
GDPR for Businesses: A Practical UK Compliance Guide

Last updated: May 2026 · 12 min read

UK GDPR compliance is not just a legal box to tick — it affects how you collect customer data, run marketing campaigns, manage employee records, and respond to requests. This guide cuts through the jargon and focuses on what UK businesses actually need to do.

1. GDPR and UK GDPR

Following Brexit, the EU GDPR was retained and adapted as UK GDPR — the version of the law that applies in Great Britain. UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018), which supplements and adapts it for the UK context. Together, these two instruments form the UK data protection regime.

Key points for UK businesses:

  • The Information Commissioner's Office (ICO) is the UK's supervisory authority. It has powers to investigate, audit, issue enforcement notices, and impose fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches
  • Businesses operating in both the UK and EU may need to comply with both UK GDPR and EU GDPR — they are separate but similar regimes
  • The UK operates under an EU adequacy decision, allowing personal data to flow freely from the EU to the UK. Data flows from the UK to other countries require appropriate safeguards (adequacy, standard contractual clauses, or binding corporate rules)
  • Small organisations are not exempt — the obligations apply regardless of size, though the ICO's approach to enforcement tends to be proportionate

2. The 6 Lawful Bases

Every time you process personal data, you must have a lawful basis. UK GDPR provides six lawful bases, and you must identify the most appropriate one for each processing activity before you begin — you cannot switch bases retrospectively.

  1. Consent — freely given, specific, informed, and unambiguous indication of agreement. Must be as easy to withdraw as to give. Not appropriate for employee data or where there is a power imbalance
  2. Contract — processing is necessary to perform a contract with the individual, or to take steps at their request before entering a contract (e.g. processing customer delivery details)
  3. Legal obligation — processing is necessary to comply with a legal obligation (e.g. PAYE records, right to work checks, HMRC reporting)
  4. Vital interests — processing is necessary to protect someone's life. A narrow basis, rarely applicable outside emergency situations
  5. Public task — processing is necessary for a task in the public interest or for official authority. Primarily relevant to public sector bodies and some regulated functions
  6. Legitimate interests — processing is necessary for the controller's (or a third party's) legitimate interests, provided these are not overridden by the individual's interests, rights, and freedoms. Requires a three-part Legitimate Interests Assessment (LIA): purpose test, necessity test, and balancing test

For most SMEs, the most applicable bases are contract (for customer data) and legitimate interests (for marketing, fraud prevention, and network security). Always document your chosen basis.

3. Data Subject Rights

UK GDPR grants individuals (data subjects) eight rights. Businesses must be able to respond to requests under these rights within the statutory deadlines and without placing an excessive burden on the requester.

  1. Right of access (Subject Access Request / SAR) — right to obtain a copy of their personal data and supplementary information. Must respond within 1 month (extendable by 2 months for complex requests)
  2. Right to rectification — right to have inaccurate or incomplete data corrected within 1 month
  3. Right to erasure ('right to be forgotten') — right to have data deleted in certain circumstances (e.g. data no longer necessary, consent withdrawn, no legitimate grounds override)
  4. Right to restriction — right to restrict processing while a dispute is resolved
  5. Right to data portability — right to receive data in a structured, machine-readable format (applies where processing is based on consent or contract and is carried out by automated means)
  6. Right to object — right to object to processing based on legitimate interests or public task at any time. Processing must cease unless compelling legitimate grounds override
  7. Rights related to automated decision-making — right not to be subject to solely automated decisions that produce significant effects, including profiling
  8. Right to be informed — right to receive privacy information at the time data is collected (addressed through privacy notices)

Businesses should have a documented procedure for handling data subject requests, including how requests are recognised (they need not use the words 'Subject Access Request'), logged, and responded to.

4. Privacy Notices

A privacy notice (or privacy policy) is the mechanism through which you fulfil the right to be informed. It must be provided at the time of data collection and must be written in clear and plain English that is easy to understand.

Required content under UK GDPR Articles 13 and 14:

  • Identity and contact details of the controller (and Data Protection Officer if applicable)
  • The purpose of processing and the lawful basis for each purpose
  • Any legitimate interests relied upon
  • Who the data will be shared with (recipients or categories of recipient)
  • Details of any international transfers and the safeguards in place
  • Retention periods or the criteria used to determine them
  • The individual's rights and how to exercise them
  • The right to withdraw consent (if consent is the lawful basis)
  • The right to lodge a complaint with the ICO
  • Whether provision of data is a statutory or contractual requirement, and the consequences of not providing it

Privacy notices should be layered (short summary + more detail on click) and reviewed regularly. A legal boilerplate notice that is not tailored to your actual processing activities is unlikely to satisfy UK GDPR requirements.

5. Data Breach Response

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes not just cyber attacks but also sending an email to the wrong person, losing a device, or a rogue employee accessing data without authority.

The UK GDPR response framework:

  • All breaches must be documented internally in a breach register, regardless of whether they are reportable — include date, nature, data involved, likely consequences, and remedial action
  • Where a breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours of becoming aware of it. Where notification is delayed beyond 72 hours, reasons must be given
  • Where the breach is likely to result in a high risk to individuals, those individuals must be notified directly without undue delay

Not every breach requires ICO notification. Low-risk breaches (e.g. sending one person's non-sensitive data to a trusted colleague by mistake) may not require notification. The assessment should be documented. Having an incident response plan in advance dramatically reduces the risk of missing the 72-hour deadline.

