GDPR for Small Businesses UK 2025: What You Must Do and What Fines Look Like
Data protection law is one of the most misunderstood areas of business compliance in the UK. Many small business owners assume that GDPR is a large-company problem, or that the rules do not apply to them because they handle relatively small amounts of personal data. Neither assumption is correct. UK GDPR applies to virtually every business that processes personal data in any form, from email marketing lists to employee payroll records to customer invoices. The threshold for obligations is low, and the Information Commissioner's Office has shown willingness to investigate and fine businesses of all sizes when complaints arise.
This guide covers what UK small businesses actually need to do to comply with UK GDPR in 2025, what the ICO can do when things go wrong, and how to approach compliance without turning it into a major burden. Use our GDPR compliance checker to assess your current compliance position and identify gaps.
UK GDPR versus EU GDPR: what changed after Brexit
When the UK left the EU, it incorporated the EU General Data Protection Regulation into domestic law as UK GDPR, running alongside the Data Protection Act 2018. The substantive requirements of UK GDPR are largely identical to EU GDPR, covering the same six lawful bases for processing, the same data subject rights, the same breach notification timelines, and similar accountability obligations. For most UK businesses that only process data of UK individuals, the practical difference is minimal.
The main divergence arises for businesses that handle personal data of individuals in EU member states. Such businesses now need to comply with both UK GDPR and EU GDPR, which are separate legal regimes enforced by different regulators. A UK e-commerce business selling to French customers must comply with EU GDPR in respect of those customers, and may need a representative in an EU member state. The ICO regulates UK GDPR compliance, while EU data protection authorities regulate EU GDPR compliance. Businesses that traded with the EU pre-Brexit and continue to do so should not assume that UK GDPR compliance alone covers their EU obligations.
ICO registration: who must register and what it costs
Most organisations that process personal data must pay the data protection fee to the ICO, which is how data controllers are registered. The fee structure is tiered by size and turnover. Micro-organisations with fewer than 10 staff and turnover under £632,000 pay the Tier 1 fee of £40 per year. Small and medium organisations pay the Tier 2 fee of £60 per year. Larger organisations pay the Tier 3 fee of £2,900 per year. There are limited exemptions, including where processing is only for personal, family, or household purposes, or where processing is only for staff administration, advertising, or marketing in certain narrow circumstances.
ICO data protection fee tiers 2025
Tier 1 — micro-organisations, under 10 staff, turnover under £632k: £40 per year
Tier 2 — small and medium organisations: £60 per year
Tier 3 — large organisations, 250+ staff or turnover over £36m: £2,900 per year
Failure to register: up to £4,000 fixed penalty notice
Failing to register when required to do so is a criminal offence and the ICO can issue a fixed penalty notice of up to £4,000 without going through a full investigation process. Registration is separate from compliance, and being registered does not mean you are compliant, but it is a basic requirement that many small businesses overlook. The registration database is publicly searchable, and some customers and business partners check it as a basic due diligence step.
The six lawful bases: choosing the right one
Every time your business processes personal data, it must have a lawful basis for doing so. UK GDPR defines six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most small businesses rely primarily on contract (processing necessary to perform a contract with the individual), legal obligation (such as keeping payroll records as required by HMRC), and legitimate interests (where the business interest in processing outweighs the individual's privacy interests).
Consent is often misused as a default lawful basis when another ground applies more cleanly. Consent requires a positive, specific, and freely given action from the individual, must be as easy to withdraw as it was to give, and cannot be a condition of service. Using consent as the basis for processing employee data is problematic because the employment relationship creates a power imbalance that makes truly free consent questionable. For direct marketing by email to individuals who are not existing customers, consent is generally required. For existing customers, the soft opt-in rule under PECR allows marketing of similar products and services without fresh consent, provided an opt-out was offered at the point of collection.
Privacy notices: what they must contain
UK GDPR requires organisations to provide individuals with a privacy notice at the time their data is collected. The notice must be concise, transparent, and written in plain language. A privacy notice on a website covering data collected through contact forms, sign-ups, or purchases must tell visitors who is collecting the data, what it is being used for, the lawful basis for each use, how long it will be kept, whether it will be shared with third parties, whether it will be transferred outside the UK, and what rights the individual has. Rights include access, correction, erasure, restriction of processing, data portability, and the right to object.
