Does GDPR still apply after Brexit?
Yes. The UK adopted GDPR into domestic law as the UK GDPR, which works alongside the Data Protection Act 2018. The requirements are essentially the same as EU GDPR, with minor modifications for UK context. If you were compliant before Brexit, you should still be compliant now.
For UK SMEs, data protection compliance can feel overwhelming. The regulations are lengthy, the terminology is technical, and the potential fines are attention-grabbing. But here is what many small businesses do not realise: most GDPR compliance is common-sense data handling, formalised into law.
This checklist breaks down what UK SMEs actually need to do. Not theoretical best practice, but practical steps that bring you into compliance without drowning in paperwork.
The fundamentals: what GDPR requires
GDPR establishes seven key principles for processing personal data. Everything else flows from these:
- Lawfulness, fairness, and transparency – Have a legal basis for processing, be fair, and be clear about what you do with data
- Purpose limitation – Only use data for specified, explicit purposes
- Data minimisation – Only collect data you actually need
- Accuracy – Keep data accurate and up to date
- Storage limitation – Do not keep data longer than necessary
- Integrity and confidentiality – Keep data secure
- Accountability – Be able to demonstrate compliance
If your data handling practices align with these principles, you are most of the way there.
GDPR compliance checklist for UK SMEs
1. Know what data you hold
You cannot protect data you do not know you have. Conduct a data audit covering what personal data you collect, where it is stored, who has access to it, how long you keep it, and whether you share it with anyone else.
2. Establish your lawful bases
Every piece of personal data you process needs a lawful basis. The six options are: contract, legal obligation, vital interests, public task, legitimate interests, and consent. Many SMEs default to consent when other bases would be more appropriate.
3. Write a privacy notice
You must tell people what you do with their data. A privacy notice should explain who you are, what data you collect, why you need it, who you share it with, how long you keep it, their rights, and how to complain. Put this on your website and write it in plain English.
4. Implement appropriate security
GDPR requires security measures appropriate to the risk. For most SMEs, this means password protection, access controls, encryption for sensitive data, regular software updates, antivirus and firewall protection, secure disposal, and staff training.
Related resource: The National Cyber Security Centre offers free guidance for small businesses at ncsc.gov.uk
5. Train your staff
Everyone who handles personal data should understand data protection basics: what personal data is, your organisation's policies, how to recognise and report breaches, and how to respond to data subject requests.
See how it works: MyTrainingTracker helps you track data protection training completion across your team.
6. Prepare for subject access requests
Individuals can ask what data you hold about them, and you must respond within one month. Have a process for recognising requests, verifying identity, finding all relevant data, and providing it in a commonly used format.
7. Know how to handle data breaches
A data breach is any security incident affecting personal data. You must assess the breach, report it to the ICO within 72 hours if it poses a risk to individuals, notify the affected individuals if the breach poses a high risk to them, and document all breaches, including those you decide not to report.
MyRiskLog provides a structured workflow for documenting and responding to data breaches.
8. Review your contracts
If you use third parties to process data on your behalf, you need written contracts with specific GDPR clauses covering what processing they will do, security measures, what happens when the contract ends, breach obligations, and sub-processing arrangements.
9. Consider whether you need a DPO
Most SMEs do not need a formal Data Protection Officer. However, you should designate someone responsible for data protection, even if it is part of a broader role.
Common GDPR mistakes SMEs make
Relying on consent when it is not needed
Consent has strict requirements and can be withdrawn at any time. If another lawful basis applies, use that instead.
Keeping data forever
Define retention periods for different types of data and stick to them. Keeping data just in case violates the storage limitation principle.
Ignoring employee data
GDPR applies to employee data too – application forms, performance reviews, absence records, payroll. Many SMEs focus on customer data and forget their obligations to staff.
FAQs: GDPR compliance for SMEs
Do I need to register with the ICO?
Most organisations processing personal data must pay an annual data protection fee to the ICO. Fees range from £40 to £2,900 depending on size and turnover. Check the ICO self-assessment tool at ico.org.uk.
What are the penalties for non-compliance?
The ICO can issue fines up to £17.5 million or 4% of annual global turnover. In practice, fines for SMEs are typically much lower and the ICO often uses warnings or enforcement notices before fining.
Does GDPR apply to paper records?
Yes. GDPR applies to personal data in structured filing systems, whether digital or paper.
Taking action on GDPR compliance
A GDPR compliance checklist is only useful if you work through it. The steps above are not overwhelming when taken one at a time. Most SMEs can achieve reasonable compliance within a few weeks of focused effort.
Start with the data audit – understanding what you have and where it is. Everything else becomes easier once you have that foundation.
Ready to get your compliance organised? Join the Founding Partner waitlist to see how Compliance Cover helps SMEs manage policies, training, and compliance documentation in one place.