The Data (Use and Access) Act (DUAA) became law on 19 June 2025, and it may result in changes to UK GDPR that are set to be introduced over the coming year (June 2025 to June 2026).
UK GDPR is a law that governs how businesses handle personal data such as health information, address, mobile numbers, biometrics and more. It was introduced to improve people’s control over their personal data – and it applies to organisations of all sizes, including small businesses, that collect or process personal data.
Non-compliance can lead to hefty fines and reputational damage, which could be devastating for smaller businesses in particular. Despite this, there are thousands of GDPR breaches every year, with nearly 3,500 personal data breaches self-reported to the Information Commissioner's Office (ICO) from January to March 2025. These can be caused by cyber and non-cyber incidents – anything from a phishing email or hack, to a lost file or human error.
GDPR influences how small businesses process personal data. According to the government website, GDPR legally requires businesses to ensure any data they collect is:
It also states that there are greater protections for sensitive information such as race, ethnicity, political opinions, health, genetics and more. People also have more rights over their personal data, including knowing how a small business may use it, requesting that it be updated or deleted, and accessing it.
GDPR is enforced by the ICO in the UK, which handles any reports of breaches. Small businesses can self-report a breach in their organisation by explaining what has happened and what information has been compromised; the ICO will then confirm the report and advise on next steps.
UK GDPR is broken into seven principles for small businesses to follow when processing personal data:
By following these principles, small businesses can demonstrate compliance and will be better protected against fines or other penalties if a breach occurs. For example, if you're collecting customer data, you should only collect the data that you need and ensure it's kept up to date. You should also take measures to secure it, such as encryption and passwords, or locks on cabinets if it's physical data.
Like any organisation, small businesses can be fined 4% of their annual turnover or up to £17.5m (whichever is higher) if the ICO’s investigation finds they are responsible for a breach. Larger businesses may be able to absorb these costs but for smaller businesses, a fine of this magnitude could bankrupt them.
However, fines are assessed on a case-by-case basis by the ICO, and depend on the severity of the breach (including its impact), any mitigating circumstances and the turnover of the undertaking.
Data breaches also have other negative consequences for small businesses:
A breach can also have serious consequences for the people affected, because cyber criminals can use their personal data to commit identity theft, fraud and other crimes.
Read more about the factors that determine GDPR penalties.
Small businesses are not exempt from GDPR. Even if you don’t have the same resources as a larger company, you are still legally bound to protect customer data from falling into the wrong hands.
Assess your data processing activities. This will help you identify the personal data you collect and process and the purposes for which you collect and process it.
The GDPR defines personal data as information about an identified or identifiable natural person (a "data subject"). This includes information such as name, address, email address, phone number and IP address. The GDPR also applies to sensitive personal data, such as information about health, sexual orientation or religious beliefs.
As a rule of thumb, never collect data unless it is vital to do so.
The GDPR requires businesses to obtain consent from data subjects before collecting or processing their personal data. Consent must be freely given, specific, informed and unambiguous. This can be done by using a tick-box on a form and providing a clear ‘unsubscribe’ button in emails.
Businesses must take appropriate technical and organisational measures to keep personal data secure. This includes steps to prevent unauthorised access, use, disclosure, alteration or destruction of personal data. Staff must use strong passwords, encrypt data and restrict access to personal data.
The GDPR gives data subjects a number of rights, including the right to access their personal data, the right to have their personal data erased and the right to object to the processing of their personal data. Ensure that you communicate these rights to your data subjects.
Businesses must be able to comply with these rights when requested by a data subject. This includes responding to requests for access, erasure and objection.
Most smaller businesses don’t need a data protection officer (DPO), unless they process large amounts of personal data or carry out processing activities for which the law requires a DPO to be designated.
The ICO highlights that the organisations legally required to appoint a DPO include:
Many small businesses take card payments. If you do, you must comply with the Payment Card Industry Data Security Standard. The PCI-DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.
If your business isn't compliant and there's a data breach, your bank or payment provider could pass these fines on to you or terminate your business bank account entirely, as you are seen as posing a significant risk of leaking customer data.
GDPR can be a complex regulation for small businesses to comply with but there are many resources to help them understand and implement it:
At Skillcast, we have a comprehensive data protection compliance package to help businesses of all sizes better understand how to handle and process personal data, including under GDPR.
Our blog offers small business best practice tips on data protection, employment law, money laundering, taxation and health and safety – and we have additional free resources such as e-learning modules, microlearning modules and more.