6. Data Processors and Contracts

A data controller determines the purposes and means of processing. A data processor processes data on behalf of the controller (e.g. a payroll provider, cloud storage company, or email marketing platform). Both bear responsibilities under UK GDPR.

Controllers must:

  • Only use processors who provide sufficient guarantees of compliance
  • Have a written Data Processing Agreement (DPA) with each processor, containing the mandatory provisions set out in UK GDPR Article 28 (subject-matter, duration, nature of processing, instructions, confidentiality, security, sub-processing, assistance with rights, deletion/return of data)
  • Remain responsible to data subjects for the processor's compliance — if the processor breaches UK GDPR, the controller can be held liable

Sub-processors (processors used by your processors) must also be subject to equivalent data protection obligations. Review processor contracts and data processing agreements at least annually, particularly after significant changes to processing activities.

7. Special Category Data

Special category data is information that deserves higher protection because of its sensitivity and the particular risks its misuse poses. UK GDPR Article 9 identifies eight categories: health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, and data concerning sex life or sexual orientation.

Processing special category data requires both a standard lawful basis (one of the six above) and a separate condition under Article 9(2). For businesses, the most commonly applicable Article 9 conditions are:

  • Explicit consent — more stringent than standard consent; must be specific to the special category data
  • Employment, social security and social protection — processing necessary for employment law obligations (e.g. managing sick leave, disability adjustments)
  • Legal claims — processing necessary for establishing, exercising, or defending legal claims

Special category data requires enhanced security measures, stricter access controls, and should only be processed by those with a genuine need. Criminal offence data has its own special regime and should only be processed under official authority or when authorised by DPA 2018 Schedule 1.

8. Direct Marketing and PECR

Direct marketing is regulated by both UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). PECR applies to electronic marketing communications and creates specific rules on top of UK GDPR.

Key PECR rules for businesses:

  • Email and SMS to consumers (B2C) — requires prior consent. The soft opt-in exception allows marketing to existing customers for similar products/services, provided they were given the opportunity to opt out at the time their details were collected and on every subsequent message
  • Email and SMS to businesses (B2B) — the soft opt-in applies; can market to business email addresses without prior consent if the recipient had a reasonable opportunity to opt out. Marketing to named individuals at a business requires the same consent as B2C
  • Cold calling — must check the Telephone Preference Service (TPS) and Corporate TPS (CTPS) before calling. Do not call numbers registered on TPS/CTPS unless the individual has specifically consented to calls from you
  • Cookies — consent required for all non-essential cookies (functional, analytical, marketing). Consent must be freely given, specific, and as easy to withdraw as to give

The ICO enforces PECR and has issued fines of hundreds of thousands of pounds for nuisance calling and spam email. Marketing lists should be suppressed against TPS/CTPS and your own opt-out list before every campaign.

9. Retention and Deletion

UK GDPR's storage limitation principle requires that personal data is kept no longer than necessary for the purpose for which it was collected. Organisations must document their retention schedules — a policy specifying how long different categories of data are held and the criteria for determining this.

Common statutory retention periods that inform business retention schedules:

  • HMRC financial and tax records — generally 6 years from the end of the accounting period (self-employed: 5 years after 31 January submission deadline)
  • Employee records — employment contracts, payslips, absence records: retain for 6 years after the employment ends (some HR advisers recommend 7 years for limitation period safety)
  • Recruitment records — for unsuccessful candidates, 6–12 months to defend discrimination claims
  • Health and safety records (RIDDOR) — 3 years minimum
  • Accident book entries — 3 years
  • Employer's liability insurance certificates — 40 years

When data reaches the end of its retention period, it must be securely deleted or anonymised. Paper records should be cross-cut shredded; digital records should be overwritten or the media destroyed. Retention schedules should be actively enforced, not just documented.

10. ICO Registration and Fees

Most organisations that process personal data are required to pay an annual data protection fee to the ICO under the Data Protection (Charges and Information) Regulations 2018. This replaces the old notification requirement but the obligation to register is similarly broad.

Fee tiers (2024/25):

  • Tier 1 — Micro organisations: turnover up to £632,000 and/or maximum 10 members of staff — £40/year
  • Tier 2 — Small and medium organisations: turnover up to £36 million and/or maximum 250 members of staff — £60/year
  • Tier 3 — Large organisations: above Tier 2 thresholds — £2,900/year
  • A £4 discount applies for direct debit payment
  • Charities pay Tier 1 rates regardless of size

Exemptions include: individuals processing for purely personal purposes; organisations that only process for core business purposes (e.g. staff administration, advertising own services, keeping accounts); and not-for-profit organisations processing only member/supporter data for non-commercial purposes. The ICO's online self-assessment tool confirms whether registration is required. Failure to pay when required can result in a civil monetary penalty of up to £4,000.

Key compliance checklist

Obligation                      Key requirement
------------------------------  ----------------------------------------------------
Lawful basis                    Documented for each processing activity
Privacy notice                  Clear English; all Article 13/14 elements
SAR response                    Within 1 month; free of charge
Breach notification (ICO)       Within 72 hours if likely risk
Data Processing Agreements      Required with all processors
Retention schedule              Documented; actively enforced
ICO registration fee            £40–£2,900/year depending on size
PECR email marketing            Consent (B2C) or soft opt-in (existing customers)