GDPR compliance guide for small businesses (UK)
GDPR can sound intimidating, but for most small businesses it boils down to sensible habits: only collect what you need, explain what you’re doing with it, store it safely, and delete it when you no longer need it.
This guide is a practical checklist you can work through in an afternoon.
Who this is for
- Sole traders and small limited companies
- Anyone collecting personal data (clients, leads, staff, suppliers)
- Businesses using email marketing, enquiry forms, or cloud apps
What counts as personal data?
Personal data is any information relating to a living person who can be identified from it, either on its own or combined with other information you hold, such as:
- names, addresses, email addresses, phone numbers
- invoices to individuals
- NI numbers, payroll details, ID documents
- customer notes or communication history
If you can link the data to a real person, treat it as personal data. Some types (for example health information) are "special category" data and need extra care and a stronger justification for holding them.
Checklist: map what you collect and where it lives
Write down:
- what personal data you collect (and why)
- where it comes from (website form, email, phone, accounting software)
- where it is stored (laptop, phone, Google Drive, Outlook, accounting platform)
- who has access (you, staff, subcontractors)
- how long you keep it
This simple “data map” is the foundation of everything else.
Checklist: your lawful basis (plain English)
For each type of data, note the lawful basis you rely on. There are six under UK GDPR: consent, contract, legal obligation, vital interests, public task and legitimate interests. For most small businesses, contract (doing the work you were hired for), legal obligation (tax and accounting records) and legitimate interests cover nearly everything; keep consent for things people genuinely get to choose, such as marketing, because consent can be withdrawn at any time. If you rely on legitimate interests, write a short note of why your interest outweighs any impact on the person. You don't need to be a lawyer, just be consistent and honest.
If you're using email marketing, the PECR rules apply alongside GDPR: record how and when each person opted in, and give them a working way to opt out in every message.
Checklist: privacy notice essentials
A good privacy notice should explain:
- who you are and how to contact you
- what data you collect and why
- who you share it with (for example, software providers)
- how long you keep it
- people’s rights (access, correction, deletion, etc.)
- how to complain (including the ICO)
Aim for clarity, not legalese.
Checklist: processors and software suppliers
If you use third-party tools (email provider, CRM, accounting software, cloud storage), they are usually acting as a data processor on your behalf, and you remain responsible for the data you put in them.
- Keep a list of the tools you use and what personal data each one holds
- Check each provider offers a data processing agreement (most include one in their standard terms), says where your data is stored, and publishes information about its security
- Use a unique password for each account (a password manager helps) and turn on multi-factor authentication (MFA)
Checklist: security basics that reduce risk
- Use MFA on email and key business accounts
- Keep devices updated (security patches)
- Lock screens and turn on full-disk encryption (BitLocker on Windows, FileVault on Mac) so a lost or stolen device doesn't expose the data on it
- Don’t store sensitive data in unencrypted notes or messaging apps
- Use role-based access if you have a team (not everyone needs everything)
- Back up important data securely, and test that you can actually restore from the backup
Checklist: retention and deletion
- Decide how long you keep different types of data (clients, leads, payroll)
- Delete or archive safely when you no longer need it
- Avoid “forever storage” by default
Retention rules can depend on what the data is and why you hold it (including legal requirements). When in doubt, document your reasoning.
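The data map, lawful basis and retention checklists above are easier to keep honest if the map lives in a structured form that can be checked. The following is an added example, not part of the original guide or any official ICO tool: a small Python script with a constructed data map for an imaginary sole trader. It flags entries with no recognised lawful basis, consent-based entries with no record of how people opted in, and entries with no retention decision (the "forever storage" default), and it lists records whose retention period has passed. The category names, retention periods and reasons are assumptions for illustration (the 6-year figure for accounting records is marked as an assumption to verify), and records with no retention decision are deliberately never deleted by the script.

```python
"""Data-map checks for a small business: validate the inventory and find
records due for deletion. Added example with constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# The six lawful bases under UK GDPR Article 6.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}


@dataclass
class DataCategory:
    """One row of the data map: a type of personal data and how it is handled."""
    name: str
    purpose: str
    source: str
    storage: str
    access: list[str]
    lawful_basis: str | None        # None = not yet decided
    retention_days: int | None      # None = no decision, i.e. "forever storage"
    retention_reason: str = ""      # why you keep it that long (document it)
    opt_in_evidence: str = ""       # for consent: how the opt-in is recorded


@dataclass
class Record:
    """One person's data within a category (constructed sample)."""
    category: str
    subject: str
    last_needed: date   # e.g. contract end or last contact; retention counts from here


def check_inventory(inventory: list[DataCategory]) -> list[tuple[str, str]]:
    """Return (category name, problem) pairs for gaps a data map should not have."""
    problems = []
    for c in inventory:
        if c.lawful_basis not in LAWFUL_BASES:
            problems.append((c.name, "no recognised lawful basis recorded"))
        if c.lawful_basis == "consent" and not c.opt_in_evidence:
            problems.append((c.name, "consent relied on but no record of how people opted in"))
        if c.retention_days is None:
            problems.append((c.name, "no retention period: data would be kept forever"))
        elif not c.retention_reason:
            problems.append((c.name, "retention period set but reasoning not documented"))
    return problems


def due_for_deletion(records: list[Record], inventory: list[DataCategory],
                     today: date) -> list[Record]:
    """Records whose retention period has passed. Categories with no retention
    decision are skipped: fix the map first, never auto-delete on a guess."""
    policy = {c.name: c.retention_days for c in inventory}
    due = []
    for r in records:
        days = policy.get(r.category)
        if days is None:
            continue
        if r.last_needed + timedelta(days=days) <= today:
            due.append(r)
    return due


# Constructed sample data map for an imaginary sole trader (not real data).
INVENTORY = [
    DataCategory("client invoices", "billing and accounts", "accounting software",
                 "accounting platform", ["owner", "accountant"],
                 "legal obligation", 6 * 365,
                 retention_reason="assumed: 6 years for accounting records; check the rule that applies to you"),
    DataCategory("website enquiries", "reply to prospects", "website form",
                 "Outlook", ["owner"],
                 "legitimate interests", 365,
                 retention_reason="assumed: an enquiry is stale after a year"),
    DataCategory("newsletter subscribers", "email marketing", "signup form",
                 "email marketing tool", ["owner", "assistant"],
                 "consent", None),   # no retention decision, no opt-in record
]

RECORDS = [
    Record("client invoices", "A. Client", date(2021, 3, 31)),
    Record("website enquiries", "B. Prospect", date(2023, 1, 10)),
    Record("website enquiries", "C. Prospect", date(2024, 2, 1)),
    Record("newsletter subscribers", "D. Subscriber", date(2019, 1, 1)),
]

TODAY = date(2024, 6, 1)  # fixed so the example is reproducible


if __name__ == "__main__":
    for name, problem in check_inventory(INVENTORY):
        print(f"FIX: {name}: {problem}")
    for r in due_for_deletion(RECORDS, INVENTORY, TODAY):
        print(f"DELETE/ARCHIVE: {r.category}: {r.subject} (not needed since {r.last_needed})")
```

Run as-is, it reports two gaps for the newsletter list (consent with no opt-in record, and no retention decision) and one enquiry due for deletion; the old newsletter subscriber is left alone until a retention period is actually decided and written down.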
Checklist: handling data requests
People can ask you to access, correct, or delete their data.
Practical steps:
- have a simple inbox/process for requests
- verify identity before sending personal data, and only send it to an address you already hold for that person or have verified
- respond within one month of receiving the request (this can be extended by up to two further months for complex requests, but you must tell the person within the first month)
- keep a brief record of what you did
Checklist: data breaches
A breach can be as simple as emailing a document to the wrong person or losing an unencrypted laptop.
- keep a short internal note of every breach, even ones you don't report: what happened, who was affected and what you changed
- if the breach is likely to risk people's rights and freedoms, report it to the ICO within 72 hours of becoming aware of it; if the risk to the people affected is high, tell them too, without undue delay
A note on the ICO fee
Many UK organisations that process personal data must pay an annual data protection fee to the ICO unless they are exempt. Whether you need to pay depends on what you do with personal data, and the amount depends on your size and turnover; the ICO website has a short self-assessment to check.
Disclaimer
This guide is general information, not legal advice. GDPR requirements depend on your activities and the type of data you handle. If you’re unsure, check ICO guidance or get professional advice.
If you’d like help building a tidy admin system that keeps records secure and easy to find, Jeremy can help you put simple processes in place.