
GDPR compliance checklist for small businesses

GDPR compliance is not a one-time project — it's an ongoing programme. This checklist covers the essential steps for a small business to establish a baseline of compliance.

Data mapping — know what you have

  • List all the personal data your business collects (customers, prospects, employees, suppliers)
  • Identify where each type of data is stored (CRM, email platform, spreadsheets, paper files)
  • Document why you collect each type of data and your lawful basis for processing it
  • Identify all third parties who receive personal data and confirm Data Processing Agreements are in place
  • Note which data transfers go outside the UK or EEA and which safeguard covers each (adequacy decision, Standard Contractual Clauses or the UK IDTA, or Data Privacy Framework certification)

Privacy notices

  • Privacy policy published on your website and kept up to date
  • Privacy policy written in plain language (not just legal boilerplate)
  • Privacy notice provided to employees (for HR data processing)

Consent and cookies

  • Cookie notice or policy in place if you use non-essential cookies
  • Cookie consent banner in place, with consent obtained before any non-essential cookie (analytics, advertising, tracking) is set; strictly necessary cookies do not need consent
  • Marketing consent obtained via a clear opt-in (no pre-ticked boxes, no consent inferred from silence or continued browsing)
  • Consent records kept: who consented, when, to what, and through which wording
  • Withdrawing consent is as easy as giving it, and withdrawal actually stops the processing it covered

Data subject rights

  • Process in place to answer Subject Access Requests within one month of receipt (extendable by up to two further months for complex or numerous requests, provided the requester is told within the first month)
  • Process for handling erasure requests, including instructing processors to delete the copies they hold
  • DSAR form or contact route published on your website, with a way to verify the requester's identity before any data is disclosed
  • Ability to provide the data in a structured, commonly used, machine-readable format (CSV or JSON)

Data security

  • All websites served over HTTPS (TLS) with plain HTTP redirected, and certificates renewed before they expire
  • Passwords stored with a salted, deliberately slow password-hashing function (bcrypt, scrypt or Argon2), never in plaintext and never as a fast unsalted hash such as MD5 or SHA-256
  • Access to personal data limited to those who need it, and removed promptly when staff change role or leave
  • Regular data backups with tested restore procedures, with backups subject to the same access controls and retention limits as live data
  • Staff with access to personal data have received basic data protection training
  • Data breach response plan in place (see Breach preparedness below)
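The password item above is the one on this list that is most often got wrong in code, so here is an added example (not code from the original page or from Trust Center) contrasting the pattern the checklist rules out, an unsalted fast hash, with a salted scrypt record and a constant-time verifier. It uses only the Python standard library; the scrypt work factors and the `scrypt$N$r$p$salt$digest` record layout are assumptions chosen for illustration, and the sample passwords are constructed test data.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors. These values are an assumption for illustration;
# tune them to your hardware so that one hash costs tens of milliseconds.
SCRYPT_N = 2 ** 14   # CPU/memory cost (must be a power of two)
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelisation
DKLEN = 32           # derived key length in bytes
SALT_LEN = 16        # bytes of random salt per password


def weak_hash(password: str) -> str:
    """The pattern the checklist rules out: a fast, unsalted hash.
    Equal passwords give equal digests, so a leaked table can be
    attacked with precomputed tables and cheap GPU brute force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$digest'.
    A fresh random salt per password means two users with the same
    password no longer produce the same record."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters carried in the record and
    compare in constant time. Malformed or tampered records verify as
    False instead of raising, so a corrupted row cannot break login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except ValueError:
        # covers non-numeric fields, bad hex, and scrypt rejecting
        # absurd parameters (e.g. n not a power of two, memory too large)
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
    # Two accounts sharing a password get different records...
    print(hash_password("hunter2") != hash_password("hunter2"))      # True
    # ...whereas the weak scheme reveals that they share one.
    print(weak_hash("hunter2") == weak_hash("hunter2"))              # True
```

Storing the parameters inside the record is what lets you raise the work factors later and re-hash each user's password on their next successful login, without a migration. If a library such as bcrypt or argon2-cffi is already a dependency, prefer it; the point is the salt, the slow function and the constant-time comparison, not scrypt specifically.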

Data retention

  • Retention periods defined for each category of personal data
  • Process in place to delete data when retention period expires
  • Inactive accounts and contact lists reviewed and purged regularly

Third-party processors

  • DPA in place with every company that processes personal data on your behalf
  • Third-party processors reviewed for GDPR compliance, including their own sub-processor lists; for US providers check for Data Privacy Framework certification (with the UK Extension where UK data is involved), and fall back to Standard Contractual Clauses or the UK IDTA where there is none

Breach preparedness

  • Incident response plan documented
  • Staff know how to recognise and report a potential data breach
  • 72-hour obligation understood: a breach likely to result in a risk to individuals must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and every breach, reported or not, is logged internally with the reasoning
  • Process to notify affected individuals without undue delay when a breach is likely to result in a high risk to them

Ongoing maintenance

  • Privacy policy reviewed at least annually and when processing activities change
  • Cookie policy updated when new tools are added to your website
  • Staff training kept current
  • DPAs reviewed and re-signed when processors change their terms or sub-processors

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.

Get early access →