What Is GDPR for SMEs?
UK GDPR is the UK's data protection law. It governs how businesses collect, store, use, and share personal data — and non-compliance can result in significant fines.
Key Takeaways
- UK GDPR applies to almost every business that handles personal data about individuals in the UK.
- You must have a lawful basis for processing personal data — consent is just one of six options.
- A privacy notice and a process for handling data subject requests are minimum requirements.
- The ICO can fine businesses up to £17.5 million or 4% of global turnover for serious breaches.
What GDPR is and who it applies to
The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, is the primary data protection law in the UK following Brexit. It applies to any organisation — regardless of size — that processes personal data about individuals in the UK. Personal data is any information that can identify a living individual: names, email addresses, IP addresses, photographs, and payroll data all qualify. If your business has a website that collects email addresses, employs staff, or holds a customer database, UK GDPR applies to you. There is no SME exemption, though the Information Commissioner's Office (ICO) takes proportionality into account when assessing compliance requirements and sanctions.
Lawful bases for processing data
Under UK GDPR, every time you process personal data you must be able to point to one of six lawful bases. The most commonly misunderstood is consent: it must be freely given, specific, informed, and unambiguous — pre-ticked boxes and bundled consent do not qualify. For many SME activities, a more appropriate basis is legitimate interests, which allows processing that is necessary for your genuine business purposes, provided those interests are not overridden by the individual's own rights and interests. Contract is the basis for processing data needed to fulfil a contract with the individual (e.g. processing a customer's address to deliver an order). Legal obligation covers processing required by law, such as payroll records for HMRC. Choosing the right basis matters because it determines which rights individuals can exercise and which obligations you take on.
Minimum compliance requirements
For most SMEs, the baseline compliance requirements are:
- Maintain a Record of Processing Activities (ROPA) documenting what data you hold and why.
- Publish a clear privacy notice on your website explaining how you use personal data.
- Establish a process for responding to data subject access requests: you have 30 days to provide the individual with a copy of their data.
- Implement reasonable technical security measures, such as strong passwords, access controls, and encryption of sensitive data.
- Register with the ICO if you are a data controller (most businesses are); registration costs £40–£60 per year.
If you use third-party processors — email marketing platforms, cloud storage, payroll providers — you need a data processing agreement in place with each of them.
Breach notification and penalties
If you experience a personal data breach — unauthorised access, accidental loss, or unlawful disclosure of personal data — you must assess the risk to individuals and, if the breach is likely to result in a risk to their rights and freedoms, notify the ICO within 72 hours of becoming aware of it. If the breach poses a high risk to individuals, you must also notify the affected individuals directly. Penalties for serious non-compliance can reach £17.5 million or 4% of annual global turnover, whichever is higher. In practice, the ICO focuses significant enforcement resources on larger organisations, but SMEs have received fines for spam marketing, inadequate security, and failure to respond to data subject requests.