SecurSentry
← All notes
UK GDPR

The GDPR Starter Pack Every Small Business Needs

You don't need a legal department to get GDPR right — you need a handful of documents and habits. Here is the practical starter pack, in plain English.

The short version

If you run a small business in the UK, GDPR can feel like a wall of obligations written for someone with a compliance team. It isn’t. For most small organisations it comes down to a practical set of documents and habits you can genuinely build yourself: a privacy notice, a simple record of the data you hold, a lawful basis, basic security, and a plan for breaches and requests. No fear, no jargon. And if you already take reasonable care with your customers’ details, you’ve started. The job is turning that into something you can point to.

What GDPR actually asks of a small business, in plain English

GDPR asks you to be clear about the personal data you hold, have a good reason for using it, keep it reasonably secure, and respect people’s rights over it — and to be able to show you do these things.

The General Data Protection Regulation (GDPR) became part of UK law after Brexit. The version that applies in Britain is UK GDPR, which sits alongside the Data Protection Act 2018, with the ICO (the Information Commissioner’s Office) as regulator. There’s a common myth that small businesses are off the hook. They aren’t. The ICO is clear there’s no general small-business exemption — if you hold personal data (names, emails, staff files, customer lists), UK GDPR applies to you.

But “applies to you” doesn’t mean “buries you.” For a typical small business the law’s principles translate into the five-piece starter pack below. Several pieces are documents you can write in an afternoon. The rest are habits one named owner can hold. (For the fuller picture, including when you might need a Data Protection Officer, our guide to GDPR for small businesses covers it in detail.)

The privacy notice — your front-facing document

A privacy notice is the public-facing document that tells people what personal data you collect, why, how long you keep it, who you share it with, and what rights they have.

This is the one piece of the starter pack the world actually sees, usually the “Privacy Policy” page on your website. The ICO is explicit that every business, however small, needs one, written in simple, open language so people know exactly where they stand.

At minimum it should cover: who you are and how to contact you about data; what you collect and where it comes from; why you use it and your lawful basis for each (more below); how long you keep it and who you share it with; and people’s rights, including the right to access their data and, where consent is your basis, to withdraw it.

The ICO even offers a free privacy notice generator for small organisations, which is a sensible place to start. The important thing is that the finished notice describes what your business actually does. A template promising practices you don’t follow is worse than none. Give it to people when you first collect their details, and keep it easy to find afterwards.

TEMPLATE, THEN TAILOR

A good GDPR policy template gets the structure right so you're not staring at a blank page, but every line still has to be true for your organisation. Treat the template as scaffolding, then walk through your real systems and make each statement match reality. That tailoring is the part that protects you.

Knowing what data you hold (a simple record)

A simple record of the personal data you hold — what it is, why you have it, where it lives, how long you keep it, and who you share it with — is the quiet backbone that makes every other GDPR task easier.

You can’t write an honest privacy notice, answer a data request, or assess a breach if you don’t know what you’re holding. This record (often called a Record of Processing Activities, or ROPA) needn’t be elaborate. A single spreadsheet is fine. Start with your biggest categories and work outwards:

For each, note why you hold it, where it’s stored, how long you keep it, and who you share it with. A full formal ROPA is strictly required mainly for higher-risk processing, but a simple version is strongly advisable regardless. It turns every later task from guesswork into a lookup.

You can’t protect, justify, or honestly describe data you haven’t first mapped. The record is dull to make and invaluable to have.

Lawful basis — why you are allowed to use the data

A lawful basis is the legal reason you’re allowed to use a particular set of personal data — and UK GDPR gives you six to choose from, with most small businesses relying on just two or three.

Under UK GDPR, every use of personal data needs a lawful basis: a documented justification for processing it. Article 6 sets out six:

In practice, most small businesses lean on contract (a delivery address to fulfil an order), legal obligation (payroll records for tax), and legitimate interests (a relevant update to existing customers). Consent matters most for marketing to people who aren’t yet your customers.

The work here isn’t choosing. It’s writing it down. The ICO expects you to determine your lawful basis before you start processing and to record which basis applies to each purpose. That’s an afternoon’s job, and once done it slots straight into your privacy notice and data record, closing one of the quietest gaps in small-business GDPR.

