Do I need to register with the ICO?

Most organisations that process personal data must pay the ICO's data protection fee. The fee is £40 per year for small organisations (fewer than 10 staff and turnover under £632,000), £60 for medium organisations, and £2,900 for large organisations and public bodies. Some organisations are exempt — including those that process data only for staff administration, accounts and records, advertising and marketing their own business, or for judicial functions. Use the ICO's self-assessment tool to check if you are exempt.

What is the difference between a data controller and a data processor?

A data controller determines the purposes and means of processing personal data — this is usually your business. A data processor processes data on behalf of a controller — for example, a cloud software provider, payroll bureau, or email marketing platform. Controllers have the primary compliance obligations under UK GDPR. Processors must act only on documented instructions from the controller and must have a Data Processing Agreement (DPA) in place. If there is a breach, the controller is usually liable to the ICO and affected individuals.

How long do I have to respond to a Subject Access Request (SAR)?

You must respond to a Subject Access Request within one calendar month of receiving it. If the request is complex or you have received multiple requests from the same person, you may extend this by up to two further months — but you must inform the individual of the extension within the first month and explain why. You cannot charge a fee for most SARs. Failing to respond on time or refusing without justification can lead to an ICO complaint and enforcement action.

When must I report a data breach to the ICO?

You must report a personal data breach to the ICO within 72 hours of becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of individuals. Not all breaches need to be reported — low-risk incidents (for example, an email sent to the wrong internal address with non-sensitive data) do not need to be notified. However, you must document all breaches internally, even those that do not require notification. You must also notify affected individuals directly if the breach is likely to result in a high risk to them.

Do I need a Data Protection Officer (DPO)?

Most small businesses do not need to appoint a formal DPO. Under UK GDPR, a DPO is mandatory only for public authorities, organisations whose core activities require large-scale systematic monitoring of individuals, or organisations that process special category data (health, ethnicity, religion, etc.) at large scale. For SMEs, it is good practice to designate a responsible person internally for data protection matters, but this does not need to be a formal DPO with statutory obligations.

UK GDPR and Data Protection for Small Businesses | Yolist

If your business collects, stores, or uses information about individuals — customers, employees, or website visitors — you must comply with UK GDPR and the Data Protection Act 2018. This guide explains your obligations in plain English.

1. Do you need to comply?

If you process personal data about individuals in the UK, UK GDPR applies to you. Personal data is any information that relates to an identifiable living person — names, email addresses, phone numbers, IP addresses, location data, CCTV footage, and financial information all count.

Very limited exemptions apply:

Purely personal or household activity (keeping your own address book) — no business exemption
Some small clubs and societies with limited personal processing

In practice, almost every business needs to comply. The key question is not whether UK GDPR applies, but how to comply proportionately for your size and risk level.

ICO registration: Most businesses that process personal data must pay the ICO data protection fee: £40/year for small organisations, £60 for medium, £2,900 for large. Check the ICO's self-assessment tool — some organisations are exempt (e.g. manual-only records, certain charities).

2. The 6 lawful bases for processing

Every instance of personal data processing must have a lawful basis. The six lawful bases under UK GDPR are:

Basis	When to use it
Consent	The individual has freely given, specific, informed, and unambiguous agreement. Must be able to withdraw it easily.
Contract	Processing is necessary to fulfil a contract with the individual (e.g. processing their address to deliver an order)
Legal obligation	Processing is required by law (e.g. keeping payroll records for HMRC)
Vital interests	Processing is necessary to protect someone's life (emergency situations only)
Public task	Mainly for public authorities; rarely relevant for private businesses
Legitimate interests	Processing is necessary for your legitimate interests (or a third party's), and these interests are not overridden by the individual's rights

Important:Choose the correct lawful basis before you start processing — you cannot switch bases later. You cannot “stack” multiple bases for the same processing activity. If you rely on consent, withdrawing consent must stop the processing.

Legitimate interests is the most flexible basis for many business uses (e.g. direct marketing to existing customers, fraud prevention, network security). You must conduct and document a Legitimate Interests Assessment (LIA) to confirm the balance test is met.

