GDPR compliance checklist for UK SMEs
Practical perspective from an IT leader working across operations, security, automation, and change.
Most UK SMEs know they need to comply with GDPR. Far fewer have a clear, documented picture of exactly where they stand. This GDPR compliance checklist for UK businesses gives you a structured way to assess your obligations, identify gaps, and prioritise remediation - without wading through 88 pages of ICO guidance to find the parts that actually apply to a business your size.
UK GDPR (the UK's post-Brexit version of the EU regulation, retained in domestic law and sitting alongside the Data Protection Act 2018) applies to any organisation that processes personal data in the UK or handles data about UK residents. That covers almost every SME operating today. The Information Commissioner's Office (ICO) is the supervisory authority, and fines for serious breaches can reach £17.5 million or 4% of global annual turnover, whichever is higher.
The checklist below covers the core areas. It is not a substitute for legal advice on complex situations, but it will give you a working view of your compliance posture and a clear action list.
Key obligations under UK GDPR
Before working through the checklist, it helps to understand the six principles UK GDPR requires you to comply with:
- Lawfulness, fairness and transparency - you must have a valid legal basis for processing, and individuals must understand how their data is used
- Purpose limitation - data collected for one purpose cannot be repurposed without justification
- Data minimisation - collect only what you need for the stated purpose
- Accuracy - personal data must be kept up to date
- Storage limitation - do not retain personal data longer than necessary
- Integrity and confidentiality - appropriate security must protect the data
These principles underpin every item in the checklist below.
GDPR compliance checklist for UK SMEs
1. Establish your lawful basis for processing
- Identify every category of personal data your organisation processes
- Document the lawful basis for each processing activity (consent, legitimate interests, contract, legal obligation, vital interests, or public task)
- Where you rely on consent, ensure it is freely given, specific, informed, and unambiguous - pre-ticked boxes do not count
- Where you rely on legitimate interests, conduct and document a Legitimate Interests Assessment (LIA)
- Do not rely on consent as a default where another basis is more appropriate
2. Complete a data mapping exercise
- Identify all personal data your organisation holds (customers, employees, suppliers, prospects)
- Map where data originates (web forms, email, paper, third-party systems)
- Document how data flows through your organisation and to third parties
- Identify where data is stored (cloud services, CRMs, HR systems, email platforms, physical files)
- Record how long each category of data is retained
This exercise is the foundation of your Record of Processing Activities (ROPA).
3. Maintain a Record of Processing Activities (ROPA)
The ROPA is a mandatory document for most organisations. It must include:
- The name and contact details of your organisation (and your Data Protection Officer, if you have one)
- The purposes of processing for each activity
- A description of categories of data subjects and personal data
- Categories of recipients (including third-party processors)
- Details of international data transfers, if any
- Retention periods or criteria for deletion
- A general description of technical and organisational security measures
The ICO provides a template ROPA that works well for SMEs. Review and update it at least annually, or whenever processing activities change significantly.
4. Review and update your privacy notices
Privacy notices (sometimes called privacy policies) must be provided to individuals at the point their data is collected, or as soon as reasonably possible.
- Publish a privacy notice on your website covering all processing activities
- Ensure the notice includes: who you are, what data you collect, why, the lawful basis, retention periods, individuals' rights, and how to contact you
- Provide a separate, specific privacy notice at each data collection point (web forms, job applications, customer contracts)
- Use plain language - avoid legal jargon where possible
- Review notices annually and update them when processing changes
5. Respect data subjects' rights
UK GDPR gives individuals eight rights. Your organisation needs a documented process for handling each:
- Right of access - respond to Subject Access Requests (SARs) within one calendar month
- Right to rectification - correct inaccurate data promptly when requested
- Right to erasure - delete personal data when the individual requests it and there is no overriding legal obligation to retain it
- Right to restrict processing - pause processing when an individual contests accuracy or objects
- Right to data portability - provide data in a structured, machine-readable format where processing is based on consent or contract
- Right to object - stop direct marketing immediately when an individual objects; assess other objections within one month
- Rights related to automated decision-making - inform individuals when decisions are made solely by automated means and provide meaningful human review where required
- Train staff to recognise rights requests and escalate them correctly
- Document all rights requests and your responses
6. Appoint a Data Protection Officer (if required)
A DPO is mandatory for:
- Public authorities
- Organisations that carry out large-scale systematic monitoring of individuals
- Organisations that process special categories of data (health, biometric, criminal records) on a large scale
For most UK SMEs, a DPO is not legally required, but it is good practice to designate a named person responsible for data protection compliance. Document who that is and ensure they have adequate time and authority to do the role.
7. Implement appropriate technical and organisational security measures
UK GDPR requires security that is appropriate to the risk. For most SMEs, that means:
- Enforce strong, unique passwords across all systems (use a password manager)
- Enable multi-factor authentication (MFA) on all systems that hold personal data
- Apply encryption to personal data at rest and in transit (particularly for laptops and portable devices)
- Keep software, operating systems, and firmware patched and up to date
- Limit access to personal data on a need-to-know basis (role-based access control)
- Conduct regular backups and test restoration procedures
- Implement and document a clear acceptable use policy for staff
- Review third-party access and ensure it is removed when no longer needed
- Maintain an asset register covering devices that hold or access personal data
If you are working through a more structured approach to security, Cyber Essentials certification covers the five foundational controls and aligns well with GDPR's security requirements.