Keeping data secure — the overlap with Cyber Essentials

GDPR requires “appropriate” security for personal data without prescribing the exact controls — and the everyday basics in Cyber Essentials are precisely the controls that satisfy it.

This is where many small businesses don’t realise how far along they already are. GDPR’s security principle asks for measures “appropriate” to the risk but deliberately doesn’t hand you a checklist, and the practical answer is the basics you’d put in place anyway. The controls behind Cyber Essentials, the UK government-backed scheme covering the fundamentals, map almost directly onto the security GDPR expects:

Do these, and you’re not running two separate programmes. Your security work is your GDPR security work. That’s the honest efficiency at the heart of the starter pack. And remember: saying your data is secure and being secure are two different things. The controls above are how you move from the first to the second.

Breaches and requests — having a plan before you need one

A breach-and-request plan is a short, written procedure for the two moments you can’t improvise under pressure: a personal data breach, and someone asking for their data.

These two events share a feature: they arrive without warning and both run on a clock. The time to decide who does what is now, calmly, not in the middle of one.

For a breach: if personal data is lost, stolen, or accidentally disclosed and the risk to people meets the threshold, you may need to tell the ICO without undue delay, and where feasible within 72 hours of becoming aware. The ICO is reassuring for small organisations here. You don’t need every detail straight away, just to let them know before the 72 hours are up, with more to follow. So write a one-page procedure naming who’s told first, who decides whether it’s reportable, who contacts the ICO, and who tells affected people. That single page is the difference between a controlled response and a scramble.

For a request: anyone, whether a customer, a former employee, or a prospect, can ask to see the personal data you hold about them. This is a Subject Access Request, and you generally have one calendar month to respond, free of charge. (For a complex request, or several from the same person, that month can be extended by up to a further two, but plan around the one-month default.) A simple process makes it routine rather than alarming: who receives it, where to look, how to collate it, a template reply. Our walkthrough on how to handle a subject access request takes you through it step by step.

WRITE IT WHILE IT'S BORING

Both plans are easy to draft when nothing is going wrong and almost impossible to draft well when something is. An hour now writing two short procedures buys you a clear head at exactly the moment you'll need one most. Mark any gaps honestly: a known gap with a plan beats an unknown one every time.

Putting the starter pack together

Build the five pieces in order — privacy notice and lawful basis first, then your data record, then security basics, then the breach-and-request plan — because each draws on the same picture of what you hold and why.

You don’t have to do it all at once. The goal isn’t a perfect, audit-proof binder by Friday — it’s an honest, working starter pack you can stand behind and improve over time. Lead with the progress you’ve made, mark the gaps plainly, and close them one focused session at a time.

SecurSentry is launching soon to help UK SMEs build genuine, evidence-backed compliance. It maps the documents and controls you actually need, and pulls your privacy notice, data record, lawful basis and breach plan into one joined-up programme. We’re putting together a downloadable GDPR starter pack for the businesses on our list. Join the waitlist to get it first when we open.


This article is general information, not legal or compliance advice. Your obligations depend on your specific circumstances. If you’re unsure about your position, seek qualified guidance from a data protection professional or solicitor.

Frequently asked questions

Does GDPR apply to my small business in the UK?

Almost certainly yes. UK GDPR — which sits alongside the Data Protection Act 2018 and is overseen by the ICO — applies to any organisation that handles personal data, whatever its size. There is no general small-business exemption. If you hold customer names, email addresses, or staff records, you have obligations.

What documents does a small business actually need for GDPR?

The core set is short: a privacy notice for the public, an internal record of what personal data you hold and why, a written note of your lawful basis for each use, basic security measures, and a simple plan for handling breaches and data requests. Most of these are documents you can draft yourself; a few are ongoing habits.

Is a GDPR policy template enough on its own?

A template is a great starting point, but it isn't the finish line. A privacy notice has to honestly describe what your business actually does with data, and a record of processing has to reflect your real systems. Use a template to get the structure right, then tailor every line to your organisation.

How does GDPR connect to Cyber Essentials?

GDPR requires 'appropriate' security for personal data but doesn't prescribe exactly how. Cyber Essentials gives you a concrete, recognised set of basics — access control, patching, secure configuration — that directly support the security part of GDPR. Doing one makes the other easier to evidence.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.