GDPR for Small Businesses — UK Guide 2026

UK GDPR applies to almost every business that handles personal data — including sole traders and micro-businesses. This guide explains what the law requires, what you must do to stay compliant, and how to handle things when something goes wrong.

Does GDPR Apply to Your Business?

UK GDPR applies if you process personal data about individuals (customers, employees, website visitors, mailing-list subscribers, etc.) in the context of your UK activities. Processing includes collecting, storing, using, sharing, or deleting data.

There is a narrow exemption for purely personal or household activity, but any commercial or professional use of personal data falls within scope — even a one-person business keeping a spreadsheet of customer emails.

ICO Registration

Most organisations that process personal data must pay the data protection fee to the ICO. This is commonly called "ICO registration." Fees are tiered by size and turnover:

| Tier | Who qualifies | Annual fee (2026) |
|---|---|---|
| Tier 1 (micro) | Turnover ≤ £632,000 or ≤ 10 staff | £52 |
| Tier 2 (small) | Turnover ≤ £36m or ≤ 250 staff | £93 |
| Tier 3 (medium/large) | All others | £2,900 |

Some organisations are exempt from the fee — charities, elected representatives, school governors, and those processing data only for staff administration, advertising their own business, or accounts and records. Use the ICO's self-assessment tool to check your position. Failure to register when required can result in a fixed penalty of up to £4,000.

The Six Lawful Bases for Processing

Every time you process personal data you must have a lawful basis. You should identify and record your lawful basis before you start processing. There are six options:

| Lawful basis | When to use it |
|---|---|
| Consent | The individual has given clear, freely given, specific, informed consent. Must be easy to withdraw. Often used for marketing emails. |
| Contract | Processing is necessary to perform a contract with the individual, or to take steps at their request before entering one. |
| Legal obligation | Processing is required by UK law (e.g., PAYE records for HMRC, right-to-work checks). |
| Vital interests | Necessary to protect someone's life. Rarely applicable to most small businesses. |
| Public task | Applies mainly to public authorities. Unlikely to apply to private small businesses. |
| Legitimate interests | Your interests (or a third party's) outweigh the individual's rights. Requires a Legitimate Interests Assessment (LIA). Commonly used for B2B marketing or fraud prevention. |

Privacy Policies and Transparency

UK GDPR requires you to provide individuals with clear information about how you use their data — usually via a privacy notice (or privacy policy). Your privacy notice must cover:

  • Who you are and how to contact you (and your Data Protection Officer if you have one)
  • What personal data you collect and where it comes from
  • Your lawful basis for each type of processing
  • Who you share data with (processors, third parties)
  • How long you keep data (retention periods)
  • Whether data is transferred outside the UK and what safeguards apply
  • Individuals' rights and how to exercise them
  • The right to complain to the ICO

The notice must be concise, transparent, and written in plain English. Publish it on your website and link to it wherever you collect data (contact forms, checkout pages, sign-up forms).

Data Subject Rights

Individuals have eight rights under UK GDPR. You must have a process for handling Data Subject Access Requests (DSARs) and other rights requests:

| Right | What it means for your business | Deadline |
|---|---|---|
| Access (DSAR) | Provide a copy of all personal data you hold about them | 1 month |
| Rectification | Correct inaccurate or incomplete data | 1 month |
| Erasure ("right to be forgotten") | Delete data in certain circumstances | 1 month |
| Restriction | Pause processing while a dispute is resolved | 1 month |
| Data portability | Provide data in a structured, machine-readable format (where basis is consent or contract) | 1 month |
| Object | Stop processing for direct marketing (absolute right); object to legitimate interests processing | Immediately for marketing |
| Automated decision-making | Not be subject to solely automated decisions with significant effects | 1 month |
| Withdraw consent | Where consent is the lawful basis, individuals can withdraw at any time | Without delay |

Requests are generally free of charge. You can extend the deadline by a further two months for complex or numerous requests, provided you notify the individual within the first month.

Data Breach Notification

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes:

  • Sending an email containing customer data to the wrong recipient
  • A cyber attack or ransomware incident — one reason cyber insurance is increasingly important for small businesses
  • Loss or theft of a laptop, phone, or USB drive containing personal data
  • An employee accidentally deleting records with no backup

Where a breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. Whether or not a breach is reportable, you must keep a written record of all breaches — including those you decide not to report — covering what happened, its effects, and the remedial action taken. This is your internal breach register.

