interests for B2B marketing to corporate emails, and consent for newsletter signups and consumer marketing. Pick once, document it, move on.

What you actually need to publish

Four things should appear on your website (or in your client paperwork). A privacy policy setting out who you are, what data you collect, why, on what lawful basis, who you share it with, how long you keep it, and what rights people have. A cookie banner if your site uses non-essential cookies (analytics, embedded video, social pixels). Consent text next to every form where you collect personal data, explaining what you’ll do with it. And, internally, a record of processing activities – a simple spreadsheet listing each processing purpose, the lawful basis, the data categories, and retention.

Practical steps for a one-person business

A reasonable first-pass programme for a sole trader or single-director Ltd takes a single afternoon. Map your data. List every place personal data lands: contact form, accounting software, email marketing tool, CRM, accountant’s portal. Pick a lawful basis for each. Write a privacy policy – use a template and customise. Add a cookie banner if your site uses analytics or embeds. Update consent text on signup and contact forms. Build a one-page record of processing. Pay the ICO fee.

After that, the recurring effort is light. Review the privacy policy annually. Renew the ICO fee. Log any breaches as they happen. Respond to subject access requests within a calendar month. That’s the rhythm.

Marketing rules (PECR + GDPR)

Marketing has its own layer on top of GDPR called PECR – the Privacy and Electronic Communications Regulations. The headline distinctions: B2C email marketing needs explicit consent (opt-in). B2B email marketing to corporate emails can rely on legitimate interests, but the message must include an obvious opt-out and be relevant to the recipient’s professional role. Email to sole traders or partnerships is treated as B2C – consent required. Postal marketing can run on opt-out but you must respect the Mailing Preference Service. Phone calls require checking the Telephone Preference Service before cold calling.

Data breaches: what counts and what to do

A breach is any unauthorised access, accidental loss, or destruction of personal data. A lost laptop with client data is a breach. An email sent to the wrong recipient with personal data attached is a breach. A cyber-attack is a breach. Not every breach is reportable: you only notify the ICO within 72 hours of becoming aware if it’s likely to result in a risk to individuals’ rights and freedoms. You only notify the affected individuals if the risk is “high”.

Either way, log every incident internally – what happened, what data was affected, what you did, and why you concluded it was or wasn’t reportable. The log is your evidence if the ICO ever investigates. The ICO’s response to most small-business breaches is educational rather than punitive on a first occurrence; the absence of a log is the single biggest aggravating factor.

Common GDPR myths

“I have to delete all my data after three years.” Not necessarily; the rule is “only as long as needed for the purpose”. Tax records have their own statutory retention period.

“Every cookie needs consent.” Only non-essential ones. Strictly necessary cookies (login state, basket) don’t need consent.

“I can’t email past clients.” You usually can, if the original sale was opted-in or you can rely on legitimate interest with a clear opt-out.

“GDPR is just an EU thing.” UK GDPR is a separate but parallel UK law since Brexit. Same rules in practice.

When to get professional help

Most small UK businesses can handle GDPR themselves with a template and an afternoon. Get specialist help when you handle special category data (health, biometric, religious, political), when you process data on behalf of others as a processor (rather than for yourself as a controller), when you employ over 250 people (formal records become mandatory), when you handle children’s data, or when a breach has occurred and you’re unsure whether it’s reportable. These are the situations where the rules become genuinely complex and professional fees pay back quickly.

Frequently asked questions

The questions UK small businesses ask most often about GDPR.

Do I need to pay the ICO fee if I'm just a sole trader with a website and a few clients?

Almost certainly yes, if you process any personal data electronically (which includes a contact form on your website). The micro-organisation tier fee is around £40/year. Use the ICO's self-assessment tool at ico.org.uk to confirm. Failure to pay can result in a fine of up to £4,350.

Do I need a Data Protection Officer (DPO)?

Almost no small businesses do. A DPO is mandatory only if you're a public authority, your core activities involve large-scale systematic monitoring of individuals, or your core activities involve large-scale processing of special category data. A typical UK small business with a website, mailing list, and customer database does not need a DPO.

What's the difference between a controller and a processor?

A controller decides why and how personal data is processed (you, the business owner). A processor acts on the controller's instructions (your email service, your accountant, your website host). Most small businesses are controllers for the data they collect. You need a written contract with each processor (a 'data processing agreement' or DPA).

How do I handle a Subject Access Request (SAR)?

When someone asks for a copy of their data, you have one calendar month to respond (extendable in complex cases). Provide the data in a 'commonly used electronic format' (PDF, Excel) and don't charge a fee. Verify the requester's identity before sending. Keep a log of every SAR you receive.

Can I send a marketing email to someone whose business card I picked up at a networking event?

If their email is a personal email or sole-trader-style email (john@plumbing.co.uk), not without consent. If it's a corporate email (info@bigcompany.com), legitimate interest can apply for B2B prospecting, but you must include an opt-out and the message must be relevant to their professional role.

Do I need a cookie banner if my website only uses Google Analytics?

Yes. Google Analytics sets non-essential cookies. You need a banner that lets users accept, reject, or manage. Pure essential cookies (login state, shopping cart) don't need explicit consent, but most small business sites use at least some non-essential cookies (analytics, embedded YouTube, social pixels).

How long should I keep client data?

Only as long as you need it for the purpose. For ongoing clients, that's the duration of the relationship plus a reasonable period after. For tax records, HMRC requires 6 years (Ltd) or 5 years (sole trader). Define a retention policy per data type and review annually. Holding data 'just in case' indefinitely isn't compliant.

What happens if I'm audited by the ICO?

The ICO rarely audits small businesses unless there's been a complaint or breach. If they do investigate, they'll ask for documentation: your privacy policy, records of processing, lawful basis for each activity, and evidence of any breaches and how you handled them. Most enforcement is educational, not punitive, for first-time small-business issues. Repeat or serious failures can result in fines.

Bernie Smith

Bernie Smith is the Founder of FasScale and owner of Made to Measure KPIs. He has spent two decades helping companies measure and improve their performance, from FTSE 100 operational improvement work in the US, Finland and the UK to performance consulting across every UK retail bank. He is the author of 21 books on performance measurement and has worked with HSBC, UBS, Lloyd’s Register, Credit Suisse, Sainsbury’s Bank, Scottish Widows, Tesco Bank and Yorkshire Building Society, among others. Bernie lives in Sheffield.

This guide is for general information and is not legal, tax, or financial advice. Figures were verified against gov.uk on 2026-05-02 – always check current figures and consult a qualified professional before acting.