Insights · GDPR · 6 min read

A GDPR baseline for a small UK business, in five steps.

You do not need a 40-page policy. You need the right five documents and a written sense of who reads what. This is the minimum, in plain English. If you have a website, a customer list and a few employees — this applies to you.

Step 1. Register with the ICO and pay the fee

Most UK businesses that process personal data are legally required to pay the Information Commissioner's Office a small annual data protection fee (currently £40 for most micro-organisations, payable by direct debit at £35). Registration takes about 15 minutes online and you get a registration number that goes on your website.

This is the single most-skipped step among small UK businesses. The fine for not registering is £4,350 and the ICO publishes the names of non-payers. It is not optional. Self-assessment tool here.

Step 2. Write (or buy) a privacy notice and put it on your website

The privacy notice tells visitors and customers what data you collect, why, how long you keep it, and what their rights are. It should be in plain English, visible from every page (usually a footer link), and updated when material things change.

What goes in it, at minimum:

  • Who you are (legal name, address, contact email)
  • What categories of personal data you collect (name, email, payment details, etc.)
  • Why you collect each category (the "lawful basis" — usually contract, legitimate interest, or consent)
  • How long you keep the data
  • Who you share it with (your hosting provider, your accountant, etc.)
  • The rights customers have under UK GDPR (access, correction, deletion, complaint to the ICO)
  • How to contact you about any of the above

Step 3. Build a Record of Processing Activities (ROPA)

A ROPA is an internal document — clients never see it — listing every "activity" in which you handle personal data and the basics of how. For most small UK businesses it is a single spreadsheet with one row per activity. Typical rows:

  • Sending customer invoices
  • Managing the customer mailing list
  • Holding employee records (HR)
  • Responding to enquiries from the website
  • Handling supplier accounts

For each row: what's collected, why, on what lawful basis, how long it's kept, where it's stored, who it's shared with. Half an A4 page total. The point is not the paperwork — it's that you have a clear sense of where personal data lives in your business.

Step 4. Decide how you respond to subject-access and deletion requests

Under UK GDPR, any individual can ask you "what data do you hold about me?" (a Subject Access Request, or SAR) or "please delete it" (right to erasure). You must respond within one calendar month, free of charge in normal cases.

You do not need a 20-page procedure. You need one paragraph that says:

  1. Who at the business receives the request (your email address — for a sole trader, you).
  2. How you confirm the identity of the person asking.
  3. What you check (CRM, email archive, accounting system, HR file).
  4. What you send back (the data in a readable format) or what you tell them you cannot delete (regulatory record-keeping reasons).

Write it down once. Stick it in the same folder as the ROPA.

Step 5. Have a breach-response note

If personal data is lost, stolen or accidentally exposed — laptop left on a train, email sent to the wrong address with a customer list attached, supplier database breach you're notified about — you may be required to notify the ICO within 72 hours.

The breach-response note is half a page. It says:

  • Within an hour of discovery: stop the bleed (revoke access, change passwords, lock the file).
  • Within 24 hours: assess what data was affected, how many people, and whether it is "high risk" (e.g. financial information, health data).
  • Within 72 hours: if it's reportable, notify the ICO at ico.org.uk/report-a-breach. If not reportable, document why you decided that.

That's the baseline. ICO registration + privacy notice + ROPA + SAR procedure + breach-response note. Five documents, half an afternoon's work if you have a template, the start of GDPR compliance that will stand up to scrutiny.

What's not in the baseline (but you'll be asked about)

If you grow, the next steps are: Data Processing Agreements with any third party that handles personal data on your behalf (cloud providers, payroll bureau, marketing agency); cookie / consent banner if you use analytics or tracking beyond strictly-necessary; and a DPIA (Data Protection Impact Assessment) if you launch anything genuinely new with personal data, like a CCTV system or a customer behavioural-tracking platform.

What we do. A full GDPR baseline package — privacy notice, ROPA, SAR workflow, breach-response note, and a one-page staff training summary — is fixed-fee from £1,200, typically delivered in two weeks. Get in touch if you need it.


Taran Legal is not a firm of solicitors and is not regulated by the SRA. This briefing is for general information only and is not legal advice on any specific matter.

Want a tailored GDPR baseline?

Five documents, plain English, fixed fee, two weeks to delivery.

Ask about the package