8. Manage third-party processors
When you share personal data with a third party that processes it on your behalf (cloud providers, payroll bureaus, marketing platforms, IT support companies), UK GDPR requires a written Data Processing Agreement (DPA).
- Identify all third-party processors that handle personal data on your behalf
- Ensure a signed DPA is in place with each processor
- Verify that processors provide sufficient guarantees about their security measures
- Check whether any processors transfer data outside the UK and, if so, what transfer mechanism is in place
- Review processor relationships when contracts renew or change
9. Manage international data transfers
Since Brexit, transfers of personal data from the UK to countries outside the UK require appropriate safeguards.
- Identify any transfers of personal data to organisations outside the UK
- Check whether the destination country has an adequacy decision from the UK (the EU, EEA, and several others have this)
- If no adequacy decision exists, implement an alternative transfer mechanism such as the International Data Transfer Agreement (IDTA) or binding corporate rules
- Document all international transfers in your ROPA
10. Establish a data breach response procedure
Under UK GDPR, you must report certain personal data breaches to the ICO within 72 hours of becoming aware of them. Breaches that pose a high risk to individuals must also be communicated directly to those affected.
- Define what constitutes a personal data breach (not just hacking - also accidental disclosure, loss of devices, sending data to the wrong recipient)
- Document a breach response procedure: who to notify, how to assess severity, when the 72-hour clock starts
- Train staff to report suspected breaches to the designated data protection lead immediately
- Maintain a breach log even for incidents that do not require ICO notification
- Test your breach response procedure at least annually
11. Conduct Data Protection Impact Assessments (DPIAs)
A DPIA is required before starting any processing activity that is likely to result in a high risk to individuals. This is mandatory, not optional, in high-risk situations.
- Identify processing activities that may require a DPIA (new systems, profiling, large-scale processing of sensitive data, surveillance)
- Conduct DPIAs before implementing high-risk processing, not after
- Document DPIA outcomes and any mitigations applied
- Consult the ICO before processing if a DPIA identifies a high residual risk that cannot be mitigated
12. Train staff
The majority of data breaches involve human error. Training is not a box-tick exercise - it is one of the most effective risk controls available.
- Provide GDPR awareness training to all staff who handle personal data
- Cover: what personal data is, staff obligations, how to handle rights requests, and how to report a breach
- Deliver refresher training at least annually
- Maintain training records
- Provide role-specific training for staff with elevated access or responsibility (HR, finance, IT)
Common GDPR failure points for UK SMEs
Based on recurring patterns in ICO enforcement and advisory work, these are the areas where SMEs most often fall short:
Inadequate consent mechanisms. Pre-ticked boxes, bundled consent, and vague wording remain common. Consent must be specific to each purpose, freely given, and easy to withdraw.
Missing or outdated privacy notices. Many organisations have a privacy policy page but have not reviewed it since GDPR came into force in 2018. Notices need to reflect current processing activities.
No Data Processing Agreements with processors. Using a cloud CRM, payroll software, or email marketing platform without a signed DPA is a compliance gap. Most major providers offer these, but you need to actively sign them.
Weak breach response. Organisations often discover they have no documented process for handling a breach only when one occurs. By then, the 72-hour notification window is already running.
Over-retention of data. Keeping personal data "just in case" is not lawful. Retention periods must be defined, justified, and enforced.
For a broader view of how compliance fits into your IT strategy, the IT governance framework for UK SMEs covers how to embed accountability for compliance into your organisational structure.
How our IT compliance services can help
Working through a GDPR checklist is straightforward when your data estate is well-understood. For many SMEs, the challenge is that the underlying picture is unclear - data is scattered across systems, third-party relationships lack documentation, and the person responsible for compliance is already wearing multiple hats.
Our IT compliance consulting service helps UK organisations establish a clear compliance baseline, identify gaps, and implement controls that are proportionate to the actual risk. We also work with organisations on their broader security consulting needs, where GDPR's security requirements overlap with wider cybersecurity obligations.
If you are assessing your compliance posture for the first time, or preparing for an audit or due diligence process, get in touch for a no-commitment conversation about where you stand.
Frequently asked questions
Does UK GDPR apply to my small business?
Yes, if your organisation processes personal data in the UK or handles the data of UK residents, UK GDPR applies regardless of your size. There are some reduced obligations for smaller organisations (for example, you may not need a mandatory DPO), but the core principles and rights obligations apply universally.
What is the difference between UK GDPR and EU GDPR?
UK GDPR is the UK's domesticated version of the EU regulation, retained in law following Brexit. The substantive requirements are almost identical. The key practical differences are: the ICO is the supervisory authority (not EU data protection authorities), and the transfer mechanisms for sending data outside the UK follow the UK adequacy framework rather than the EU's. Organisations operating in both the UK and EU need to comply with both regimes.
How long do I have to respond to a Subject Access Request?
You must respond to a Subject Access Request within one calendar month of receiving it. You can extend this by a further two months for complex or numerous requests, but you must inform the individual within the first month that you are extending the deadline and explain why. There is no charge for responding to a SAR in most circumstances.
What should I do if I have a data breach?
First, contain the breach and preserve evidence. Assess whether the breach is likely to result in a risk to individuals' rights and freedoms. If it is, notify the ICO within 72 hours of becoming aware of the breach. If it poses a high risk to individuals directly, notify the affected individuals without undue delay. Log the breach regardless of whether it meets the notification threshold. A documented breach response procedure, tested in advance, makes this process significantly less chaotic under pressure.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.