GDPR Compliance for UK and EU Businesses: A Plain-Language Guide
A plain-language guide to GDPR for UK and EU businesses. Learn what you must do, what the penalties are, and how to get compliant without expensive lawyers.
GDPR still catches businesses off guard — seven years in
The General Data Protection Regulation came into force on 25 May 2018. The UK retained it post-Brexit as UK GDPR. Between them, EU and UK regulators have issued billions in fines — including to businesses that genuinely believed they were compliant.
Most small and medium businesses are not breaking GDPR deliberately. They simply don't know exactly what's required. This guide explains it clearly.
Does GDPR apply to your business?
GDPR applies to you if you are established in the EU or UK, if you offer goods or services to people in the EU or UK, or if you monitor the behaviour of people in the EU or UK through analytics or cookies. If any of these apply, GDPR applies — including to sole traders and micro-businesses.
What counts as personal data?
Personal data is any information that can identify a living individual, directly or indirectly: names, email addresses, phone numbers, IP addresses, cookie identifiers, location data, photos, and financial details. If your CRM contains client records, your website has a contact form, or you send a marketing newsletter, you are processing personal data.
The six lawful bases for processing data
You must have a lawful reason to process personal data. GDPR provides six: Consent — freely given, specific, informed agreement; Contract — necessary to fulfil a contract; Legal obligation — required by law; Vital interests — to protect someone's life; Public task — in the public interest; Legitimate interests — your interests, provided they are not overridden by individual rights. Most businesses use contract for client data, legal obligation for financial records, and legitimate interests for prospect follow-up.
Your core GDPR obligations
Privacy notice
You must tell people what personal data you collect, why, how long you keep it, who you share it with, and how they can exercise their rights — in plain, accessible language.
Data subject rights
Individuals have eight rights under GDPR you must respond to within one calendar month: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making.
Data breach notification
If you suffer a personal data breach, you have 72 hours to notify the ICO (UK) or your national supervisory authority (EU). If the breach is likely to cause high risk to individuals, you must also notify them directly without undue delay.
Data Processing Agreements
Any third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) in place. Most reputable providers offer these in their terms or on request.
What the fines actually look like
GDPR has two tiers. Lower tier: up to €10 million or 2% of global annual turnover. Upper tier (most serious violations): up to €20 million or 4% of global annual turnover. UK GDPR mirrors this with GBP equivalents of £8.7 million and £17.5 million respectively.
Three things to do this week
- Audit your data — list every type of personal data you hold, where it lives, and why you have it
- Check your privacy policy — if it's vague, copy-pasted, or hasn't been updated since 2018, it needs attention
- Review your third-party tools — confirm every service handling client data has a GDPR-compliant privacy policy and offers a DPA