Data Protection for Small Businesses: Common Questions Answered

Written by Data Protection People

Expert answers to our top ten most commonly asked questions from small businesses.

As a leading data protection consultancy, we have had the pleasure of partnering with businesses of all sizes from various industries.

What we often find with smaller firms is uncertainty – they’re uncertain about data protection law, how it applies to them and what they need to maintain compliance. Part of our mission is to simplify the GDPR, making it easy to understand and easy to do.

To help with this, we’ve addressed our top ten most frequently asked questions about GDPR for small businesses.

1. What Data Protection Laws Apply in the UK?

The UK’s data protection legislation includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These laws govern the use of personal information, also known as personal data, by businesses and government departments. 

The original EU version of the GDPR came into force in 2016. In the UK, the government added sections to the regulation, which, at the time, were left for EU member states to add and implement. This led to the DPA receiving royal assent in 2018. 

After Brexit, the government combined the EU GDPR with the DPA 2018 to form the UK GDPR, which has been in place since 2021. 

2. What Is DUAA? And Should You Be Worried? 

The Data Use and Access Act (DUAA) 2025 is a recent act of parliament that updates (but does not replace) the UK GDPR, the DPA 2018 and the Privacy and Electronic Communications Regulations (PECR).

While any change in law can be a cause for concern, your business won’t have to respond immediately (if the new requirements even apply to you) until each change is implemented. The government expects to phase in the changes between June 2025 and June 2026.


3. Who Needs to Pay a Data Protection Fee? 

If you process personal data as a business, organisation or sole trader, you must pay a data protection fee to the Information Commissioner’s Office (ICO). The ICO’s self-assessment form will help you decide if you need to pay it and how much is owed. 

The data protection fee helps fund the ICO’s work in providing help and educational measures about how to comply with the law.

4. What Is Considered Personal Data Under the UK GDPR?

Personal data refers to information that an individual (the data subject) holds about themselves. As a business, you may handle personal data, such as:

  • People’s names and addresses
  • Medical information
  • Photographs
  • Email addresses
  • Location data
  • IP addresses
  • Customer reference numbers

This may be exchanged in a document, file, image or email chain. Even if it doesn’t include the data subject’s name, it can still be classed as personal data. You may collect other information that can be used together to identify them. 

Personal data only applies to individuals who are alive. The UK GDPR aims to protect this data, granting individuals various rights to the information a business collects about them (See question 6 for more on individual rights). 

5. How Many Principles Apply to the GDPR? 

The UK GDPR has seven data protection principles. These include:

  1. Lawfulness, fairness and transparency – You must use personal data in a way that complies with the law (see ‘lawful basis’), aligns with people’s expectations and is openly explained to individuals, so they know how and why you’re using their data.
  2. Purpose limitation – Only use personal data for the purpose you collected it for in the first place.
  3. Data minimisation – Only collect as much data as you need. Less is more.
  4. Accuracy – Keep personal data up to date and accurate.
  5. Storage limitation – Store data only for as long as you need it. After this, you must destroy or delete the data.
  6. Integrity and confidentiality – Personal data must be processed securely to protect it from unlawful or unauthorised access, destruction, damage or loss.
  7. Accountability – Refers to your ability to demonstrate compliance. It’s about taking responsibility and having the right measures in place to protect personal data.

6. What Are Individual Rights Under the UK GDPR?

Individuals, or data subjects, hold eight rights relating to how their personal data is handled:

  1. The right to be informed – You must provide individuals with information about the data you’re collecting, including how long you’ll store it and what you intend to do with it. 
  2. The right of access – Individuals have the right to request copies of the personal data you hold about them. This is known as a data subject access request (DSAR, or SAR). 
  3. The right to rectification – When requested, you must correct any inaccurate or incomplete data you have on an individual.
  4. The right to erasure – Also known as the ‘right to be forgotten’, this right allows individuals to have their personal data deleted under certain circumstances.
  5. The right to restrict processing – Individuals can ask you to limit how you process their personal data.
  6. The right to data portability – Individuals must be able to obtain their personal data in a usable format (e.g., CSV) that they can reuse for their own purposes.
  7. The right to object – If an individual objects to the processing of their data, you must comply.
  8. Rights related to automated decision-making and profiling – UK individuals have the right to object to data processing that is automated.

7. What Is Considered a Data Breach?

A personal data breach is the unlawful or accidental loss, destruction or modification of personal data, or unauthorised disclosure of, or access to, personal data. Here are common ways a breach can happen:

  • Emailing personal data to the wrong recipient
  • Falling for a phishing attack
  • Losing a work device with sensitive information
  • Failing to use Blind Carbon Copy (BCC)
  • Being infiltrated by cyber criminals, e.g., through malware or ransomware
  • Not updating software, which creates openings for hackers to exploit
  • Vulnerabilities in your supply chains, leading to a cyber criminal infiltrating a company network

In most cases, accidental mistakes lead to data breaches. You can find out how to prevent human error in our guide.


8. What’s the Difference Between a Data Processor & a Data Controller? 

If your business handles personal data, you’re either a data processor or a data controller. A data controller is an individual or legal entity that controls how personal data is collected, used, altered, stored and disclosed. 

A data processor is an external third party that processes data on the data controller’s behalf. As such, a data controller faces more compliance obligations, because they bear the greater risk.

Learn more about the differences between a data controller and a data processor in our guide. 

9. What GDPR Documents Does My Business Need?

Documentation is how you demonstrate accountability. It works as an audit trail, should you ever be inspected, and keeps everyone aligned with best practices.

Mandatory documentation includes:

  • Data Protection Policy
  • Privacy Notice
  • Employee Privacy Notice
  • Data Retention Policy & Schedule
  • Data Breach Notification & Response Procedure
  • Register of DPIAs
  • Data Sharing agreement

For a full list, head to our guide on GDPR policies and procedures.  

As a data controller or processor, you will also have to document your processing activities (see Article 30) if they:

  • Are a one-off occurrence 
  • Are likely to result in a risk to the rights and freedoms of individuals
  • Include special category data or information, including criminal conviction or offence data

10. Does a Small Business Need a DPO?

A small organisation is unlikely to need a data protection officer (DPO). You’re only required to appoint a DPO if:

  • You’re a public authority or body
  • Your core activities consist of large-scale processing of special category data or data including criminal convictions and offences 
  • You conduct large-scale, regular and systematic monitoring of individuals 

While you may not be required to do so, you can choose to appoint one voluntarily. You may find it more cost-effective to outsource your data protection responsibilities on an ad-hoc basis to a consultancy instead. 

Confused About the UK GDPR? 

If you need guidance, our data protection consultancy is here to assist you. We offer cost-effective support packages tailored to your organisation’s needs to help maintain GDPR compliance. Reach out to us for a free consultation.