
GDPR for small business: a plain-English guide to getting it right

Helen Carmichael · Data Protection Adviser · 10 min read

GDPR has a fearsome reputation, and for a small business that can be paralysing - it sounds like a project that needs a lawyer and a six-figure budget. The reality is far more manageable. UK GDPR is mostly common sense written down: know what personal data you hold, protect it sensibly, be honest about how you use it, and respect people's rights over it. This guide turns the law into the handful of practical things a small UK business actually needs to do.

UK GDPR small-business essentials (control map)

  • ICO-1 (CORE): Registered with the ICO (or exempt) and fee paid
  • MAP-1 (CORE): Personal data mapped - what, where and why
  • LAW-1 (CORE): A lawful basis for each type of data held
  • PRV-1 (CORE): Plain privacy notice published
  • SEC-1 (CORE): Security basics: MFA, encryption, access limits
  • RTS-1 (PLUS): Process to handle access and erasure requests
  • BRC-1 (PLUS): 72-hour breach reporting plan agreed

What GDPR is, in one breath

Since Brexit, the UK runs its own version, usually called UK GDPR, sitting alongside the Data Protection Act 2018 and overseen by the Information Commissioner's Office (the ICO). The principle behind all of it is simple: if you hold information about living people, you have a duty to look after it.

Personal data is broader than most owners assume. It is not just obviously sensitive records - it is any information that can identify a living person: names, emails, phone numbers, a customer list, even an IP address or a CCTV image. If you have customers, staff or a mailing list, GDPR applies to you, full stop, however small you are.

The myth that it is only for big companies

The single most damaging GDPR myth is that it is a problem for large corporations and that small firms fly under the radar. The law makes no such exemption, and the ICO has acted against very small organisations.

What is true is that the response should be proportionate. A ten-person firm is not expected to do what a bank does. You are expected to take steps appropriate to your size and the data you hold - which, for most small businesses, is a realistic and affordable list rather than a daunting one. The risk of ignoring it is not just fines; it is the reputational damage and lost trust when customers learn you were careless with their details, often after a data breach.

The practical things you must do

Cutting through the legal language, here is the core of what a small UK business needs in place. None of it requires a lawyer to start.

  • Know your data: a simple list of what personal data you hold, where it lives, and why - you cannot protect what you have not mapped.
  • Have a lawful reason: be clear why you hold each type of data (a contract, consent, a legal duty), and do not keep it 'just in case'.
  • Be transparent: a plain privacy notice telling people what you collect and how you use it.
  • Secure it: sensible protection - strong logins, encryption, restricted access - proportionate to how sensitive the data is.
  • Respect rights: have a way to handle requests from people to see, correct or delete their data.
  • Plan for breaches: know that serious personal-data breaches must be reported to the ICO within 72 hours.

Individual rights, without the jargon

GDPR gives people rights over their own data, and a small business needs a simple process to handle the common ones - not a legal department, just a known way to respond within the time limits.

The two you will meet most are the right of access (someone asking for a copy of the data you hold on them - a 'subject access request') and the right to erasure (asking you to delete it, sometimes called the right to be forgotten). You generally have one month to respond. The deeper, technical machinery behind handling these at scale - and the data protection impact assessments larger projects need - is covered in our guide to UK GDPR for IT teams; for a small firm, a clear inbox and a simple checklist usually suffice.

A realistic first-90-days GDPR plan (timeline chart): Register + map data, 3 weeks; Notice + lawful basis, 3 weeks; Tighten security, 4 weeks; Rights + breach drill, 4 weeks. Total: 12 weeks end-to-end.

Security is most of the battle

A large share of GDPR in practice is simply good security, because the law requires you to protect personal data with 'appropriate technical and organisational measures'. Get the security basics right and you are most of the way there.

The foundations are unglamorous and effective: strong, unique passwords backed by a password manager, multi-factor authentication on key accounts, reliable backups so you never lose data, and staff who can spot a scam email through regular security awareness training. Demonstrating this baseline is exactly what the government's Cyber Essentials scheme is for, and our wider compliance support maps it to GDPR.

A realistic first-90-days plan

Rather than trying to become perfectly compliant overnight, treat GDPR as a short project with a sensible order. Doing the high-value steps first gets you most of the protection quickly.

  • Weeks 1-3: register with the ICO if required, and map what personal data you actually hold and where.
  • Weeks 3-6: write a plain privacy notice and confirm a lawful basis for each type of data you keep.
  • Weeks 5-9: tighten the security basics - passwords, MFA, backups, access limits - across the systems holding that data.
  • Weeks 8-12: agree a simple process for data requests and breaches, and brief the team so everyone knows the drill.

When to get help

Most small businesses can handle the basics themselves with a methodical approach. It is worth getting specialist help when the data is genuinely high-risk - large volumes, health or financial records, children's data - or when you are launching something new that processes a lot of personal information.

If that is you, a structured risk assessment is the sensible starting point, and our compliance team can map GDPR alongside related standards. For everyone else, the message is reassuring: GDPR for a small business is a manageable, mostly-common-sense list, and starting today beats waiting for a breach to force the issue.

Key takeaways
  • UK GDPR applies to every business that holds data about living people - there is no small-business exemption.
  • The response should be proportionate: a realistic, affordable list for a small firm, not a corporate-scale project.
  • The core is: know your data, have a lawful reason, be transparent, secure it, respect rights, and plan for breaches.
  • Most of GDPR in practice is good security - passwords, MFA, backups and trained staff get you most of the way.
  • Serious personal-data breaches must be reported to the ICO within 72 hours, so have a simple plan ready.
FAQs — GDPR for small business

Does it apply to me?

Does GDPR really apply to a tiny business or sole trader?

Yes. UK GDPR applies to any organisation that holds personal data about living people - customers, staff or a mailing list - regardless of size. There is no exemption for small firms or sole traders. What changes with size is the scale of the response, which should be proportionate to the data you hold.

What counts as personal data?

Any information that can identify a living person: names, email addresses, phone numbers, a customer list, and even things like IP addresses or CCTV images. It is much broader than just obviously sensitive records, which is why most businesses hold more personal data than they first realise.

Do I need to register with the ICO?

Most businesses that process personal data must pay a data protection fee to the ICO unless they qualify for an exemption. The fee is modest and tiered by organisation size. The ICO website has a quick self-assessment to confirm whether you need to register and at what level.

Getting compliant

How quickly must I report a data breach?

A personal-data breach that poses a risk to people must be reported to the ICO within 72 hours of you becoming aware of it. Not every incident meets that threshold, but the clock is tight, so it is worth deciding in advance who assesses a breach and how you would notify the ICO if needed.

Is good security enough to be GDPR compliant?

It is a large part of it but not the whole picture. GDPR requires 'appropriate technical and organisational measures' to protect data, so strong security is essential - but you also need a lawful basis for holding data, transparency about its use, and a way to handle people's rights. Security plus those steps gets a small firm compliant.

How long does a data subject access request take to handle?

You generally have one month to respond to a request from someone for the data you hold on them. For a small business the practical answer is to have a known process - a designated inbox and a simple checklist - so a request is handled calmly within the deadline rather than scrambled at the last minute.
