What small business owners need to know about GDPR

A guide for small businesses on which practices to follow to stay compliant with GDPR. Learn how to handle people’s personal data and what to do if there’s a data breach.

Ensure compliance

GDPR governs how organisations handle people’s personal data. The rules apply to your business if it holds information about any individual in the UK. Fines for breaches can be severe, so it’s essential to be clear on how to comply.

Understand the principles

GDPR is founded on seven basic principles, including the need for transparency and to keep personal data secure. Individuals have the right to know what data you hold and to demand you delete it.

Report any data breaches

If you suffer a data breach, you must inform the Information Commissioner’s Office (ICO) within 72 hours. Usually, you also need to inform the individuals who are affected. The forthcoming Cyber Security and Resilience Bill will further strengthen reporting rules.


GDPR stands for General Data Protection Regulation. It is a set of rules that governs how organisations of any size or kind handle personal data. If your business holds information about individuals in the UK, it applies to you.

The rules have been in force since 2018 and are broadly similar to the regulatory framework in the EU, although some minor differences have emerged since Brexit. The UK’s Cyber Security and Resilience Bill (which is likely to be signed into law in 2026) will strengthen some aspects of data protection, particularly with regard to security.

The consequences of breaching GDPR can be very damaging. Companies committing the most serious offences can be fined up to 4% of their annual turnover or £17.5 million, whichever is greater. Additionally, they’re likely to lose the trust of their customers.

It’s therefore essential for all businesses to have a good understanding of GDPR and how to remain compliant.

The seven principles of GDPR

GDPR is based on seven core principles. They are:

  1. Lawfulness, fairness and transparency. You must have a legal basis for processing personal data and be open and honest about what you’re doing with it.
  2. Purpose limitation. You should only collect personal data for explicitly specified and legitimate purposes.
  3. Minimisation. You should only collect the data that’s necessary to achieve a specified purpose and should never collect more than you need.
  4. Accuracy. The data you hold should be accurate and kept up to date. You must take reasonable steps to correct or delete inaccurate data.
  5. Storage limitation. You should only hold personal data for as long as is necessary to achieve the purpose you collected it for. You should therefore delete the data you no longer need.
  6. Integrity and confidentiality. You must use appropriate measures to ensure personal data is not stolen, lost or used in any unauthorised way. This includes putting adequate technical security measures in place and having secure business processes.
  7. Accountability. Organisations are responsible for demonstrating compliance with the regulations. You must be able to show that you have a data policy in place and that you’re adhering to the rules.


The rights of individuals

GDPR entitles individuals to certain rights in relation to their personal data, including:

  • The right to access. Individuals can request a copy of data you hold on them. This is known as a ‘subject access request’. They can also ask how you use their data, the categories of data you’ve collected and who you’re sharing it with.
  • The right to rectification. Individuals can demand that you correct any inaccurate personal data you hold about them.
  • The right to erasure. Also known as ‘the right to be forgotten’, this means individuals can request that you delete their personal data.


TOP TIP: In all the above cases, you must comply swiftly. To make sure this happens, make data compliance a responsibility of someone in your team.

How to stay on the right side of GDPR

Since the penalties for non-compliance can be severe, it’s important to take steps to ensure your business doesn’t land a big fine. Try these:

  • Carry out regular data audits. You can’t correctly manage data unless you know exactly what you have and where it’s held.
  • Have a clear data policy. This should explain what personal data you collect, why you collect it, how you use it, how long you keep it and individuals’ rights under GDPR.
  • Secure your data. Ensure you have effective data-protection practices in place, including using strong and unique passwords, enabling multi-factor authentication and limiting employees’ access to personal data to a ‘need to know’ basis.

If the worst happens and the personal data you hold is breached, you have a legal obligation to inform the Information Commissioner’s Office (ICO) within 72 hours. Usually, you’ll also need to tell the individuals who are affected. In addition, you must keep records of everything that has happened.

When the Cyber Security and Resilience Bill is introduced, the reporting rules are likely to be even stricter, so make sure you stay up to date with developments.

At BT, we’re able to offer our expertise to customers to help them with their own compliance challenges.
Geoff Hopper, Security Consultancy Specialist, BT Business

Key takeaways

If you only remember three things, make them these:

  • Only hold people’s personal data for specified purposes and only keep it for as long as you need it.
  • Ensure you have robust security procedures in place to keep data safe, as well as a clear data policy.
  • If a data breach happens, you must inform the ICO within 72 hours and, usually, the people who are affected.