Vertical guide · SMEs and sole traders

UK GDPR for small businesses

Updated April 2026 · UK GDPR · DPA 2018 · ICO aligned

UK GDPR applies to every UK organisation that processes personal data — including sole traders, micro-businesses, and early-stage companies. The obligations are the same as for larger organisations; only the means of meeting them is proportionate to scale and risk. The ICO enforces against small businesses, and the most common triggers are preventable with basic documented procedures.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

Size is not an exemption

The ICO has been explicit that UK GDPR applies to all organisations regardless of size. A sole trader with a customer email list is a data controller subject to the full framework. What size affects is proportionality — how obligations are met, not whether they apply.

What you must actually do

For a small business with limited resources, the core non-negotiable elements are:

  • A basic data audit identifying what personal data is held, why, and where it came from
  • A simple ROPA documenting each processing activity and its lawful basis
  • A privacy notice in plain language covering all processing activities
  • A process for responding to subject access requests within one month
  • A process for reporting data breaches to the ICO within 72 hours where required
  • Basic security measures appropriate to the data held
  • Payment of the ICO data protection fee (£52 for small organisations from February 2025)

Proportionality in practice

The accountability principle requires being able to demonstrate compliance, but the means can be proportionate to scale and risk. A sole trader processing a small customer list does not need an elaborate ROPA — a simple spreadsheet documenting what data is held, why, and for how long is sufficient. The ICO requires genuine thought and documented evidence, not a compliance programme scaled for a multinational.

ICO data protection fee

Most data controllers must pay an annual data protection fee to the ICO. Small organisations — turnover under £632,000 or fewer than 10 staff — pay £52 per year from February 2025. Failure to pay can attract a civil monetary penalty, separate from any penalty for substantive data protection breaches.

Source: Data Protection (Charges and Information) Regulations 2018; ICO fee schedule from February 2025

Common risks for small businesses

The most common ICO enforcement issues affecting small businesses are: sending personal data to the wrong recipient; failure to respond to a subject access request on time; inadequate security leading to a breach; and using customer contact details for marketing without consent or a valid legitimate interests basis. All are preventable with basic documented procedures.

Record this. Keep a simple log of every data-related decision — what you process, why, how long you keep it. When a SAR arrives, log it. When a breach occurs, log it. Small businesses are investigated because of basic failures to respond to requests or report breaches, and because they have no records to show they tried.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.