EU Work · April 2, 2026 · 11 min read

GDPR Compliance Guide for Businesses 2025: What You Actually Need to Do

GDPR has been in force since May 2018 and the fines for non-compliance have become large enough to matter to businesses of any size. The regulation applies both in the EU and in the UK (as UK GDPR since Brexit), and the obligations it creates are not optional for any organisation that processes personal data about people in the EU or UK. Despite this, a significant number of businesses still operate without basic compliance steps in place.

This guide cuts through the legal language to explain what GDPR actually requires in practice, which obligations apply to most businesses, where the common mistakes are made, and what you need to have in place to demonstrate compliance if questioned by a regulator. You can check your current compliance status using our GDPR compliance checker.

What GDPR actually covers

GDPR regulates the processing of personal data relating to natural persons (individuals) in the EU. Personal data is any information that can identify an individual directly or indirectly. Names, email addresses, phone numbers, IP addresses, location data, cookie identifiers, employee payroll records, customer purchase histories: all of these are personal data under GDPR if they relate to an identified or identifiable living person.

The regulation applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A UK company with EU customers, a US company with EU subscribers, a Japanese company with EU employees: all fall within GDPR scope for that EU-resident data. Similarly, UK GDPR applies to the same broad category of organisations processing data about UK residents.

Processing means virtually anything you do with personal data: collecting it, storing it, reading it, sharing it, deleting it, and analysing it all count as processing. You cannot avoid the obligations that come with processing simply by not looking at data you have collected. Holding data that you collected makes you a controller, with all the obligations that entails.

The seven principles of GDPR

GDPR is built around seven principles that apply to all processing of personal data. Article 5 of the regulation sets these out and they form the foundation on which all specific obligations rest.

Lawfulness, fairness, and transparency: you must process data legally, fairly, and openly. You must have a legal basis for processing, and you must tell people what you do with their data.

Purpose limitation: you collect data for specified, explicit, and legitimate purposes and do not use it for anything incompatible with those stated purposes.

Data minimisation: you collect only the data that is actually necessary for the stated purpose.

Accuracy: you keep data correct and up to date.

Storage limitation: you do not keep data longer than necessary.

Integrity and confidentiality: you process data securely.

Accountability: you must be able to demonstrate that you comply with all of the above.

This last principle, accountability, is arguably the one most often underestimated. It is not enough to comply. You must be able to prove you comply. This means written policies, documented processes, records of processing activities, staff training records, and evidence of decisions made about data. Verbal agreement and good intentions are not enough if a regulator asks for evidence.

Legal bases: you must have one for every type of processing

Every processing activity needs a legal basis. GDPR provides six: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Most businesses rely on a combination of these depending on the activity.

The six GDPR legal bases

Consent: freely given, specific, informed, unambiguous agreement (can be withdrawn at any time)

Contract: processing necessary for the performance of a contract with the data subject

Legal obligation: processing required to comply with a legal duty (e.g. payroll records for HMRC)

Vital interests: processing to protect someone's life (rarely applicable in commercial contexts)

Public task: applies mainly to public authorities and certain regulated activities

Legitimate interests: processing necessary for the controller's legitimate interests, provided these are not overridden by the individual's rights

Consent is the most misunderstood legal basis. Many businesses think they need consent for everything, but consent is actually one of the weaker legal bases in some contexts because it can be withdrawn at any time. For processing that is essential to delivering your service, contract performance or legitimate interests is often more appropriate and more stable than relying on consent that might later be withdrawn.

Legitimate interests is the most flexible but also the most risky basis if not applied carefully. It requires a three-part test: identifying a legitimate interest, demonstrating that the processing is necessary for that interest, and conducting a balancing test to check that the individual's rights do not override that interest. Documenting this balancing test is important, particularly for activities like direct marketing, employee monitoring, or fraud prevention.

Individual rights you must be able to handle

GDPR gives individuals a substantial set of rights over their own data. Your business must have processes in place to handle requests relating to these rights within the statutory timeframe, which is one calendar month for most requests (extendable by two further months in complex cases).

