GDPR Compliance Checklist for Small Businesses: UK Guide
If you run a small business in the UK and collect any personal data from customers, website visitors, or staff, GDPR applies to you. There is no minimum employee threshold, no turnover floor, and no exemption for sole traders. Working through a GDPR compliance checklist is the most practical way to understand your obligations, identify gaps, and put the right processes in place before the Information Commissioner’s Office (ICO) comes calling.
This guide covers the full GDPR compliance checklist for small businesses operating under UK GDPR, with specific sections on how your website, digital marketing activity, and data tools create compliance obligations you may not have considered.
Does GDPR Apply to My Small Business?
Yes, if you process the personal data of any UK or EU resident, GDPR applies regardless of your business size. Personal data includes names, email addresses, IP addresses, phone numbers, and any information that can identify a living individual.
Under UK GDPR (the version of the regulation retained in domestic law after Brexit), the rules are largely identical to the EU version. If your business sells to customers in the Republic of Ireland or elsewhere in Europe, you may need to satisfy both frameworks simultaneously. This is a practical concern for businesses in Northern Ireland, where data frequently crosses the border between Northern Ireland, the Republic of Ireland, and Great Britain.
The Windsor Framework and the UK-EU adequacy ruling currently allow personal data to flow freely between the UK and EU without additional transfer mechanisms. This ruling is not permanent and could be reviewed, so businesses with cross-border operations should monitor ICO guidance regularly.
A note on the Data Protection Officer (DPO): most small businesses do not need one. A DPO is required only if your core activities involve large-scale processing of sensitive data (health records, criminal convictions, biometric data) or systematic monitoring of individuals. If you run a local services business, an e-commerce shop, or a professional practice collecting standard customer contact data, you almost certainly do not need a formal DPO.
The GDPR Compliance Checklist: 10 Steps for UK Small Businesses

This GDPR compliance checklist covers the actions every small business needs to take. Work through each step in order; the earlier steps inform the later ones.
Step 1: Conduct a Data Audit
Before you can comply, you need to know what personal data you hold, where it came from, where it lives, and who can access it. This is called a data audit or data mapping exercise.
For each type of data you hold, document: what it is, why you collected it, where it is stored, who has access, how long you keep it, and whether it is shared with any third parties. A simple spreadsheet serves this purpose for most small businesses.
Common data sources for SMEs include website contact forms, email marketing lists, CRM systems, accounting software, booking platforms, and social media lead generation tools.
Step 2: Establish a Lawful Basis for Processing
The second item on any GDPR compliance checklist is establishing a lawful basis for every data processing activity. GDPR provides six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most small business data processing falls under consent, contract, or legitimate interests.
| Common Activity | Lawful Basis |
|---|---|
| Sending a newsletter to subscribers | Consent |
| Storing a customer’s address to fulfil an order | Contract |
| Keeping payroll records | Legal obligation |
| Following up with a business prospect | Legitimate interests |
| Retargeting website visitors with ads | Consent |
You must identify and document the lawful basis for each processing activity before processing begins. If you rely on consent, you must be able to prove it was freely given, specific, and informed.
Step 3: Update Your Privacy Notice
Your privacy notice must clearly explain what personal data you collect, why you collect it, the lawful basis for processing, how long you keep it, who you share it with, and how individuals can exercise their rights. It must be written in plain language and easy to find, typically linked in the footer of your website.
Most small business privacy notices are either absent, outdated, or copied from another site and never adapted. None of these approaches satisfies UK GDPR. If your website was built without GDPR compliance in mind, your privacy notice and data collection practices may need to be revisited at the same time. ProfileTree’s web design team builds privacy-by-design principles into site architecture from the start, including correctly configured consent flows and compliant form structures.
Step 4: Audit Your Website’s Data Collection Points
Your website is likely your primary data collection mechanism, and it creates several specific compliance obligations.
Contact forms: Every contact form that collects a name and email address is processing personal data. The form must reference your privacy notice, and if you intend to add the person to a marketing list, you need a separate, unticked consent checkbox for that purpose.
Cookie consent: If your site uses Google Analytics 4, Facebook Pixel, or any other tracking technology, you need a cookie consent banner that allows visitors to accept or decline non-essential cookies before those cookies are set. Pre-ticked boxes do not satisfy UK GDPR. A consent management platform (CMP) integrated into your website handles this correctly.
Secure hosting: Personal data must be stored securely. Your hosting provider is a data processor under GDPR, which means you need a Data Processing Agreement (DPA) in place with them. UK and EU-based hosting removes complexity around international data transfers.
SSL certificate: All data transmitted to and from your website must be encrypted in transit. A TLS certificate (still commonly called an SSL certificate), which enables HTTPS, is the baseline requirement.
Step 5: Address Digital Marketing Compliance
Digital marketing is one of the areas most commonly missing from a small business GDPR compliance checklist, yet it generates some of the most significant obligations.
Email marketing: You must have a valid lawful basis for every contact on your email list. For B2C marketing, this is almost always consent. For B2B marketing, legitimate interests may apply if you are contacting business contacts about relevant products or services and have conducted a legitimate interests assessment (LIA). Every marketing email must include an unsubscribe mechanism that works.
Lead magnets and gated content: If you offer a free download, guide, or resource in exchange for an email address, the consent to receive that resource does not automatically grant consent to receive marketing emails. These must be separate opt-ins.
GA4 and tracking pixels: Google Analytics 4 uses identifiers that constitute personal data under UK GDPR. Facebook and LinkedIn pixels track user behaviour across your site. All of these require informed consent before they are activated for a given visitor. ProfileTree’s digital marketing team builds compliant tracking setups that collect the consent signals needed to run effective campaigns without creating compliance exposure.
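The cookie-consent requirement in Step 4 and the GA4/pixel point above come down to one mechanism: no tracking script is injected until the visitor has made a recorded, specific choice, with every category defaulting to declined. The following is an added example written for this article, not ProfileTree's code or any consent management platform's API; the tracker script URLs are placeholders and it assumes a hypothetical banner UI passes the visitor's ticked categories to recordConsent().

```javascript
// Consent-gated tracker loading. Constructed example for this article; it is not
// ProfileTree code and not any CMP vendor's API. The tracker script URLs are
// placeholders (assumption), and a hypothetical banner UI is expected to call
// recordConsent() with the visitor's choices.
const TRACKERS = [
  { id: "ga4", category: "analytics", src: "https://tracker.example/ga4.js" },
  { id: "meta-pixel", category: "marketing", src: "https://tracker.example/pixel.js" },
];
const CATEGORIES = ["analytics", "marketing"];

// Build an auditable consent record: nothing is pre-ticked, so any category the
// visitor did not explicitly tick is recorded as declined. The notice version and
// timestamp are what let you later prove the consent was specific and informed.
function recordConsent(choices, noticeVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { granted, noticeVersion, timestamp: now.toISOString(), method: "banner" };
}

// Withdrawal is a fresh record with every category declined. Scripts already running
// cannot be unloaded, so after withdrawal the page should stop sending events and reload.
function withdrawConsent(record, now = new Date()) {
  const r = recordConsent({}, record.noticeVersion, now);
  return { ...r, method: "withdrawal" };
}

// Which tracker ids may run for this visitor? None until a decision has been recorded,
// which is the "before those cookies are set" requirement from the checklist.
function trackersAllowed(record) {
  if (!record) return [];
  return TRACKERS.filter((t) => record.granted[t.category] === true).map((t) => t.id);
}

// Browser side: inject only the permitted scripts, once each. Guarded so the same
// file also runs under Node for testing, where it just returns the allowed ids.
function applyConsent(record) {
  if (typeof document === "undefined") return trackersAllowed(record);
  const allowed = new Set(trackersAllowed(record));
  for (const t of TRACKERS) {
    if (!allowed.has(t.id) || document.getElementById("trk-" + t.id)) continue;
    const s = document.createElement("script");
    s.id = "trk-" + t.id;
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return [...allowed];
}
```

The consent record should be persisted (server side or in a first-party cookie) with the notice version, since that record is your evidence if the ICO or a data subject asks how consent was obtained.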
Step 6: Prepare for Subject Access Requests
Any individual whose data you hold can submit a Subject Access Request (SAR) at any time. You must respond within one month, free of charge, with a copy of all personal data you hold about them and an explanation of how it is used.
Small businesses are often unprepared for SARs because their data is scattered across multiple systems. The data audit in Step 1 makes this manageable. Assign one person the responsibility for handling SARs and document your response process.
Step 7: Establish Data Processing Agreements with Third Parties
Any organisation that processes personal data on your behalf is a data processor. This includes your web hosting provider, email marketing platform, CRM, payment processor, and any agency or freelancer who handles customer data. UK GDPR requires a written Data Processing Agreement (DPA) with each of these parties.
Most reputable software providers offer standard DPAs in their terms of service or available on request. Check that you have accepted or signed one for each tool in your stack.
Step 8: Implement Data Security Measures
Personal data must be protected against unauthorised access, accidental loss, and deliberate attack. For small businesses, practical security measures include strong password policies, multi-factor authentication for all accounts that hold personal data, access controls that ensure only staff who need the data can access it, regular software and plugin updates to close security vulnerabilities, and encrypted storage for sensitive data.
A security breach that compromises personal data may be a reportable incident under UK GDPR. You have 72 hours from becoming aware of a breach to notify the ICO if it poses a risk to individuals’ rights and freedoms.
Step 9: Train Your Team
Staff training sits on every serious GDPR compliance checklist, yet it is often the last item small businesses get to. Every member of staff who handles personal data needs to understand their obligations, including how to recognise a SAR, what constitutes a data breach, how to handle data securely, and when not to share personal information.
Training does not need to be lengthy, but it must be documented. ProfileTree’s digital training programmes include modules on data protection awareness for SME teams, covering practical scenarios relevant to day-to-day business operations.
Step 10: Document Everything
UK GDPR requires you to demonstrate compliance, not just achieve it. Maintain records of your processing activities (a Record of Processing Activities, or RoPA), your lawful bases, your consent records, your DPAs, your DPIAs for higher-risk activities, and any staff training completed.
The ICO does not expect perfection from small businesses. It does expect good faith effort and documentation that shows you have taken the regulation seriously.
GDPR for Northern Ireland: The UK-EU Dimension
Businesses operating in Northern Ireland sit in a unique position. Under the Windsor Framework, Northern Ireland maintains alignment with certain EU single market rules, and data flows between Northern Ireland, the Republic of Ireland, and the rest of the UK are subject to ongoing regulatory attention.
For most NI small businesses, the practical implication is this: if you collect data from customers in the Republic of Ireland or elsewhere in the EU, you are subject to EU GDPR as well as UK GDPR. The UK-EU adequacy decision means data can flow freely between the two regimes for now, but NI businesses should build a GDPR compliance checklist that satisfies both UK and EU requirements and monitor any changes to the adequacy ruling.
The ICO provides a dedicated resource for UK businesses with EU data flows. The Irish Data Protection Commission (DPC) is the relevant supervisory authority for EU-side obligations.
What Happens If a Small Business Is Not GDPR Compliant?

The ICO has the power to issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for serious breaches. In practice, the ICO focuses its enforcement activity on organisations that cause real harm to individuals or show wilful disregard for the rules. Small businesses that make a genuine effort to comply, document that effort, and respond appropriately to incidents are rarely the subject of significant enforcement action.
The more immediate risk for small businesses is reputational. A data breach or a customer complaint to the ICO damages trust in ways that are difficult to recover from. Working through a GDPR compliance checklist is, in practical terms, as much about building customer trust as meeting a legal obligation.
GDPR and Your Website: A Note on Design
A significant proportion of GDPR compliance for small businesses flows directly from website design decisions. Cookie consent, form structure, privacy notice placement, data storage, and secure hosting are all design and development choices. A website built without GDPR compliance in mind requires remediation work; a site built correctly from the start avoids that cost entirely.
If your current website was built before 2018 or by a developer who did not prioritise compliance, it is worth reviewing your site’s data collection architecture against this checklist. ProfileTree’s web design and development services include compliant form builds, cookie consent management, and secure hosting configurations as standard.
Quick Reference: GDPR Compliance Checklist Summary
- Map all personal data you hold and document your processing activities
- Establish and record a lawful basis for every processing activity
- Publish a clear, plain-language privacy notice on your website
- Audit website contact forms, cookie consent, and tracking pixels
- Check email marketing lists for valid consent or legitimate interests basis
- Put Data Processing Agreements in place with all third-party processors
- Implement access controls, encryption, and software security measures
- Set up a process for handling Subject Access Requests within one month
- Train staff on data protection responsibilities and document that training
- Keep records of everything to demonstrate compliance to the ICO
For businesses working through these steps and needing support with the technical or digital marketing dimensions, ProfileTree’s team works with SMEs across Northern Ireland, Ireland, and the UK to build GDPR-compliant websites and digital strategies from the ground up. Get in touch to discuss your requirements.
Frequently Asked Questions
Does GDPR apply to sole traders?
Yes. GDPR applies to any individual or organisation that processes the personal data of UK or EU residents. Sole traders collecting customer contact details, running email lists, or using website analytics are processing personal data and must comply.
What is the difference between UK GDPR and EU GDPR?
UK GDPR is the version of the regulation retained in UK domestic law after Brexit, sitting alongside the Data Protection Act 2018. The substantive requirements are nearly identical to EU GDPR. The main practical difference is that UK businesses selling to EU customers must satisfy both regimes. The UK-EU adequacy decision currently allows free data flows between the two, but this is subject to review.
Do I need a cookie banner for Google Analytics?
Yes. Google Analytics 4 uses identifiers that constitute personal data under UK GDPR. Non-essential cookies, including analytics cookies, require informed consent before being set. A compliant cookie consent banner must allow visitors to decline before any tracking activates.
Can I cold-email other businesses under GDPR?
B2B cold email is not automatically prohibited, but it requires a legitimate interests assessment (LIA) confirming the contact is relevant to the recipient’s role and business. You must also provide an easy opt-out mechanism in every message. B2C cold email generally requires prior consent.
How long can I keep customer data?
UK GDPR sets no fixed retention periods. Data should be kept only as long as necessary for the purpose for which it was collected. Document your retention periods in your privacy notice and delete or anonymise data when the retention period expires.
What happens if I have a data breach?
If a breach is likely to risk the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware of it. If the breach is likely to cause high risk to individuals, you must also notify those affected directly. Not all breaches require notification; the key test is whether the breach poses a real risk of harm.