
Most small business owners hear “GDPR” and feel one of two things: mild dread or a vague sense that they probably should have sorted their affairs out by now. Neither response is particularly helpful. The regulation has been in force since May 2018, and yet the amount of genuine confusion still swirling around it, especially among sole traders and small teams, is striking. So here is an attempt to explain what it actually means for you, without the legal theatre.
The short version: GDPR is about personal data. Any information that relates to an identifiable living person (a customer’s email address, a prospect’s phone number, a supplier contact’s name) falls under its scope. If you collect it, store it, process it, or pass it on, the regulation applies to you. That’s true whether you’re a one-person consultancy or a company with fifty staff.
Before the panic sets in, consider this: if you already treat customer data with basic common sense, you’re likely closer to compliance than you think. Not sending someone else’s details to a third party without good reason. Not keeping a spreadsheet of old contacts from 2013 that you’ve never emailed and never will. Not sharing a client list over an unencrypted email. These are the intuitive behaviours that GDPR essentially formalised into law.
The regulation didn’t invent good data hygiene. It just made it compulsory and gave regulators the power to enforce it. For a small business operating honestly and thoughtfully, the gap between current practice and full compliance is often smaller than the lawyers and software vendors would like you to believe.
One of the more useful things GDPR introduced is the concept of a lawful basis for processing data. You need a legitimate reason to collect and use personal information. There are six options, but most small businesses will find themselves working with just two or three of them in practice.
Consent is the one everyone reaches for first, but it’s not always the right choice. Consent under GDPR must be freely given, specific, informed, and unambiguous. That means no pre-ticked boxes, no bundled permissions, and a genuine ability for someone to say no without penalty. If your legal basis is consent, you also need to be able to prove you obtained it.
More often, small businesses process data under contract (because you need someone’s address to deliver their order) or under legitimate interests, which is a broader category covering things like sending marketing to existing customers who would reasonably expect to hear from you. Legitimate interests require a brief balancing test to document, but they’re far less fragile than relying on consent for everything.
A privacy notice on your website is the most visible requirement. This should explain what data you collect, why you collect it, how long you keep it, who you share it with, and what rights the individual has. It doesn’t need to be written in dense legalese. In fact, GDPR specifically requires that it be written in plain, accessible language, which is rather refreshing as regulatory requirements go.
You should also keep a basic record of your processing activities. This sounds more intimidating than it is. For most small businesses, it’s a simple document listing what categories of personal data you hold, why you hold them, where they’re stored, and how long you keep them. A well-maintained spreadsheet will do. The Information Commissioner’s Office, the UK’s data protection regulator, offers templates for exactly this purpose.
Data subject rights are the third pillar. Individuals have the right to access the data you hold about them, to have inaccuracies corrected, and in certain circumstances to have their data deleted. If someone sends you a subject access request, you have one month to respond. That’s not as alarming as it sounds, provided you know where your data lives and can retrieve it without significant effort.
Third-party processors are a common blind spot. If you use a CRM, an email marketing platform, a cloud-based accounting tool, or any software that handles personal data on your behalf, that provider is a data processor and you are the controller. You’re responsible for ensuring they handle the data appropriately, which in practical terms means checking that they have their own privacy commitments in place and signing a data processing agreement with them. Most reputable software providers will have this available, often buried somewhere in their terms of service.
Data breaches are another area where small businesses underestimate their obligations. If you suffer a breach that is likely to result in a risk to individuals’ rights and freedoms (a laptop stolen, an email sent to the wrong person containing sensitive client information), you have 72 hours to report it to the ICO. That window starts from when you become aware of the breach, not when you’ve finished panicking about it. Having a simple internal plan for what to do if something goes wrong is not overcautious. It’s sensible.
And then there’s the question of retention. How long are you keeping data? Many small businesses hold onto customer information indefinitely, out of habit or a vague sense that it might come in handy. GDPR requires you to keep data only for as long as necessary for the purpose it was collected for. That doesn’t mean you have to delete everything aggressively; it means having a policy and applying it consistently.
People often ask about the fines, usually after reading a headline about a large corporation being penalised millions of euros. The ICO’s enforcement approach is risk-based and proportionate. The regulator is not hunting down sole traders who forgot to add a cookie banner. The large penalties tend to follow systemic failures, deliberate non-compliance, or significant harm to individuals. That doesn’t mean you should be complacent, but it does mean the scale of enforcement risk is meaningfully different for a small business operating in good faith compared to a major data processor.
The more realistic risk for most small businesses is reputational. A customer who feels their data was mishandled, shared without permission, or held for longer than they expected is a customer who will not come back and who might say something publicly about it. Trust is harder to rebuild than a privacy policy is to write.
If you’re starting from scratch, here is a reasonable sequence. Audit what personal data you currently hold and where it sits. Write or update your privacy notice. Document your lawful bases for processing. Review your third-party tools and confirm data processing agreements are in place. Set a basic retention schedule. Make sure you know what to do if someone makes a subject access request or reports a breach.
None of these tasks require a solicitor or a dedicated compliance officer. They require a few hours of honest attention and the willingness to look at your business with fresh eyes. The ICO website is genuinely useful and has guidance written specifically for small organisations.
GDPR is not a bureaucratic obstacle invented to inconvenience small businesses. At its core, it reflects a straightforward principle: people have a right to know what you’re doing with information about them. If your answer to that question is one you’d be comfortable saying out loud to a customer, you’re most of the way there already. The question worth sitting with is not whether you’re technically compliant, but whether you’d be proud of how you handle the data people entrust to you.
If you would like any guidance on how to move your business forward, G&G has the necessary skillset to help you manage your business more efficiently and more profitably. If you would like some assistance, please don’t hesitate to contact us.
From business planning or business administration to assisting with your organisation’s growth, we are happy to advise and help where we can. Get in touch to start your no-obligation consultation!