
GDPR in Plain English: What Small Businesses Actually Need to Do
GDPR has been law in the UK since 2018, and it still makes small business owners nervous. The combination of legal language, horror stories about massive fines, and a general sense that it is all very complicated has led a lot of people to either ignore it entirely or spend money on compliance consultants they did not need.
The truth is somewhere in the middle. GDPR does require you to take data protection seriously. But for most small businesses, compliance is achievable, affordable, and far less complicated than the scaremongering suggests.
Here is what you actually need to know.
What GDPR Is (and Is Not)
GDPR — the General Data Protection Regulation — is a set of rules about how organisations collect, store, and use personal data. In the UK, it is implemented through the UK GDPR and the Data Protection Act 2018.
Personal data means any information that can identify a living person. That includes names, email addresses, phone numbers, IP addresses, and even things like job titles when combined with a company name.
GDPR is not a reason to stop collecting data. It is a framework for collecting and using it responsibly.
The Six Principles You Need to Know
GDPR is built around six core principles. If you understand these, you understand the regulation.
1. Lawfulness, fairness, and transparency — You must have a valid reason to collect data, and you must be honest with people about what you are doing with it.
2. Purpose limitation — You can only use data for the specific purpose you collected it for. If someone gives you their email to receive a quote, you cannot add them to your marketing list without asking.
3. Data minimisation — Only collect the data you actually need. If you do not need someone's date of birth, do not ask for it.
4. Accuracy — Keep data up to date and correct errors when you become aware of them.
5. Storage limitation — Do not keep data longer than you need it. Old customer records from five years ago that you will never use again should be deleted.
6. Integrity and confidentiality — Keep data secure. This does not mean you need enterprise-grade security, but it does mean sensible precautions like strong passwords and not leaving customer spreadsheets in your email inbox forever.
What You Actually Need to Have in Place
For most small businesses, GDPR compliance comes down to a handful of practical steps.
A Privacy Policy
If you have a website that collects any personal data — even just a contact form — you need a privacy policy. It needs to explain what data you collect, why you collect it, how long you keep it, and what rights people have over their data.
It does not need to be 20 pages long. A clear, honest, plain-English privacy policy is better than a dense legal document that nobody reads.
Cookie Consent
If your website uses cookies beyond the strictly necessary ones (analytics tools like Google Analytics, for example), you need to ask for consent before setting them. This means a cookie banner that gives people a genuine choice — not one that makes "accept all" the only obvious option.
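The technical half of that requirement is that nothing non-essential touches the visitor's browser until they have actually said yes. The following is an added illustration, not code from the article or from any consent tool it mentions: a small consent gate that blocks non-essential cookies, queues scripts such as an analytics loader until their category is granted, and removes the cookies again if consent is withdrawn. The category names, cookie names and values are constructed, and `jar` is a plain object standing in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not from the article): a consent gate for non-essential
// cookies and scripts. `jar` stands in for document.cookie so this runs in
// Node; category and cookie names below are constructed for the example.

const ESSENTIAL = 'essential'; // strictly necessary cookies need no consent

function createConsentGate(jar) {
  const granted = new Set([ESSENTIAL]); // categories the visitor has allowed
  const categoryOf = new Map();         // cookie name -> category, for withdrawal
  const pending = [];                   // loaders waiting on a category
  const blocked = [];                   // write attempts refused before consent

  // Runs every queued loader whose category is now granted.
  function runUnblocked() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (granted.has(pending[i].category)) {
        const { loader } = pending.splice(i, 1)[0];
        loader();
      }
    }
  }

  return {
    // Writes a cookie only when its category is allowed; otherwise records
    // the refusal so the site owner can see what tried to run early.
    setCookie(name, value, category) {
      if (!granted.has(category)) {
        blocked.push({ name, category });
        return false;
      }
      jar[name] = value;
      categoryOf.set(name, category);
      return true;
    },
    // Queues a script (an analytics initialiser, for instance) until consent.
    defer(category, loader) {
      pending.push({ category, loader });
      runUnblocked();
    },
    // Records the visitor's choice and releases anything it unblocks.
    grant(categories) {
      for (const c of categories) granted.add(c);
      runUnblocked();
    },
    // Withdrawal must be as easy as consent: drop the category and its cookies.
    withdraw(category) {
      if (category === ESSENTIAL) return; // strictly necessary cannot be withdrawn
      granted.delete(category);
      for (const [name, cat] of categoryOf) {
        if (cat === category) {
          delete jar[name];
          categoryOf.delete(name);
        }
      }
    },
    blockedAttempts() { return blocked.slice(); },
    isGranted(category) { return granted.has(category); },
  };
}

// A typical visit: analytics tries to set a cookie before consent (blocked),
// the visitor opts in (loader runs, cookie set), then withdraws (cookie gone).
function runScenario() {
  const jar = {};
  const gate = createConsentGate(jar);
  const log = [];

  gate.setCookie('session_id', 'constructed-session-value', ESSENTIAL);
  gate.setCookie('_analytics_id', 'constructed-id', 'analytics'); // refused
  gate.defer('analytics', () => {
    log.push('analytics loaded');
    gate.setCookie('_analytics_id', 'constructed-id', 'analytics');
  });
  log.push(`before consent: ${Object.keys(jar).join(',')}`);

  gate.grant(['analytics']);
  log.push(`after consent: ${Object.keys(jar).sort().join(',')}`);

  gate.withdraw('analytics');
  log.push(`after withdrawal: ${Object.keys(jar).join(',')}`);

  return { jar, log, blocked: gate.blockedAttempts() };
}
```

The gate only covers the mechanics; the banner in front of it still has to offer "reject" as plainly as "accept all", and the `blockedAttempts()` list is a useful check that no third-party tag is sneaking a cookie in before the visitor has chosen.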
A Lawful Basis for Processing
For every type of personal data you collect, you need a lawful basis. The most common ones for small businesses are:
- Legitimate interests — you have a genuine business reason to process the data, and it does not override the individual's rights
- Contract — you need the data to fulfil a contract with the person
- Consent — the person has actively agreed to you using their data for a specific purpose
A Way to Respond to Data Subject Requests
People have the right to ask what data you hold about them, to have it corrected, or to have it deleted. You need a process for handling these requests — even if that process is just "email us and we will sort it within a month."
What You Probably Do Not Need
Unless you are processing large volumes of sensitive personal data, you almost certainly do not need:
- A Data Protection Officer (DPO)
- A formal Data Protection Impact Assessment (DPIA) for routine activities
- An expensive compliance consultant on retainer
Most small businesses can achieve solid GDPR compliance with a clear privacy policy, sensible data practices, and a bit of staff awareness.
The Fines Are Not What You Think
The headlines about GDPR fines tend to involve large organisations that have had significant data breaches or have been systematically ignoring the rules. The Information Commissioner's Office (ICO) — the UK's data protection regulator — has been clear that it takes a proportionate approach with small businesses.
That said, ignoring GDPR entirely is not a sensible strategy. A complaint from a customer or a data breach can trigger an investigation, and demonstrating that you have made a genuine effort to comply will always work in your favour.
Getting Started
If you are not sure where your business stands on GDPR compliance, start with these questions:
- Do you have a privacy policy on your website?
- Do you have cookie consent in place?
- Do you know what personal data you hold and where it is stored?
- Do you have a process for deleting data you no longer need?
If the answer to any of these is "no" or "I'm not sure," that is where to focus first.
We help small businesses get GDPR-compliant without the jargon or the unnecessary expense. Get in touch if you would like a hand.