
What Is GDPR and What Does It Mean for Your Business?

GDPR governs how businesses collect, store, and use personal data. Learn your key obligations and the practical steps to comply.

Key Takeaways

  • UK GDPR applies to any business that processes personal data about individuals in the UK
  • You need a lawful basis for processing — legitimate interest, consent, or contract are most common
  • Individuals have rights including access, erasure, and objection to processing
  • The ICO can fine businesses up to £17.5 million or 4% of global annual turnover for serious breaches

What UK GDPR is

The UK General Data Protection Regulation applies to any organisation that processes personal data about people in the UK. Almost every business processes some personal data — customer names and email addresses, employee records, supplier contacts — making UK GDPR relevant to virtually all UK businesses regardless of size.

The six lawful bases for processing

You must have a lawful basis for processing personal data. The six bases are: Consent (clear, informed agreement), Contract (necessary to fulfil a contract with the individual), Legal obligation (required by law), Vital interests (protecting life), Public task (task in the public interest), and Legitimate interests (your legitimate interests, provided they are not overridden by the individual's rights). Legitimate interests is the most flexible basis and the one used for most business processing — but it requires a documented balancing test.

Individual rights

UK GDPR gives individuals rights over their data: access (Subject Access Requests — fulfilled within 30 days, free of charge), erasure (right to be forgotten, subject to exceptions), rectification (correcting inaccurate data), restriction of processing, data portability (machine-readable format), and the right to object. Build processes for handling these requests before you receive them — responding reactively under time pressure is stressful.

The privacy notice

Every business processing personal data must provide a privacy notice explaining: what data you collect, why, how long you keep it, who you share it with, and what rights individuals have. It must be in clear plain language and easily accessible — typically as a dedicated page on your website. If you collect data not mentioned in the notice, or share with unlisted third parties, you are non-compliant.

Data breaches and the ICO

If a data breach occurs — unauthorised access to, loss of, or destruction of personal data — assess whether it is likely to cause risk to individuals. If so, report to the Information Commissioner's Office (ICO) within 72 hours. High-risk breaches require direct notification to affected individuals. The ICO can fine businesses up to £17.5 million or 4% of global annual turnover for serious breaches — though in practice fines focus on large organisations with systemic failings.