Records of Processing Activities (ROPA)

Formally, businesses with fewer than 250 employees are partially exempt from maintaining a full Record of Processing Activities. However, the exemption does not apply to processing that is not occasional, involves special category data, or could risk individuals' rights. In practice, the ICO strongly recommends all businesses maintain a ROPA as it forms the backbone of demonstrable compliance.

A simple ROPA spreadsheet should record: the type of processing, the categories of data, the lawful basis, who you share data with, retention periods, and any international transfers.

Special Category Data

Some types of data require extra care — special category data includes health information, racial or ethnic origin, religious beliefs, sexual orientation, trade union membership, biometric and genetic data, and criminal convictions. Processing this data requires a lawful basis plus an additional condition under Schedule 1 of the DPA 2018 (such as explicit consent, employment law obligations, or vital interests). If your business collects any special category data, seek specialist advice. Note also that hiring employees creates a significant new category of personal data you are responsible for — contracts, payroll, sick leave, and performance records all fall within UK GDPR.

Appointing a Data Protection Officer (DPO)

Most small businesses are not required to appoint a DPO. A DPO is mandatory only if your core activities involve large-scale systematic monitoring of individuals, or large-scale processing of special category data. That said, you may appoint one voluntarily — and for growing businesses handling significant volumes of data, it is good practice to designate a responsible person internally.

GDPR Compliance Checklist for Small Businesses

| # | Action | Priority |
|---|---|---|
| 1 | Check whether you need to register with the ICO and pay the data protection fee | High |
| 2 | Audit all personal data you hold — what it is, where it came from, what you do with it | High |
| 3 | Identify and document your lawful basis for each category of processing | High |
| 4 | Write or update your privacy notice and publish it on your website | High |
| 5 | Ensure any marketing consent is freely given, specific, and recorded | High |
| 6 | Put in place a process to handle DSARs and other rights requests within one month | Medium |
| 7 | Create a breach log and a procedure for identifying and reporting breaches within 72 hours | Medium |
| 8 | Review contracts with third-party suppliers who process data on your behalf (data processors) — ensure Data Processing Agreements (DPAs) are in place | Medium |
| 9 | Set and enforce data retention periods — do not keep data longer than necessary | Medium |
| 10 | Train any staff who handle personal data on their responsibilities | Ongoing |
| 11 | Review and update your compliance documentation at least annually | Ongoing |

ICO Enforcement and Fines

The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements, and up to £8.7 million or 2% of global turnover for other breaches. In practice, the ICO focuses enforcement on organisations causing real harm and typically works with small businesses to achieve compliance before issuing penalties. However, fines have been issued to small businesses — ignorance of the law is not a defence.

Getting GDPR right from the outset protects your customers, builds trust in your brand, and avoids the disruption and reputational damage of a regulatory investigation. Start with the basics — register with the ICO, know your lawful basis, and publish a clear privacy notice — then build your compliance programme from there. If your business creates original content, software, or designs, you should also read our guide to intellectual property — copyright and GDPR intersect when you are handling creative works that contain personal data. And if you use cloud accounting software (Xero, QuickBooks, FreeAgent) to meet your Making Tax Digital obligations, check each provider's data processing agreement to confirm your GDPR compliance as a data controller.

Frequently Asked Questions

Most businesses that process personal data as a data controller must pay the annual data protection fee. For micro and small businesses (up to 10 staff and £632,000 turnover), the fee is £40/year. Some organisations are exempt — check the ICO website to confirm your status.

Up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements such as unlawful processing. Up to £8.7 million or 2% of global turnover for other infringements such as security failures.

You must notify the ICO within 72 hours of becoming aware of a personal data breach, if it is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to cause high risk, you must also notify the affected individuals directly without undue delay.

Yes, if you use any non-essential cookies (such as Google Analytics, advertising pixels, or social sharing buttons). You cannot set these cookies before obtaining consent. Pre-ticked consent boxes are not valid. Refusing cookies must be as easy as accepting them.

The six lawful bases under UK GDPR are: (1) Consent, (2) Contract — processing needed to fulfil an agreement, (3) Legal obligation — compliance with UK law, (4) Vital interests — protecting life, (5) Public task — official functions, (6) Legitimate interests — genuine business reason that does not override individual rights. You must identify your basis before processing begins.