The right of access allows any individual to request a copy of all personal data you hold about them, along with information about how it is processed. These subject access requests (SARs) must be fulfilled free of charge in most cases. If your data is poorly organised and spread across multiple systems, responding to a SAR can be time-consuming and expensive. Getting your data architecture in order makes SAR compliance much easier.

The right to erasure (often called the right to be forgotten) allows individuals to request deletion of their data in certain circumstances, including where the data is no longer necessary, where consent is withdrawn, or where the processing was unlawful. You do not have to delete data that you are legally required to retain or that is necessary for legal proceedings, but you must delete the rest if the request is valid.

The right to data portability allows individuals to receive their data in a structured, commonly used format and to have it transferred directly to another controller where technically feasible. The right to object allows individuals to object to processing based on legitimate interests or for direct marketing, with direct marketing objections always having to be honoured immediately.

Data breach notification: the 72-hour rule

One of the most time-sensitive obligations under GDPR is the requirement to notify the relevant supervisory authority (the ICO in the UK, or the relevant national authority in EU countries) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. Not every breach triggers the notification obligation, but breaches involving sensitive data, large numbers of people, or data that could be used for identity theft or fraud typically do.

Where a breach is likely to result in a high risk to individuals, you must also notify the affected individuals without undue delay. This is a separate obligation from the regulator notification and applies when the risk to individuals is high enough that they need to be able to protect themselves. An example would be a breach exposing financial account details, passwords, or health information.

Seventy-two hours is not much time, and many businesses are not prepared to handle this in practice. An incident response plan that identifies who is responsible for breach assessment, who decides whether to notify, and how to notify both the regulator and affected individuals needs to be in place before a breach happens. Most organisations that receive significant fines after a breach are penalised as much for slow or inadequate breach response as for the breach itself.

What small businesses actually need to do

GDPR applies to almost all businesses that process personal data, but organisations with fewer than 250 employees are exempt from some of the record-keeping obligations: the requirement to maintain comprehensive Records of Processing Activities (RoPA) is lighter for them, unless the processing is likely to result in a risk to individuals, involves special category data, or is not occasional.

In practice, most small businesses that collect any customer data, run email marketing, or process employee records should treat the RoPA requirement as applicable. The documentation costs very little and provides significant protection if questioned by the ICO. The ICO's approach to small businesses in the UK has generally been proportionate, but cases where there is evidence of careless or deliberate disregard for privacy rights do result in enforcement action.

The ICO's maximum fines in the UK are £17.5 million or 4% of global annual turnover, whichever is higher. For a small business, 4% of turnover is a significant number even if the absolute amount is small compared to the headline fines issued to large companies. In practice, the ICO's enforcement actions against smaller businesses most often result in improvement notices and reprimands rather than maximum fines, particularly for first-time or inadvertent breaches where the organisation cooperates with the investigation.

Common mistakes that lead to ICO action

Security incidents are the most common trigger for ICO investigations, because they are often publicly visible and may require breach notification that puts the organisation on the regulator's radar. Inadequate security measures, poor access controls, insufficient staff training, and failure to patch known vulnerabilities are the security failures that appear most frequently in ICO enforcement decisions.

Unlawful direct marketing is another common route to ICO action. Sending marketing emails to people who have not opted in (under PECR, the Privacy and Electronic Communications Regulations, which sit alongside GDPR), using pre-ticked consent boxes, and not providing a clear unsubscribe mechanism are relatively simple compliance failures that generate a significant number of complaints and enforcement actions.

Failing to respond to subject access requests or refusing them without proper legal grounds is also a regular feature of ICO caseloads. An organisation that receives a SAR from a disgruntled former employee or customer and simply ignores it is creating a clear and easily demonstrable compliance failure. Use the GDPR compliance checker to identify which areas of your current data practices may need attention, particularly if you have not carried out a formal compliance review recently.

Marco Dellini

European Employment Writer

Marco has a background in European labour law and has advised international companies on employment compliance across Germany, France, Italy and the Netherlands. He writes for TheCalcOra on EU work rights, freelance regulations and cross-border employment.
