Does my small business need a privacy policy?

Yes. If your business collects any personal data — including names, email addresses, or website cookies — you must have a privacy policy under UK GDPR. This applies regardless of business size.

UK GDPR is the UK version of the EU General Data Protection Regulation, retained in UK law after Brexit. It is enforced by the Information Commissioner's Office (ICO). The principles are almost identical to EU GDPR.

What is a Data Processing Agreement?

A DPA is a contract required under UK GDPR Article 28 when you share personal data with a third-party processor such as a payroll provider, email marketing platform, or cloud service. It sets out each party's obligations for protecting the data.

UK GDPR for Small Business 2026

Q: Do I need to register with the ICO?

Most organisations that process personal data must pay the ICO's data protection fee, which ranges from £40 to £2,900 per year depending on size and turnover. Some exemptions apply for small charities and individuals processing data for personal purposes.

Get the document

GDPR & Data Protection Compliance Pack

Download — £39.99 →

Does My Business Need a Privacy Policy?

Yes — if your business collects any personal data from individuals, including customers, website visitors, or employees, UK GDPR requires you to publish a privacy policy explaining what you collect and how you use it. This applies to sole traders, partnerships, and limited companies of any size.

⚠️ ICO enforcement is real The ICO issued over £7.5 million in fines in 2025 alone, including fines against small businesses. Non-compliance is not just a big-company problem — a data breach or complaint can trigger an ICO investigation regardless of your size.

The Six UK GDPR Principles

Every business that processes personal data must comply with six principles. Personal data must be:

Lawfully, fairly, and transparently processed — you need a lawful basis and must tell people what you are doing with their data
Collected for specified, explicit, and legitimate purposes — you cannot use data for purposes beyond what you originally stated
Adequate, relevant, and limited — only collect what you actually need
Accurate and kept up to date — take reasonable steps to correct or erase inaccurate data
Kept only as long as necessary — define and stick to retention periods
Processed securely — technical and organisational measures must be in place

What Your Privacy Policy Must Include

A UK GDPR-compliant privacy policy must clearly explain:

Who you are and your contact details (and your Data Protection Officer, if applicable)
What personal data you collect
Why you collect it and your lawful basis (consent, legitimate interests, contract, legal obligation)
Who you share it with and why
How long you keep it
Individual rights: access, rectification, erasure, restriction, portability, objection
How to make a complaint to the ICO

Cookie Policy — PECR

If your website uses cookies (including analytics cookies like Google Analytics), you must also comply with the Privacy and Electronic Communications Regulations (PECR). This means:

Obtaining consent before setting non-essential cookies
Providing clear information about the cookies used
Giving users a genuine choice to accept or reject non-essential cookies
Having a separate cookie policy (or section within your privacy policy)

Data Processing Agreements

If you share personal data with any third-party service that processes it on your behalf — a payroll provider, email marketing platform (Mailchimp, Kit), cloud storage (Google Drive, Dropbox), or CRM system — you must have a Data Processing Agreement (DPA) in place under UK GDPR Article 28.

Common examples requiring a DPA Email marketing software · Payroll and HR systems · Accounting software handling customer data · CRM systems · Cloud storage services · Website hosting providers · Payment processors

Subject Access Requests

Individuals have the right to request a copy of all personal data you hold about them — a Subject Access Request (SAR). You must respond within one month and provide the information free of charge in most cases. An extension of two further months is allowed for complex or numerous requests, but you must inform the individual within the first month.

Do I Need to Register with the ICO?

Most businesses that process personal data must pay the ICO's annual data protection fee: £40 for most sole traders and micro-organisations, £60 for small and medium businesses, £2,900 for large organisations. Check the ICO's self-assessment tool at ico.org.uk to confirm whether you need to register.

Get the documents

GDPR & Data Protection Compliance Pack — 6 Core Documents