UK GDPR: Keeping your small business compliant

With the General Data Protection Regulation (GDPR) in force since 2018, and now retained in UK law as the UK GDPR, it’s tempting to think all the fuss that surrounded its introduction has gone away. But UK GDPR is still very much with us.

People are more aware of their individual rights, and data breaches by organisations are often in the news. For your small business, breaching UK GDPR could lead to severe fines (the ICO can fine up to £17.5 million or 4% of annual worldwide turnover, whichever is higher), bad publicity, and the cost of putting things right afterwards. The Information Commissioner’s Office (ICO) is also now publishing details of reprimands it has issued on its website, resulting in negative publicity even where a fine has not been issued.

Another reason to ensure good personal data protection is that it will create trust in both your employees and your customers. Both groups want to know that their private information is as safe as possible in your hands, and that you’ll always be open and honest about how it will be used.


There are seven essential principles of UK GDPR compliance:

  1. Be transparent about the data you hold and what you do with it

Right from the start, it’s essential that you’re always truthful and open about how you’ll be using people’s personal data and why. This includes data about your workforce and your customers. You should write your privacy notices in clear, plain language that’s easy to understand and accessible to all.

…and ensure you respect individuals’ rights.

Individuals have certain rights surrounding their personal data, two of which are the ‘right to be informed’ and the ‘right of access’. This means a person should be told how their data is being used, and they can request a copy of all the personal data you hold about them (a subject access request). You must respond without undue delay and within one month of the request (extendable by up to two further months if the request is complex or you receive several from the same person), and you can’t normally charge a fee for it.

  2. Be clear about the purpose for collecting and holding data, and do not use it for any other purpose

Whenever you need to collect, store or access personal data, this counts as “processing”, and you need to define your purpose for processing it. This will help individuals to understand how their data is being used and decide if they’re happy to share their details with you.

Your purposes for processing personal data must fall within one or more of the “lawful bases” for processing. These are:

  • Consent
  • Contract
  • Legal Obligation
  • Vital interests
  • Public Task
  • Legitimate interests

Although there is a limited exemption from the record-keeping requirements for organisations with fewer than 250 employees, it does not apply where processing is more than occasional, could result in a risk to individuals, or includes special category or criminal offence data, so in practice most employers still need records. It’s best practice to document how you’re complying with the UK GDPR in any case. You’ll also need to lay out the purpose for processing personal data in your privacy notices.

If you want to use some data for another purpose that you did not originally specify, you can only do so if:

  • The new purpose is compatible with the original purpose (e.g., it is closely related to the original and would not have an unexpected or adverse impact on the individual)
  • You get the individual’s specific consent for the new purpose (which can be withdrawn at any time)
  • There is a clear legal provision requiring or permitting the new processing, for example a new function for a public authority

“Special category” data is personal information that is extra-sensitive: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation. To process this type of data you need both a lawful basis (from the list above) and a separate condition for processing special category data, chosen from a list of ten options.

  3. Hold as little personal data as possible and only sufficient to do what you need

The “data minimisation principle” means that the personal data you collect must be adequate, relevant and limited to what is necessary to fulfil your purpose or purposes. To do this, you must first decide what the minimum amount of data you need for that purpose is. You should hold that much information and no more.

Every person, in certain circumstances, has the ‘right to erasure’ (often called the ‘right to be forgotten’), which means they can request that you delete the personal data you hold about them. This right is subject to exceptions, including the need to retain data to meet legal requirements, such as payroll and tax records.

  4. Keep data accurate and up to date

It’s your responsibility to make sure the personal data you hold isn’t misleading, which means keeping it accurate and up to date. Carrying out periodic checks and audits on the data you have will help you to recognise any discrepancies or errors. It’s a good idea to document any changes you make to the data.

Individuals have the ‘right to rectification’ if they believe any data you are holding about them is inaccurate. Having HR software means that employees can log in and change some personal details such as their home address themselves, which cuts down on your admin time for routine tasks.

  5. Only store personal data for as long as necessary

The principle of data “storage limitation” means that you must only keep an individual’s personal data for as long as necessary. This period of time may vary according to what you are using the data for, which will need to be defined (see the purpose limitation principle).

You must be able to justify why you are keeping the data for as long as you are. It’s a good idea to create a standard policy of retention periods for each type of data, which can be adjusted if needed.

With HR software, personal data can be deleted automatically after a set period of time, which means that you won’t have to go looking for it. Do check that the deletion reaches every copy, including exports, spreadsheets and paper files held outside the system. This will help to save time and stress, while ensuring your compliance with this principle of the UK GDPR.

  6. Keep personal data secure

You must make sure that all appropriate measures have been taken to ensure people’s personal data is safe. To do this, you must consider physical factors such as the security of your workplace, storage and disposal of paper documents, security of your IT equipment and who has access to personal data.

Carry out a risk analysis to identify any areas where data security could be lax. Are files left on desks when not in use? Are all computers protected with unique passwords and, where available, multi-factor authentication, and are laptops encrypted in case they are lost or stolen? Does each person have access only to the records they need for their role? It’s best practice to store documents in HR software that is designed to hold them securely, and to use encryption (both on the device and when data is transferred) to minimise the risk of sensitive details being read by the wrong person.

Another element to consider is any third party you share data with, for example if you sub-contract your payroll to another company. Where that company processes the data on your instructions, it is a “processor” and the UK GDPR requires a written contract (often called a data processing agreement) setting out what it may do with the data, the security it must apply, and its obligations to help you with breaches and individuals’ requests. We recommend putting such an agreement in place with every third party that handles personal data on your behalf, to lay out the expectations and responsibilities of each in terms of UK GDPR compliance.

  7. You’re accountable for complying with data protection law

As an individual, business or organisation which holds personal data, you’re responsible for ensuring you stay compliant with the UK GDPR, to protect your employees and customers from harm. This involves creating effective data protection policies, implementing security measures, and identifying and reporting data breaches.

You must report any personal data breach that is likely to pose a risk to individuals’ rights and freedoms to the ICO within 72 hours of becoming aware of it, and, where the risk is high, tell the affected individuals without undue delay. You should also keep an internal log of every breach, including those you decide not to report, recording what happened and why you made that decision. However, you can significantly reduce the risk of a breach happening by training your staff to follow your policies and use common sense to keep personal data safe.

Reiterating simple measures to all staff, such as not clicking suspicious links in emails or text messages, shredding confidential documents when no longer needed and password protecting documents can go a long way to preventing a serious data breach.

At citrus HR we love supporting our customers and ensuring their small businesses remain compliant so they can focus on what they do best! If you’d like support and unlimited advice on tricky HR and compliance issues, please do get in touch with us today at
