If your business collects, stores, or processes any personal data — a customer's name, email address, phone number, or anything else that could identify a person — you are legally required to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Information Commissioner's Office (ICO) can issue fines of up to £17.5 million or 4% of annual global turnover for serious breaches. For a small business, even a minor violation can result in a fine that causes serious damage.
The good news? Getting compliant is entirely achievable — even for a business of one. This checklist walks you through everything you need to do, in plain English.
💡 Quick note: Following Brexit, the UK operates under UK GDPR — a version of the EU's GDPR tailored for the UK. The core principles and obligations are virtually identical, but UK GDPR is enforced by the ICO rather than EU supervisory authorities.
1. Understand What Personal Data You Hold
Before you can protect data, you need to know what you have. Personal data is any information that can identify a living individual, either on its own or in combination with other information.
Common types of personal data a small business collects:
- Names, email addresses, phone numbers
- Home or billing addresses
- IP addresses, cookies, and website analytics data
- Payment card information (though this is also governed by PCI DSS)
- Employee records, including payroll and HR data
- CCTV footage (if you operate cameras)
Checklist:
- Identify all the personal data your business collects
- Know where it is stored (spreadsheets, CRM, email, paper files)
- Know who has access to it
- Understand how long you retain it
2. Establish a Lawful Basis for Processing
Under UK GDPR, you must have a valid legal reason — called a lawful basis — for every type of personal data processing you carry out. There are six lawful bases, and the most relevant for small businesses are:
- Consent — the individual has given clear, specific consent (commonly used for marketing emails)
- Contract — processing is necessary to fulfil a contract with the individual (e.g. delivering a service they've paid for)
- Legal obligation — you're required to process data by law (e.g. keeping payroll records for HMRC)
- Legitimate interests — you have a genuine business reason that isn't overridden by the individual's rights
Checklist:
- Identify the lawful basis for each type of data you process
- Document your lawful bases in writing
- Never rely on consent where another basis is more appropriate
- Ensure marketing consent is freely given, specific, and easy to withdraw
3. Register with the ICO
Most organisations that process personal data must pay the ICO's data protection fee. For the majority of small businesses, this is £40 per year (Tier 1). Failing to register is a criminal offence and can result in a fine of up to £4,000.
⚠️ Don't skip this step. ICO registration is one of the quickest wins — it takes around 15 minutes online and costs £40. The ICO actively pursues unregistered organisations.
- Register with the ICO at ico.org.uk/registration
- Pay the annual £40 fee (Tier 1 for most small businesses)
- Renew your registration every year
- Update your registration if your processing activities change significantly
4. Write a Privacy Policy
Your privacy policy is a legal requirement under UK GDPR. It must be publicly available (typically on your website) and written in clear, plain English. It needs to explain, at minimum:
- Who you are and how to contact you
- What personal data you collect and why
- Your lawful basis for processing
- How long you keep data
- Whether you share data with third parties
- Individuals' rights (access, erasure, rectification, etc.)
- How to make a complaint to the ICO
Checklist:
- Publish a privacy policy on your website
- Link to it from your contact forms and checkout pages
- Keep it up to date as your data practices change
- Avoid copying generic templates — your policy should reflect your actual practices
5. Implement a Cookie Policy
If your website uses cookies — and most do, including Google Analytics — you need a cookie policy and a mechanism for obtaining consent before non-essential cookies are set.
- Audit what cookies your website uses (Google Analytics, marketing pixels, etc.)
- Publish a cookie policy explaining each type of cookie
- Implement a cookie consent banner that allows users to accept or reject non-essential cookies
- Do not pre-tick consent boxes or load analytics cookies before consent is given
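The last two items are the part most often got wrong in code, so here is an added example (not code from the original article) of consent-gated loading: a small, DOM-free helper that reads a consent cookie, treats an undecided or malformed cookie as "nothing granted", and injects analytics or marketing scripts only for categories the visitor explicitly accepted. The cookie name, the version field and the script URLs are assumptions.

```javascript
// Added example, not the article's code; cookie name, version field and URLs are assumptions.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 1; // bump when the cookie policy changes so old choices are re-asked
// Parse a Cookie header / document.cookie string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}
// Stored decision, or null if undecided, malformed, or made under an older policy version.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION) return null;
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch (e) {
    return null;
  }
}
// No pre-ticked boxes: an undecided visitor gets no non-essential cookies.
function allowedCategories(cookieString) {
  return readConsent(cookieString) || { analytics: false, marketing: false };
}
// Records the choice; a rejection is stored too so the banner is not re-shown on every
// page, but only an explicit true grants a category.
function buildConsentCookie(decision, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({
    version: CONSENT_VERSION,
    analytics: decision.analytics === true,
    marketing: decision.marketing === true,
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
// Inject tag loaders only for granted categories. `inject` appends the <script>;
// it is passed in so this logic runs (and is testable) without a DOM.
function loadPermittedScripts(cookieString, loaders, inject) {
  const allowed = allowedCategories(cookieString);
  const loaded = [];
  for (const [category, src] of Object.entries(loaders)) {
    if (allowed[category] === true) { inject(src); loaded.push(category); }
  }
  return loaded;
}
```

In a real page, `inject` would be a function that creates a script element and appends it to the document, and `buildConsentCookie` would be written to `document.cookie` when the visitor clicks accept or reject in the banner.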
6. Respond to Individual Rights Requests
UK GDPR grants individuals a number of rights over their personal data. As a business, you must be able to respond to these requests within one calendar month.
Key rights you must be able to fulfil:
- Right of access — individuals can request a copy of all data you hold on them (Subject Access Request / SAR)
- Right to erasure — also known as the "right to be forgotten"
- Right to rectification — individuals can ask you to correct inaccurate data
- Right to restrict processing — individuals can ask you to stop processing their data in certain circumstances
- Right to data portability — individuals can ask for their data in a machine-readable format
Checklist:
- Set up a process for receiving and responding to rights requests
- Create a dedicated email address or contact form for data requests
- Train anyone who handles customer data on how to respond
- Document all requests and your responses
7. Secure the Data You Hold
UK GDPR requires you to implement appropriate technical and organisational measures to keep personal data secure. What counts as "appropriate" depends on the nature of the data and the risks involved.
- Use strong, unique passwords and a password manager
- Enable two-factor authentication (2FA) on all business accounts
- Keep software, operating systems, and apps up to date
- Encrypt sensitive data at rest and in transit
- Limit access to personal data — only staff who need it should have it
- Use reputable, GDPR-compliant cloud services for storing data
- Securely delete data you no longer need
🔒 Tip: Cyber Essentials certification is a UK government-backed scheme that demonstrates you have basic cybersecurity controls in place. It's particularly valuable if you work with the public sector or handle sensitive data. SwiftForge can help you achieve Cyber Essentials certification.
8. Have a Data Breach Response Plan
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or disclosure of personal data. Under UK GDPR, if a breach is likely to pose a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it.
- Know what constitutes a personal data breach
- Have a documented process for identifying, containing, and reporting breaches
- Know how to report a breach at ico.org.uk
- Keep a record of all breaches, even those you don't need to report
- Know when you must also notify affected individuals directly
9. Manage Third-Party Data Processors
If you use any third-party services that process personal data on your behalf — a CRM, email marketing platform, accounting software, web host — they are considered data processors. UK GDPR requires you to have a written contract with them covering their data processing obligations.
Typical processors used by small businesses:
- Email marketing tools (Mailchimp, etc.)
- CRM software (HubSpot, Salesforce, etc.)
- Cloud storage (Google Drive, Dropbox, etc.)
- Payment processors (Stripe, PayPal, etc.)
- Web hosting providers
Checklist:
- List all third-party services that process personal data for you
- Ensure each has a Data Processing Agreement (DPA) in place
- Check they are GDPR/UK GDPR compliant themselves
- Be cautious about services that store data outside the UK or EU without adequate safeguards
10. Keep Records of Your Processing Activities
If your business has fewer than 250 employees, you are generally only required to keep records where processing is regular, likely to result in a risk to individuals, or involves special category data. However, maintaining a Record of Processing Activities (RoPA) is still best practice for all businesses.
- Create and maintain a Record of Processing Activities
- Include: what data you process, why, who has access, how long you keep it
- Review and update your records regularly
Need help becoming GDPR compliant?
SwiftForge provides GDPR compliance audits, privacy policy drafting, and ongoing data protection support for UK small businesses — starting from £400.
GDPR Compliance Checklist — Summary
Here's your complete checklist at a glance:
- Map all personal data you collect, store, and process
- Establish and document a lawful basis for each type of processing
- Register with the ICO and pay the annual £40 fee
- Publish a clear, accurate privacy policy on your website
- Implement a cookie consent mechanism
- Set up a process for handling individual rights requests
- Implement appropriate technical and organisational security measures
- Have a documented data breach response plan
- Review and manage all third-party data processors
- Maintain a Record of Processing Activities
Final Thoughts
GDPR compliance isn't a one-time task — it's an ongoing responsibility. The landscape evolves, your business changes, and new tools introduce new data flows. The key is to build good habits from the start: document what you do, keep your policies updated, and take data security seriously.
If you're unsure where to start or want an expert to review your current setup, SwiftForge offers GDPR compliance audits specifically designed for UK small businesses. We'll identify any gaps and help you fix them — without the jargon.