GDPR for Small Businesses: All you need to know

6 minute read

Last updated: August 21, 2025

The Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025. It amends UK GDPR, and its changes are expected to be brought into force in stages over the following year (June 2025 to June 2026), so some of the detail below may change.

UK GDPR is the law that governs how organisations handle personal data such as names, addresses, mobile numbers, health information, biometric data and more. It was introduced to give people more control over their personal data, and it applies to organisations of all sizes, including small businesses, that collect or process it.

Non-compliance can lead to hefty fines and reputational damage, which can be devastating for smaller businesses in particular. Despite this, thousands of personal data breaches occur every year: nearly 3,500 were self-reported to the Information Commissioner's Office (ICO) between January and March 2025 alone. These can be caused by cyber and non-cyber incidents, anything from a phishing email or a hack to a lost file or simple human error.


Key summary 

  • A GDPR breach can lead to substantial fines (up to £17.5m or 4% of global annual turnover, whichever is higher) for small businesses if the ICO finds they are at fault for a data breach
  • Data breaches can also have a big impact on the people affected, leading to crimes such as identity theft and fraud
  • Small businesses need to ensure they abide by the seven principles of GDPR (such as accuracy, transparency and data minimisation)

How does GDPR affect small businesses?

GDPR governs how small businesses process personal data. According to the government website, GDPR legally requires businesses to ensure any data they collect is:

  • Used fairly, lawfully and transparently
  • Used for specified, explicit purposes
  • Used in a way that is adequate, relevant and limited to only what is necessary
  • Accurate, and where necessary, kept up to date
  • Kept for no longer than is necessary
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage 

It also states that there are greater protections for sensitive information such as race, ethnicity, political opinions, health, genetics and more. People also have rights over their personal data, including the right to know how a small business uses it, to access it, and to request that it be corrected or deleted.

GDPR is enforced in the UK by the ICO, which handles reports of breaches. A personal data breach that is likely to result in a risk to people's rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. A small business reports a breach by explaining what has happened and what information is compromised; the ICO will then confirm receipt and advise on next steps, including whether the affected individuals must also be told.

What are the seven principles of GDPR?

UK GDPR sets out seven principles that small businesses must follow when processing personal data:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability 

By following these principles, small businesses can demonstrate compliance and they will be more protected against fines or other penalties if a breach occurs.  For example, if you’re collecting customer data, you should only collect data that you need and ensure it’s up to date. Also take measures to secure it such as encryption and passwords, or locks on cabinets if it’s physical data.

What is the maximum fine for GDPR non-compliance?

Like any organisation, small businesses can be fined up to £17.5m or 4% of their global annual turnover (whichever is higher) if the ICO's investigation finds they are responsible for a breach. Larger businesses may be able to absorb such costs, but for a small business a fine of this magnitude could be ruinous.

However, fines are assessed on a case-by-case basis by the ICO and depend on the severity of the breach (including its impact on individuals), any mitigating circumstances, and the turnover of the undertaking.

Data breaches also have other negative consequences for small businesses:

  • Damage to reputation
  • Loss of customers
  • Legal challenges
  • Regulatory investigations

It can also have big consequences for the people impacted because cyber criminals can use their personal data to commit identity theft, fraud and other crimes.

Read more about the factors that determine GDPR penalties.

5 ways to maintain GDPR compliance

Small businesses are not exempt from GDPR. Even if you don’t have the same resources as a larger company, you are still legally bound to protect customer data from falling into the wrong hands.

1. Understanding what personal data you collect and process

Assess your data processing activities. This will help you identify the personal data you collect and process, and the purposes for which you do so. Recording the outcome in a record of processing activities (Article 30 UK GDPR) also gives you the evidence the accountability principle requires.

The GDPR defines personal data as information relating to an identified or identifiable natural person (a "data subject"). This includes information such as name, address, email address, phone number and IP address. The GDPR also applies special rules to "special category" data, such as information about health, sexual orientation or religious beliefs.

As a rule of thumb, never collect data unless it is necessary for a purpose you have identified and documented.


2. Obtaining consent for the processing of personal data

Every processing activity needs a lawful basis. Consent is one of six lawful bases under the GDPR; the others, such as performance of a contract, a legal obligation or legitimate interests, are often the better fit for routine activities like fulfilling an order. Where you do rely on consent (for example, for marketing emails), it must be freely given, specific, informed and unambiguous: use an unticked opt-in box on a form, record when and how consent was given, and make withdrawing it as easy as giving it, for instance with a clear 'unsubscribe' link in every email.

3. Keeping personal data secure

Businesses must take appropriate technical and organisational measures to keep personal data secure. This includes steps to prevent unauthorised access, use, disclosure, alteration or destruction of personal data. In practice this means strong, unique passwords with multi-factor authentication where it is available, encrypting data at rest and in transit, restricting access to personal data to the staff who need it for their role, and keeping backups so that data can be restored after loss.

4. Providing data subjects with their rights

The GDPR gives data subjects a number of rights, including the right to access their personal data, the right to have their personal data erased and the right to object to the processing of their personal data. Ensure that you communicate these rights to your data subjects, typically in your privacy notice.

Businesses must be able to act on these rights when a data subject exercises them. This includes responding to requests for access, erasure and objection without undue delay and at the latest within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual why). Knowing where all of a person's data is held is what makes these deadlines achievable.
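The checks described in steps 1, 3 and 4 above (collect only what a purpose needs, rely on consent only where it has actually been given, keep data no longer than necessary, limit who sees identities, and answer access and erasure requests) can be enforced in code rather than left to policy. The following is an added example written for this page, not code from Skillcast, the ICO or any library: a stdlib-only Python register for a small business's customer records. The purposes, permitted fields, retention periods, HMAC key and customer data are all constructed for the demo and stand in for values you would take from your own documented policy.

```python
"""Added example (not from the original page): a tiny personal-data register
that enforces data minimisation, purpose-bound consent, storage limitation
and data-subject access/erasure requests. All values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy per purpose (take these from your documented policy).
RETENTION_DAYS = {"order_fulfilment": 6 * 365, "newsletter": 2 * 365}
# Fields each purpose is permitted to hold; anything else is rejected at collection.
ALLOWED_FIELDS = {
    "order_fulfilment": {"name", "email", "postal_address"},
    "newsletter": {"email"},
}
# Purposes whose lawful basis is consent (order fulfilment here relies on contract).
CONSENT_PURPOSES = {"newsletter"}


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    data: dict
    consent_given: bool


class PersonalDataRegister:
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key  # in production: load from a secrets store
        self._records = []

    def collect(self, subject_id, purpose, data, collected_on, consent_given=False):
        """Data minimisation and lawful-basis checks at the point of collection."""
        extra = set(data) - ALLOWED_FIELDS[purpose]
        if extra:
            raise ValueError(f"{purpose}: not permitted to collect {sorted(extra)}")
        if purpose in CONSENT_PURPOSES and not consent_given:
            raise ValueError(f"{purpose}: requires an explicit, unticked opt-in")
        rec = Record(subject_id, purpose, collected_on, dict(data), consent_given)
        self._records.append(rec)
        return rec

    def purge_expired(self, today):
        """Storage limitation: delete records older than their purpose's retention."""
        kept, removed = [], 0
        for r in self._records:
            if today - r.collected_on > timedelta(days=RETENTION_DAYS[r.purpose]):
                removed += 1
            else:
                kept.append(r)
        self._records = kept
        return removed

    def pseudonym(self, subject_id):
        """Keyed HMAC token for reporting so staff need not see identities.
        Caveat: while the key exists, this is still personal data under UK GDPR."""
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def analytics_view(self):
        return [{"subject": self.pseudonym(r.subject_id), "purpose": r.purpose}
                for r in self._records]

    def subject_access_request(self, subject_id):
        """Right of access: everything held about one person."""
        return [{"purpose": r.purpose, "collected_on": r.collected_on.isoformat(),
                 "data": r.data} for r in self._records if r.subject_id == subject_id]

    def erase(self, subject_id):
        """Right to erasure: returns how many records were deleted."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)


def demo():
    """Run the register over constructed sample customers; returns the checks made."""
    reg = PersonalDataRegister(b"constructed-demo-key-replace-me")
    reg.collect("cust-001", "order_fulfilment",
                {"name": "A. Customer", "email": "a@example.com", "postal_address": "1 High St"},
                date(2018, 1, 10))
    reg.collect("cust-002", "newsletter", {"email": "b@example.com"},
                date(2024, 6, 1), consent_given=True)
    try:  # over-collection: a date of birth is not needed to send a newsletter
        reg.collect("cust-003", "newsletter",
                    {"email": "c@example.com", "date_of_birth": "1990-01-01"},
                    date(2025, 1, 1), consent_given=True)
        blocked = False
    except ValueError:
        blocked = True
    removed = reg.purge_expired(date(2025, 8, 21))  # cust-001 is past six years
    view = reg.analytics_view()                      # pseudonyms only, no emails
    sar = reg.subject_access_request("cust-002")
    erased = reg.erase("cust-002")
    return {"over_collection_blocked": blocked, "expired_removed": removed,
            "analytics_has_email": any("@" in str(v) for v in view),
            "sar_records": len(sar), "erased": erased, "remaining": len(reg._records)}


if __name__ == "__main__":
    print(demo())
```

Two things to carry over into a real system: the in-memory list would be a database whose storage is encrypted at rest and whose access is restricted per role, and the HMAC key must live in a secrets store, not in source. Note also that pseudonymisation is a security measure, not an exit from GDPR: as long as you hold the key, the tokens are still personal data.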

5. Designating a data protection officer (DPO)

Most smaller businesses do not need a data protection officer (DPO), unless they process personal data on a large scale or carry out the specific kinds of processing for which the law requires one.

The ICO sets out when appointing a DPO is legally required. You must appoint one if:

  • you are a public authority or body (except for courts acting in their judicial capacity)
  • your core activities require large-scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking)
  • your core activities involve large-scale processing of special category data (race, genetics, biometrics, health and more)
  • your core activities involve large-scale processing of data relating to criminal convictions and offences

Card payments

Many small businesses take card payments. If you do, your agreement with your acquiring bank or payment provider will require you to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual industry standard rather than a law, but it sets out specific technical and organisational measures that apply whenever cardholder data is stored, processed or transmitted.

If your business isn't compliant and there's a data breach, your acquiring bank could pass the card schemes' fines on to you or terminate your merchant account entirely, because you are seen as posing a significant risk of leaking customer card data.

Resources

GDPR can be a complex regulation for small businesses to comply with but there are many resources to help them understand and implement it:

  • GDPR website
  • ICO website
  • Skillcast’s GDPR blogs
  • Skillcast's free training aids

Need help with data protection compliance?

At Skillcast, we have a comprehensive data protection compliance package to help businesses of all sizes better understand how to handle and process personal data, including under GDPR.

Our blog offers small business best-practice tips on data protection, employment law, money laundering, taxation and health and safety, and we have additional free resources such as e-learning modules, microlearning modules and more.