Many small business privacy notices are inadequate because they are copied from templates without being tailored to what the business actually does. A privacy notice that says data will be used for marketing purposes without specifying the lawful basis, or that refers to data transfers to third countries without listing them, does not meet the transparency requirement. The ICO publishes a privacy notice generator and guidance that small businesses can use as a starting point. If your business uses tools like Google Analytics, Meta Pixel, or email marketing platforms, each of these involves sharing personal data with third parties that must be disclosed.
Data subject rights: responding to requests
Individuals have the right to request access to personal data held about them, commonly called a subject access request or SAR. Businesses must respond within one calendar month at no charge. A SAR requires you to provide the individual with a copy of all personal data held about them, the purposes for which it is processed, the categories of data, the recipients or categories of recipients, the retention period, and information about their rights. Failing to respond within the deadline or refusing a valid request without justification are among the most common reasons individuals complain to the ICO.
The right to erasure allows individuals to request deletion of their data in certain circumstances, such as when consent is withdrawn or the data is no longer necessary for the purpose it was collected. This right is not absolute: if processing is necessary to comply with a legal obligation (such as keeping payroll records for HMRC purposes), the legal obligation overrides the erasure request for that data. Having a clear records retention policy that documents how long different categories of data are kept and why is both a compliance requirement and a practical tool for responding to erasure requests efficiently.
Data breach notification: the 72-hour rule
If a personal data breach occurs and it is likely to result in a risk to individuals' rights and freedoms, the breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. A personal data breach is any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes sending an email to the wrong recipient, losing a laptop containing customer records, ransomware encrypting files containing personal data, or a spreadsheet being inadvertently made public.
Not every breach needs to be reported, only those that are likely to result in risk. A letter containing personal data sent to an incorrect address within an organisation, where it was retrieved without being read, might not meet the threshold. A breach affecting large numbers of individuals, sensitive categories of data, or where there is potential for fraud or identity theft clearly does. If the breach is high-risk to individuals, they must also be directly notified without undue delay. Maintaining a breach log even for low-risk incidents that do not require ICO notification is good practice and evidences your accountability obligations.
ICO fines and enforcement: what small businesses face
UK GDPR provides for two tiers of administrative fines. The lower tier applies to less serious infringements and reaches up to £8.7 million or 2% of global annual turnover, whichever is higher. The upper tier covers the most serious infringements such as breach of the fundamental principles or violation of data subject rights, and reaches up to £17.5 million or 4% of global annual turnover. These headline figures attract attention, but the vast majority of ICO enforcement action against small businesses does not involve fines at these levels.
The ICO's enforcement priorities are proportionate to the harm caused and the size of the organisation. Reprimands, warnings, and enforcement notices requiring corrective action are far more common than large financial penalties for small businesses. That said, the ICO does fine small and medium organisations. Recent examples include a small law firm fined £98,000 for failing to implement adequate security measures following a ransomware attack, and a sole trader fined £8,000 for unlawful direct marketing. The reputational damage from an ICO investigation, even if it ends without a fine, is significant for small businesses that rely on customer trust. Our GDPR compliance checker identifies the areas of highest risk for your type of business and helps you prioritise where to focus compliance efforts first.
Practical compliance for small businesses
For most small businesses, compliance can be broken down into a manageable set of practical steps. Register with the ICO and pay the annual fee. Audit what personal data you hold, where it came from, what you do with it, and who has access. Write or update your privacy notice to reflect what you actually do. Document the lawful basis for each type of processing. Put a process in place for handling SARs and breach notifications. Review any third-party tools and services you use that involve personal data and ensure you have appropriate contracts or data processing agreements in place with those suppliers.
If your business processes special category data such as health information, racial or ethnic origin, or political opinions, or if you carry out large-scale systematic monitoring of individuals, you may need to appoint a Data Protection Officer. For most small businesses that do not handle special category data at scale, a DPO is not mandatory, but designating someone internally as responsible for data protection and ensuring they have access to appropriate guidance is good practice. If your business operates across the UK and EU and you need to understand the interaction with EU GDPR requirements, our EU business compliance resources cover the additional obligations that arise when operating in specific EU member states.
For sole traders and limited company directors thinking about the broader compliance landscape for running a UK business, our guides on when to register a limited company and VAT obligations when selling in Europe cover complementary regulatory requirements that sit alongside data protection obligations. Compliance across all three areas (company structure, tax, and data protection) is what a properly run small business needs to have in place.
Sophie Chambers
UK Tax & Finance Writer
Sophie is a former tax consultant who worked at a mid-tier accountancy practice for six years before going freelance. She writes about UK personal tax, self-employment, property taxation and HMRC rules for TheCalcOra, with a focus on giving people the information they need without the jargon.