GDPR Data Protection Checklist for Small Business
What Is GDPR and Why Does It Matter?
The General Data Protection Regulation (GDPR), implemented in the UK through the Data Protection Act 2018 and retained as UK GDPR post-Brexit, governs how organisations collect, store, process, and protect personal data. It applies to every UK business that handles personal data — regardless of size.
For small businesses, GDPR can feel daunting. But the core principles are straightforward, and compliance is achievable with the right approach. The consequences of non-compliance, however, are serious: fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, plus significant reputational damage.
GDPR Compliance Checklist
Use this checklist to assess your current compliance and identify gaps that need addressing.
1. Understand What Personal Data You Hold
- Audit the personal data your business collects — customer details, employee records, supplier contacts, marketing lists
- Document where this data is stored — databases, email, spreadsheets, cloud platforms, physical files
- Identify who has access to this data and whether that access is appropriate
- Map data flows — understand how data enters, moves through, and leaves your organisation
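As an added illustration (not part of the original checklist), the Python script below is a starting point for the audit in step 1: it walks a folder tree, scans plain-text and CSV files for three kinds of personal data (email addresses, UK phone numbers and National Insurance numbers) and returns an inventory of which files contain what. The file names, contents and regular expressions are constructed for the example, not taken from any real business; the phone numbers use Ofcom's reserved drama ranges and the email domains are RFC 2606 reserved names. A real audit will also need readers for spreadsheets, mailboxes and PDFs, and these patterns will flag some false positives, which is acceptable for a discovery pass whose purpose is to point a human at candidate files.

```python
import os
import re
import tempfile
from collections import Counter

# Detectors for categories of personal data commonly found in small-business files.
# Deliberately simple; they find candidates for a human to review, not a final verdict.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK numbers: 07700 900123, 020 7946 0123, +44 7700 900123 (spaces or dashes optional).
    # Will also match some digit runs that start with 0, e.g. long customer IDs.
    "uk_phone": re.compile(
        r"(?<!\d)(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"
    ),
    # National Insurance number: two letters, six digits, suffix letter A-D, optional spaces.
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Only text-like formats are read directly; xlsx/docx/pdf need a format-specific reader.
TEXT_EXTENSIONS = {".csv", ".txt", ".md", ".log", ".json", ".eml"}


def scan_text(text):
    """Count matches per category in one document (zero counts included)."""
    return Counter({name: len(rx.findall(text)) for name, rx in DETECTORS.items()})


def scan_tree(root):
    """Walk a directory tree; return {relative_path: Counter} for every file with a hit."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # skipped, but a real audit should still list these files
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                counts = scan_text(fh.read())
            hits = +counts  # unary plus drops zero-count categories
            if hits:
                inventory[os.path.relpath(path, root)] = hits
    return inventory


# Constructed sample files standing in for a small business's shared drive (assumption:
# layout and contents are invented for this example; no real people or numbers).
SAMPLE_FILES = {
    "sales/customers.csv": (
        "name,email,phone\n"
        "Alice Example,alice@example.com,07700 900123\n"
        "Bob Example,bob@example.org,020 7946 0123\n"
    ),
    "hr/payroll-notes.txt": "New starter: Carol Example, NI AB 12 34 56 C, carol@example.net\n",
    "it/server.log": "2024-03-01 10:15:02 INFO backup completed in 142s\n",
    "finance/invoice-0042.pdf": "%PDF-1.4 (binary placeholder; skipped by extension)\n",
}


def demo():
    """Write the sample files to a temporary directory, scan it, and return the inventory."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(f"{path}: {dict(counts)}")
```

Running it prints the two files that hold personal data with a count per category; the log file has no hits and the PDF is skipped. Extending it to a real estate means adding readers for the other formats and recording, per file, the owner and lawful basis that steps 1 and 2 ask for.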
2. Establish a Lawful Basis for Processing
Every processing activity must have a lawful basis. The six lawful bases under GDPR are:
- Consent — The individual has given clear, informed consent
- Contract — Processing is necessary to fulfil a contract with the individual
- Legal obligation — Processing is required to comply with the law
- Vital interests — Processing is necessary to protect someone's life
- Public task — Processing is necessary for a task in the public interest
- Legitimate interests — Processing is necessary for your legitimate business interests, balanced against the individual's rights
For most small businesses, contract, legitimate interests, and consent are the most commonly used bases. Document which basis applies to each processing activity.
3. Review Your Privacy Notices
- Ensure your website privacy policy clearly explains what data you collect, why, how long you keep it, and who you share it with
- Provide a privacy notice to employees explaining how their personal data is used
- Include privacy information in forms, contracts, and communications where you collect personal data
- Use plain, clear language — avoid legal jargon
4. Implement Data Security Measures
GDPR requires 'appropriate technical and organisational measures' to protect personal data. For small businesses, this means:
- Encryption — Encrypt data at rest and in transit (email encryption, disk encryption, HTTPS)
- Access controls — Limit data access to staff who need it for their role
- Multi-factor authentication — Enable MFA on all systems that hold personal data
- Endpoint protection — Install and maintain antivirus/EDR on all devices
- Regular backups — Back up data regularly, keep at least one copy offline or otherwise isolated from your main network so that ransomware cannot reach it, and test that backups can be restored
- Patch management — Keep all software, operating systems, and firmware up to date
- Firewalls — Protect your network with properly configured firewalls
5. Manage Consent Properly
- Consent must be freely given, specific, informed, and unambiguous
- Pre-ticked boxes are not valid consent
- Keep records of when and how consent was obtained
- Make it easy for individuals to withdraw consent at any time
- Review consent mechanisms regularly — especially for marketing communications
6. Handle Data Subject Requests
Individuals have rights under GDPR that your business must be prepared to fulfil:
- Right of access — Provide a copy of their personal data within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month)
- Right to rectification — Correct inaccurate data promptly
- Right to erasure — Delete data on request where there is no longer a lawful basis to keep it; the right is not absolute, so record the reason whenever you decline
- Right to data portability — Provide data in a machine-readable format on request
- Right to object — Stop processing data for direct marketing immediately upon request
Ensure you have a documented process for handling these requests and that relevant staff know what to do.
7. Prepare for Data Breaches
- Have a data breach response plan in place before an incident occurs
- Reportable breaches must be notified to the ICO within 72 hours of your becoming aware of them, so the plan must say how staff escalate a suspected breach internally
- If the breach poses a high risk to individuals, you must also notify the affected individuals
- Keep a breach register documenting all incidents, even those not reported to the ICO
- Train staff to recognise and report breaches promptly
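The two deadlines in steps 6 and 7 are easy to miscount, so here is an added example (not from the original page) of a small Python helper that computes them. For a subject access request it applies the ICO's counting rule: the corresponding calendar date in the following month, or the last day of that month if it has no such date, rolled forward to the next working day if it lands on a weekend or bank holiday. For a breach it counts 72 clock hours from the moment you become aware, with no allowance for weekends. The bank-holiday set is supplied by the caller and the two dates included are an assumed partial list, not a real calendar.

```python
import calendar
from datetime import date, datetime, timedelta


def one_month_deadline(received, bank_holidays=frozenset()):
    """Latest date to answer a data subject request received on `received`.

    ICO counting rule: corresponding calendar date in the following month (or the
    last day of that month if it is shorter); if that lands on a weekend or a
    bank holiday, the deadline moves to the next working day.
    `bank_holidays` is a set of date objects the caller maintains (assumption:
    the business keeps its own list for England/Wales, Scotland or NI).
    """
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day_of_month = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day_of_month))
    while deadline.weekday() >= 5 or deadline in bank_holidays:  # 5 = Sat, 6 = Sun
        deadline += timedelta(days=1)
    return deadline


def breach_notification_deadline(aware_at):
    """Latest moment to notify the ICO: 72 hours after becoming aware of the breach.

    The clock runs in hours, not working days: a breach discovered on a Friday
    evening is due the following Monday evening regardless of the weekend.
    """
    return aware_at + timedelta(hours=72)


def sar_due(received_iso, bank_holidays_iso=()):
    """String wrapper: 'YYYY-MM-DD' in, 'YYYY-MM-DD' out, for use from scripts or tests."""
    holidays = frozenset(date.fromisoformat(d) for d in bank_holidays_iso)
    return one_month_deadline(date.fromisoformat(received_iso), holidays).isoformat()


def breach_due(aware_iso):
    """String wrapper: ISO timestamp in, ISO timestamp out."""
    return breach_notification_deadline(datetime.fromisoformat(aware_iso)).isoformat()


# Assumed partial list for the example; a real register needs the full official calendar.
BANK_HOLIDAYS_2024 = ("2024-12-25", "2024-12-26")

if __name__ == "__main__":
    # Constructed cases covering the awkward edges: short month, weekend, bank holiday.
    for received in ("2024-01-31", "2023-01-31", "2024-07-10", "2024-11-25"):
        print(f"SAR received {received} -> respond by {sar_due(received, BANK_HOLIDAYS_2024)}")
    print(f"Breach aware at 2024-03-15T18:30 -> notify ICO by {breach_due('2024-03-15T18:30')}")
```

A request received on 31 January is due on 28 or 29 February, one received on 10 July 2024 rolls from Saturday 10 August to Monday 12 August, and one received on 25 November 2024 skips Christmas Day and Boxing Day to 27 December. Keep the computed dates in the request log and the breach register so the timeline can be shown to the ICO if asked.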
8. Review Third-Party Processors
- Identify all third parties that process personal data on your behalf — cloud providers, payroll, marketing platforms, IT support
- Ensure you have Data Processing Agreements (DPAs) in place with each processor
- Verify that processors have adequate security measures and are GDPR compliant
- Check where data is stored — if outside the UK, ensure adequate safeguards are in place (e.g. a UK adequacy decision for the destination country, or the ICO's International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses)
9. Train Your Staff
- All staff who handle personal data should receive GDPR awareness training
- Training should cover data handling, recognising breaches, phishing awareness, and the importance of security hygiene
- Refresh training at least annually and when policies change
- Keep records of who has been trained and when
10. Document Everything
GDPR's accountability principle requires you to demonstrate compliance, not just achieve it:
- Maintain a Record of Processing Activities (ROPA) listing all personal data processing
- Document your lawful basis for each processing activity
- Keep records of consent, DPAs, breach reports, Data Protection Impact Assessments (DPIAs), and training
- Review and update documentation regularly
GDPR and Cyber Essentials
Achieving Cyber Essentials certification demonstrates that your business has baseline technical controls in place — which directly supports your GDPR compliance. Many of the security measures required by GDPR (firewalls, patching, access controls, malware protection) are also Cyber Essentials requirements.
For a broader view of IT compliance frameworks relevant to UK businesses — including GDPR, Cyber Essentials, and ISO 27001 — our detailed guide explains how they fit together.
Getting Expert Help
GDPR compliance is an ongoing responsibility, not a one-off project. If you are unsure where your business stands, or you need help implementing the technical and organisational measures required, a managed IT provider can assess your current setup and put the right controls in place.
Need IT Support?
Get GDPR-ready with the right IT security measures — speak to a specialist.
Get a Free IT Quote