Why GDPR Still Matters for Your Small Business
Four years after GDPR came into force, the ICO is still issuing fines to businesses of all sizes. In 2023 alone, the regulator issued enforcement notices and fines totalling millions of pounds — and a significant proportion went to small and medium-sized enterprises that thought the rules didn't really apply to them.
They do. And the consequences of getting it wrong go beyond the financial penalty. A data breach or enforcement action can destroy the trust you've spent years building with your clients.
The good news? Compliance doesn't have to be complicated. This checklist covers everything the ICO expects from a UK SME.
1. Register with the ICO
If your organisation processes personal data, you almost certainly need to pay the data protection fee and register with the ICO. The fee is tiered:
| Tier | Criteria | Annual Fee |
|---|---|---|
| Tier 1 | Micro-organisations (≤10 staff, ≤£632k turnover) | £40 |
| Tier 2 | Small/medium organisations | £60 |
| Tier 3 | Large organisations | £2,900 |
Action: Register at ico.org.uk (https://ico.org.uk). Failure to register is itself a criminal offence.
2. Map Your Data
You cannot protect data you don't know you have. Create a Record of Processing Activities (ROPA) that documents:
- What personal data you collect
- Why you collect it (the lawful basis)
- Where it is stored
- Who has access to it
- How long you keep it
- Whether it is shared with third parties
This doesn't need to be complex. A spreadsheet works perfectly for most SMEs.
3. Establish Your Lawful Basis
For every type of personal data you process, you must identify a lawful basis under Article 6 of UK GDPR. The most common bases for SMEs are:
Consent — The individual has given clear, specific, informed consent. This is often the hardest to rely on correctly because consent must be freely given and easily withdrawable.
Contract — Processing is necessary to perform a contract with the individual (e.g., processing a client's address to deliver a service).
Legitimate Interests — Your organisation has a legitimate interest that outweighs the individual's privacy rights. This requires a Legitimate Interests Assessment (LIA).
Legal Obligation — You are required to process the data by law (e.g., HMRC requirements).
4. Update Your Privacy Notice
Your privacy notice must be clear, concise, and accessible. It should tell people:
- Who you are and how to contact you
- What data you collect and why
- The lawful basis for each processing activity
- How long you keep data
- Their rights (access, erasure, rectification, portability, objection)
- Whether you use automated decision-making
- Whether data is transferred outside the UK
Common mistake: Burying the privacy notice in a footer link that nobody reads. The ICO expects you to bring it to people's attention at the point of collection.
5. Implement a Subject Access Request Process
Individuals have the right to request a copy of all personal data you hold about them. You have one calendar month to respond. You must:
- Have a clear process for receiving and logging SARs
- Know where all data relating to an individual is stored
- Be able to provide it in a commonly used electronic format
- Not charge a fee (in most cases)
Action: Designate a named person responsible for handling SARs and document your process.
6. Secure Your Data
Technical and organisational security measures are a GDPR requirement, not an optional extra. For most SMEs, this means:
- Strong, unique passwords and multi-factor authentication on all accounts
- Encrypted storage for sensitive data
- Regular software updates and patching
- A clear policy on who can access what data
- Secure disposal of physical documents (shredding)
- Staff training on data security
7. Have a Breach Response Plan
You must report certain types of data breaches to the ICO within 72 hours of becoming aware of them. You must also notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
Your breach response plan should cover:
- How breaches are identified and reported internally
- Who is responsible for assessing severity
- How and when to notify the ICO
- How and when to notify affected individuals
- How to document the breach
8. Review Third-Party Contracts
If you share personal data with third parties (processors) — such as cloud storage providers, payroll companies, or email marketing platforms — you must have a Data Processing Agreement (DPA) in place. This is a legal requirement.
Check that your DPAs:
- Clearly describe the processing being carried out
- Require the processor to only act on your instructions
- Include appropriate security obligations
- Address data transfers outside the UK
9. Train Your Staff
The ICO consistently finds that human error is the leading cause of data breaches. Your staff must understand:
- What personal data is and why it matters
- How to handle data securely
- How to recognise a phishing attempt
- What to do if they suspect a breach
- How to handle SARs and other individual rights requests
Annual training is the minimum. Document that training has taken place.
10. Review and Update Regularly
GDPR compliance is not a one-time exercise. Your data processing activities change as your business grows. Schedule a quarterly review to check:
- Has anything changed in what data you collect or why?
- Are all your third-party DPAs still current?
- Have there been any near-misses or incidents to learn from?
- Is your privacy notice still accurate?
Need Help Getting Compliant?
Lexl works with UK SMEs to make GDPR compliance practical, affordable, and sustainable. Book a Lexl Clarity Session — a focused 45-minute consultation — to identify exactly where your business stands and what you need to do next.