Data protection feels heavy, but most small businesses only need to get a handful of things right — and getting them right protects you from complaints, fines and lost trust. Here are the essentials, in plain English.
- Most organisations must register with the ICO and pay the data-protection fee.
- Know your lawful basis and publish a clear privacy notice.
- Collect only what you need, keep it only as long as you need it.
- Handle data-subject requests within the statutory timeframe, and report qualifying breaches to the ICO within 72 hours.
Register and know your basis
Most organisations that process personal data must register with the ICO and pay the annual fee. You need a lawful basis for each type of processing and a clear, accessible privacy notice explaining what you do with people's data.
Minimise, secure and retain
Collect only what you need, keep it secure (access controls, sensible IT hygiene — consider Cyber Essentials), and keep it only as long as you genuinely need it, then delete it. A short retention schedule is an easy win.
Rights, requests and breaches
People have the right to access, correct and erase their data, and to object to how it is used. You must handle a data-subject access request within the statutory timeframe, and report qualifying personal-data breaches to the ICO within 72 hours of becoming aware of them. Have a simple process ready before you need it.
Check where you stand
Not sure if you're compliant? Our free GDPR self-check scores you against the essentials and shows your biggest gaps in two minutes.
Frequently asked questions
Does GDPR apply to my small business?
Almost certainly, if you handle any personal data about customers, staff or suppliers.
Do I have to pay the ICO?
Most organisations must pay the annual data-protection fee unless exempt.
How quickly must I report a breach?
Qualifying breaches must be reported to the ICO within 72 hours of becoming aware of them.