GDPR Compliance Guide for Small Businesses

The General Data Protection Regulation (GDPR) applies to any business that processes personal data of people in the UK or EU — regardless of the size of your business. Freelancers and small businesses are not exempt. Here's a practical guide to getting compliant without needing a legal team.

Does GDPR Apply to Your Small Business?

GDPR applies if you:

• Have a website that UK or EU residents can access
• Collect email addresses, names, or any other personal data from UK/EU residents
• Run Google Analytics, AdSense, or any other tracking technology
• Send marketing emails to customers or subscribers
• Store client data (even just names and email addresses in a spreadsheet)

If any of these apply, GDPR applies to you. The good news: compliance is achievable for small businesses without massive resources.

The 7 Principles of GDPR

Everything in GDPR flows from seven core principles. Your data processing must be:

• Lawful, fair, and transparent: You must have a legal basis, be honest about what you do with data, and not mislead people.
• Purpose-limited: Collect data only for specified, explicit purposes and don't use it for anything else.
• Data minimisation: Only collect what you actually need.
• Accurate: Keep data accurate and up to date.
• Storage-limited: Don't keep data longer than necessary.
• Integrity and confidentiality: Protect data against unauthorised access, loss, or destruction.
• Accountability: Be able to demonstrate your compliance.

Step 1: Map Your Data

Before you can comply, you need to know what personal data you hold. Create a simple spreadsheet (your Record of Processing Activities, or ROPA) listing:

• What data you hold (names, emails, addresses, payment info, etc.)
• Where it came from (contact forms, purchases, email sign-ups)
• Why you hold it (to fulfil a contract, for marketing, for analytics)
• Where it's stored (Gmail, Mailchimp, Google Drive, your server)
• Who has access to it
• How long you keep it

Step 2: Establish Your Lawful Basis

For every type of processing, you need a lawful basis. The most common for small businesses:

• Contract: Processing is necessary to fulfil a contract with the person (e.g., client details to deliver a project).
• Legitimate interests: You have a legitimate business reason that isn't overridden by the person's rights (e.g., basic security logging).
• Consent: The person has freely given, specific, informed, and unambiguous consent (e.g., newsletter sign-ups).
• Legal obligation: Processing is required by law (e.g., keeping tax records).

Step 3: Update Your Privacy Policy

Your privacy policy must be clear, concise, and cover all required information. See our complete privacy policy guide and use our Privacy Policy Generator to create one.

Step 4: Get Cookie Consent Right

This is where many small businesses fall short. Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR), non-essential cookies (analytics, advertising) can only be set AFTER the user gives consent. This means:

• No pre-ticked consent boxes
• No loading Google Analytics before consent is given
• A genuine "Reject" option must be as easy to find as "Accept"
• Users must be able to withdraw consent as easily as they gave it

Tools like Cookiebot, CookieYes, or Osano can help implement compliant cookie consent banners.

Step 5: Secure Your Data

GDPR requires "appropriate technical and organisational measures" to protect personal data. For small businesses, this means:

• Using strong, unique passwords and a password manager
• Enabling two-factor authentication (2FA) on all accounts
• Ensuring your website uses HTTPS
• Keeping software and plugins updated
• Using encrypted storage for sensitive files
• Having a clear process for what to do if data is lost or stolen

Step 6: Set Up a Process for Data Subject Requests

Individuals have the right to request access to their data, correct it, or have it deleted. You must respond within 30 days. Set up a simple process:

• A dedicated email address (e.g., privacy@yoursite.com)
• A procedure for verifying the identity of the requester
• A system for locating and deleting/exporting data on request

Step 7: Know Your Data Breach Obligations

Under GDPR, if you experience a personal data breach (e.g., a hacker accesses your email account containing client data), you may need to:

• Report it to the ICO (UK) or relevant supervisory authority within 72 hours of becoming aware of it
• Notify affected individuals "without undue delay" if the breach is likely to result in high risk to them

Not all breaches require reporting — only those that are likely to result in a risk to individuals' rights and freedoms. But you must document all breaches, whether or not you report them.

GDPR Penalties

The maximum fines under UK GDPR are £17.5 million or 4% of global annual turnover, whichever is higher. For small businesses, the ICO focuses on repeat offenders and egregious violations — but smaller fines (£10,000–£100,000) are increasingly common even for small organisations.

---

Related Articles

• How to Create a Privacy Policy
• Essential Legal Documents Every Freelancer Needs