Data Privacy Day 2025: What UK Small Businesses Actually Need to Do

Sam
Jan 28, 2025
3 min read

Every January 28th we're reminded about data privacy. But what does GDPR actually mean for a 15-person company? Less than you'd think, and more than you're doing.

Data Privacy Day rolls around every January 28th. Large enterprises issue press releases about their commitment to privacy. Small businesses wonder if any of it applies to them.

The answer: some of it does, but probably not the bits you're worried about.

What GDPR Actually Requires of Small Businesses

Let's cut through the noise. If you're a typical UK SMB (under 250 employees, not processing sensitive data at scale), here's your practical compliance checklist:

1. Know what personal data you hold

Customer names, emails, addresses. Employee records. Supplier contacts. You probably hold more than you think.

The exercise isn't complicated: list the systems where personal data lives. CRM, email, accounting software, shared drives, paper files.

2. Have a legal basis for holding it

For most business data, this is straightforward:

  • Customer data: contractual necessity (you need it to provide your service)
  • Employee data: legal obligation (payroll, tax, employment law)
  • Marketing lists: consent (they opted in) or legitimate interest (existing customers)

You don't need complex legal opinions. Just be able to explain why you have what you have.

3. Keep it secure

This is where most small businesses actually fall short. GDPR requires 'appropriate security measures.' That means:

  • Passwords on computers (obviously)
  • Encryption on laptops (BitLocker, FileVault)
  • Access controls (not everyone can see everything)
  • Staff training (so they don't email customer lists to the wrong person)

4. Delete it when you don't need it

That customer who bought from you once in 2017 and never returned? You probably don't need their data anymore. Regular data housekeeping is a compliance requirement.

5. Have a privacy policy

On your website, explaining what data you collect and why. Template-based is fine for most small businesses.

What You Probably Don't Need

A Data Protection Officer (DPO)

Only required if you're a public authority or doing large-scale monitoring/processing of sensitive data. Most SMBs don't qualify.

Complex Data Protection Impact Assessments

Only for high-risk processing. Adding customers to your CRM doesn't count.

Expensive compliance software

A spreadsheet tracking your data assets and a decent set of policies will cover most SMB needs.

The Real Risks

The ICO (Information Commissioner's Office) does fine small businesses, but usually for:

  • Marketing without consent (sending emails to bought lists)
  • Security failures (leaving customer data exposed)
  • Ignoring subject access requests (when people ask what data you hold on them)

They're not looking to catch small businesses on technicalities. They're looking for genuine harm or negligence.

Your Data Privacy Day Homework

This week, spend 30 minutes on:

  1. List your data systems - where does personal data live?
  2. Check your security basics - are laptops encrypted? When did you last review access permissions?
  3. Review your website privacy policy - does it actually describe what you do?
  4. Check your marketing consent - can you prove people opted in?
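The second homework item can be answered in a couple of minutes on each Windows laptop. The script below is an added example, not part of the original article or of any product it mentions; it assumes a Windows 10/11 machine with the built-in BitLocker and LocalAccounts PowerShell modules and an elevated (Administrator) session. It reports whether each drive is actually protected and who holds local administrator rights, which is the simplest "access permissions" check a small business can do.

```powershell
# Added example: quick checks for "are laptops encrypted?" and
# "who can see everything on this machine?". Assumes Windows 10/11,
# the BitLocker module, and an elevated PowerShell session.

# 1. Encryption status of every BitLocker-capable volume.
#    "On" means the drive is both encrypted and protected by a key
#    protector; a drive can show 100% encrypted with protection still Off.
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    $state = if ($v.ProtectionStatus -eq 'On') { 'PROTECTED' } else { 'NOT PROTECTED' }
    "{0}  {1,-14} {2,3}% encrypted  type={3}" -f $v.MountPoint, $state, $v.EncryptionPercentage, $v.VolumeType
}

# 2. Members of the local Administrators group. Anyone listed here can read
#    every file on the machine, so the list should be short and every entry
#    should be a name you recognise (no leavers, no shared "admin" accounts).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Run it on each laptop and keep the output with your data inventory: a dated record that the drive was protected and the admin list was reviewed is exactly the kind of evidence the ICO means by appropriate security measures. On a Mac, `fdesetup status` in Terminal gives the equivalent FileVault answer.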

When to Get Help

Most small businesses can handle GDPR compliance themselves with some guidance. But consider getting help if:

  • You handle sensitive data (health, financial, children's data)
  • You're entering a regulated sector (NHS supply chain, legal, financial services)
  • You've had a data breach and need to respond properly
  • You're unsure about a specific processing activity

Our Cyber Security service includes data protection guidance as part of the package.
