Compliance, Standards and Contracts
UK GDPR and the Data Protection Act 2018: A Guide for Small Businesses
If you handle any customer, staff or supplier information, the Data Protection Act 2018 and UK GDPR are the two rules that govern how you do it. They are not separate regimes fighting each other. The UK GDPR sets out the core principles and rights, and the Data Protection Act 2018 is the UK law that enacts and tailors it, filling in exemptions and the parts GDPR left to member states. This guide explains how the two fit together, what a small business actually has to do, and what changed under the Data (Use and Access) Act 2025.
How the two laws fit together
When people say “GDPR” in the UK they now mean the UK GDPR, the retained version of the EU regulation kept after Brexit. The Data Protection Act 2018 and UK GDPR are designed to be read side by side: the UK GDPR gives you the seven principles, the six lawful bases and the individual rights, while the Data Protection Act 2018 handles UK-specific detail such as the age of consent for online services (13 here), law enforcement processing, and exemptions for things like journalism and research.
For a typical shop, agency or trades business, the practical point is simple. You need a lawful basis to use personal data, you must keep it secure, and you must be able to answer people who ask what you hold about them. The Information Commissioner’s Office (ICO) enforces both laws.
The seven principles you have to follow
Under UK GDPR you must handle personal data in line with seven principles. In plain terms:
- Lawfulness, fairness and transparency. Have a valid reason and tell people what you do.
- Purpose limitation. Only use data for the reason you collected it.
- Data minimisation. Collect only what you need.
- Accuracy. Keep it correct and up to date.
- Storage limitation. Do not keep it longer than necessary.
- Integrity and confidentiality. Keep it secure.
- Accountability. Be able to show you comply.
That last one, accountability, is where most small businesses fall short. It is not enough to comply; you have to be able to prove it with records, policies and a lawful basis you can point to. Our guide to the 8 principles of data protection breaks each one down further, and the six lawful bases guide helps you pick the right justification for each activity.
What a small business actually has to do
You do not need a compliance department. For most SMEs the core tasks are:
- Register with the ICO and pay the data protection fee unless you are exempt (more below).
- Write a privacy notice telling people what data you collect, why, your lawful basis, and how long you keep it.
- Keep a basic record of processing: what data you hold, where it lives, and who you share it with.
- Set retention periods so you are not hoarding old data. See what a data retention policy is.
- Secure the data with the everyday controls insurers and Cyber Essentials also expect: multi-factor authentication, patched software, backups and access control.
- Be ready to handle rights requests, especially subject access requests, within one month.
- Know your breach duties. A notifiable personal data breach must be reported to the ICO within 72 hours.
The ICO data protection fee
Almost every organisation that processes personal data electronically must pay an annual fee to the ICO, set by the Data Protection (Charges and Information) Regulations 2018. There are three tiers based on size and turnover:
- Tier 1 (micro): £40, for turnover up to £632,000 or 10 or fewer staff.
- Tier 2 (small and medium): £60, for turnover up to £36 million or 250 or fewer staff.
- Tier 3 (large): £2,900.
A £5 discount applies if you pay by direct debit. Failing to pay when you should can lead to a penalty of up to £4,350, so it is cheap insurance to register. Some organisations, such as certain charities and small pension schemes, may be exempt, and the ICO’s data protection fee guide has a self-assessment to check.
What the Data (Use and Access) Act 2025 changed
The Data (Use and Access) Act 2025 (DUAA) does not replace the Data Protection Act 2018 or UK GDPR. It amends them, mostly to reduce administration and add clarity, with changes phased in through 2025 and 2026. The points that matter most to a small business:
- A statutory complaints process. Organisations must now have a route for people to complain about how their data is handled, acknowledge complaints and respond within set timeframes. This became a firm requirement in mid-2026, so if you have not added a data complaints route to your privacy notice, do it now.
- Recognised legitimate interests. The DUAA adds a new lawful basis covering specific public-interest activities such as crime prevention and safeguarding, where you no longer have to run the usual balancing test.
- Automated decision-making. The rules on solely automated decisions have been loosened, with safeguards, which matters if you start using AI tools that make decisions about people.
Most SMEs can carry on much as before, but the complaints process is the one action worth taking straight away. The ICO’s DUAA guidance for organisations tracks each change as it takes effect.
Getting it wrong: fines and breaches
The headline maximum fine under UK GDPR is £17.5 million or 4% of worldwide annual turnover, whichever is higher. In practice the ICO reserves that scale for serious, large-scale failures; small businesses are far more likely to face enforcement notices, reprimands and the reputational damage of a breach than a record fine. The bigger everyday risk is a data breach that triggers reporting duties and, potentially, compensation claims. See our guides on types of GDPR data breaches and how to run a GDPR audit to find gaps before an incident does.
Cyber insurance sits alongside compliance rather than replacing it: it funds the response, legal costs and any claims after a breach, while your data protection obligations are about preventing and managing that breach in the first place. Our cyber insurance for UK small businesses guide covers how the two connect.
Frequently asked questions
Is the Data Protection Act 2018 the same as GDPR? No, but they work together. UK GDPR sets the principles, lawful bases and rights. The Data Protection Act 2018 is the UK law that enacts UK GDPR and adds British-specific detail and exemptions. You have to comply with both.
What happened to the Data Protection Act 1998? It was replaced. The Data Protection Act 1998 was the old UK data law; it was superseded by the Data Protection Act 2018, which brought UK law in line with GDPR. The 1998 Act no longer applies.
Does a small business have to register with the ICO? Usually yes. If you process personal data electronically you normally must pay the annual data protection fee, from £40 for a micro business, unless you qualify for a specific exemption. Check with the ICO’s self-assessment.
What is the maximum GDPR fine in the UK? Up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches. Small businesses more commonly receive reprimands or enforcement notices rather than large fines.
Did GDPR change in 2025? The Data (Use and Access) Act 2025 amended UK GDPR and the Data Protection Act 2018 rather than replacing them. The main practical change for SMEs is a required data protection complaints process, plus new rules on automated decisions and a recognised-legitimate-interests basis.
How long do I have to report a data breach? You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. If it is likely to cause a high risk to the people affected, you must also tell them without undue delay.