UK data protection compliance checklist for small businesses

The UK's data protection regime is governed by UK GDPR (retained from EU GDPR post-Brexit) and the Data Protection Act 2018. The ICO enforces these rules and expects organisations of all sizes to comply. Here is what small businesses need to have in place.

ICO registration

  • Check whether your business needs to pay the ICO data protection fee (most UK businesses that process personal data do — fee is £40–£2,900 depending on size)
  • Register with the ICO at ico.org.uk/registration if required
  • Update your registration annually

Lawful basis for processing

  • Identify the lawful basis for each type of personal data processing your business does
  • Document this in a Record of Processing Activities (RoPA)
  • If relying on consent, ensure records of consent are maintained
  • If relying on legitimate interests, complete a Legitimate Interests Assessment (LIA)

Privacy information

  • Privacy notice published on your website (covers UK GDPR Articles 13 and 14 requirements)
  • Privacy notice provided to employees and job applicants
  • Privacy notice provided at the point of data collection in all contexts

Individual rights

  • Process in place to respond to Subject Access Requests (SARs) within one calendar month
  • Process for handling right to erasure requests
  • Process for handling objections to direct marketing (must be actioned immediately)
  • SAR contact route published on your website

Contracts with processors

  • Written contracts (including DPA clauses) in place with all data processors
  • Contracts include the required clauses specified in UK GDPR Article 28

International transfers

  • Identify any personal data transfers to countries outside the UK
  • Confirm appropriate safeguards: UK adequacy regulations, International Data Transfer Agreements (IDTAs), or Addendum to Standard Contractual Clauses
  • US transfers: check if the provider is certified under the UK-US Data Bridge

Security

  • Technical measures: HTTPS (TLS) for data in transit, access controls, encryption at rest for sensitive data
  • Organisational measures: staff training, data handling policies, clear desk policy
  • Security reviewed and tested periodically

Breach notification

  • Incident response procedure documented
  • Ability to identify a personal data breach within 72 hours
  • Process to report to ICO within 72 hours of becoming aware
  • Process to notify affected individuals without undue delay where required

Children's data

  • If your service may be accessed by under-18s, consider the ICO's Children's Code (Age Appropriate Design Code)
  • High privacy settings by default for children; no profiling of children for commercial purposes