3. The 7 key principles

Article 5 of UK GDPR sets out seven principles that must underpin all processing:

Lawfulness, fairness and transparency — you must have a lawful basis, not deceive individuals, and be open about how you use their data
Purpose limitation — only collect data for specified, explicit, and legitimate purposes; do not use it for incompatible new purposes without further justification
Data minimisation— collect only what is adequate and relevant for the purpose; do not collect data “just in case”
Accuracy — keep personal data accurate and up to date; correct or erase inaccurate data promptly
Storage limitation — do not keep personal data longer than necessary; set and follow retention schedules
Integrity and confidentiality — protect data against unauthorised access, loss, or destruction using appropriate technical and organisational measures
Accountability — you must be able to demonstrate compliance; document your decisions and processes

4. Privacy notices

You must provide individuals with a privacy notice (or “privacy policy”) at the time you collect their data. This must include:

Who you are and your contact details (and DPO contact if applicable)
What personal data you collect and why
Your lawful basis for processing
How long you will keep the data (or the criteria you use to determine this)
Who you share the data with
Details of any international transfers
The individual's rights and how to exercise them
The right to complain to the ICO

Write privacy notices in plain, clear English — the ICO can take enforcement action against overly legalistic or unclear notices. Use a layered approach for complex processing: a short summary at the point of collection linking to the full notice.

5. Individual rights

UK GDPR gives individuals the following rights, all of which you must be ready to honour:

Right of access (Subject Access Request) — individuals can request a copy of all personal data you hold about them; you must respond within 1 month (extendable by 2 months for complex cases); no fee for most SARs
Right to erasure (“right to be forgotten”) — individuals can request deletion where data is no longer necessary, consent is withdrawn, or there is no legitimate interest; not absolute — legal obligations can override it
Right to rectification — individuals can request correction of inaccurate personal data
Right to restriction of processing — individuals can ask you to stop processing in certain circumstances while a dispute is resolved
Right to data portability — where processing is based on consent or contract and carried out by automated means, individuals can receive their data in a structured, machine-readable format
Right to object — individuals can object to processing based on legitimate interests or direct marketing; direct marketing objections must always be honoured immediately
Rights related to automated decision-making — individuals have the right not to be subject to solely automated decisions that significantly affect them (e.g. automated loan decisions) without human review

6. Data retention

You must not keep personal data longer than necessary. Set and follow documented retention schedules. Common minimum retention periods required by law or best practice:

Record type	Minimum retention	Legal basis
Payroll and wage records	3 years	HMRC requirement
Employment records (general)	6 years post-employment	Limitation Act 1980
Contracts and business records	6 years	Limitation Act 1980
Accounting records	6 years (companies); 5 years (sole traders)	Companies Act / HMRC
Marketing consent records	Until consent withdrawn + evidence period	UK GDPR accountability
CCTV footage	Typically 30 days; longer only if needed for incident	Data minimisation principle

After the retention period, data must be securely deleted — for digital data, this means overwriting or cryptographic erasure; for paper, cross-cut shredding.

7. Third parties — processors and controllers

When you share personal data with third parties who process it on your behalf (payroll bureaux, cloud software providers, email marketing platforms, IT support firms), you must have a Data Processing Agreement (DPA) in place. The DPA must specify:

The subject-matter and duration of processing
The nature and purpose of processing
The type of personal data involved
The obligations of both parties

International transfers: If personal data leaves the UK (for example, data stored on US servers), you need safeguards. Acceptable safeguards include: UK adequacy decisions (for countries with equivalent protection), Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Check whether your software providers are processing data outside the UK.

8. Data breaches

A personal data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data. Your breach response plan should include:

Contain and assess — stop the breach and assess what data was affected and the likely risk
Notify the ICO within 72 hoursif the breach is likely to result in a risk to individuals' rights and freedoms
Notify affected individuals without undue delay if the breach is likely to result in a high risk to them
Document internally — all breaches must be logged, even low-risk ones that do not require notification

The 72-hour clock starts from when you become aware of the breach, not when it happened. If you cannot provide all information within 72 hours, you can notify in phases.

9. ICO registration

Organisation size	Annual fee
Small (under 10 staff, turnover under £632,000)	£40/year
Medium	£60/year
Large / Public body	£2,900/year

10. Practical steps for SMEs

Data audit — map what personal data you collect, where it is stored, who has access, and how long you keep it
Update your privacy notice — ensure it covers all your processing activities and is clearly accessible on your website
Review consent mechanisms — pre-ticked boxes and bundled consent are not valid under UK GDPR
Check your lawful bases — document which basis you rely on for each processing activity
Sign DPAs with all processors — check your contracts with software providers, accountants, and IT suppliers
Appoint a responsible person — designate someone internally to handle SARs and breach responses (a full DPO is not required for most SMEs)
Train your team — staff who handle personal data should understand the basics of UK GDPR and know how to spot a breach
Register with the ICO — confirm whether you need to pay the data protection fee and register if so
Create a breach response plan — know in advance who is responsible, how to contain breaches, and how to notify the ICO
Document everything — the accountability principle requires you to demonstrate compliance; keep records of decisions, assessments, and training

The ICO has extensive free guidance at ico.org.uk, including a free self-assessment tool for SMEs.