April 27, 2026

GDPR Small Business Compliance: The 2026 UK Guide

UK GDPR obligations for small businesses tightened in several places during 2026. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with most Part 5 data protection provisions commencing on 5 February 2026 under SI 2026/82. One headline consequence for SMEs: the maximum fine under the Privacy and Electronic Communications Regulations (PECR) rose from £500,000 to £17.5m or 4% of global turnover, whichever is higher. That change reaches any UK SME running outbound marketing through calls, texts or email.

The idea that small businesses sit outside UK GDPR remains one of the most persistent myths in UK data protection, and the ICO has consistently rejected it. UK GDPR applies to any controller or processor handling the personal data of people in the UK, regardless of headcount or turnover. The only size-related relief is a narrow exception in Article 30(5) for record-keeping. This small business GDPR compliance guide sets out what applies in 2026 and what the 2025 Act changed, then walks through the 12 steps a UK SME needs to stand up a defensible position.

Does UK GDPR apply to small businesses in 2026?

Yes. The Information Commissioner's Office (ICO) is unambiguous. UK GDPR and the Data Protection Act 2018 apply to every business that determines the purpose of personal data processing (a controller) or processes data on someone else's behalf (a processor). Employee records, customer contact details, supplier lists, CCTV footage, cookies with identifiers and CVs on your careers inbox are all personal data.

The size-based accommodation in Article 30(5) lets organisations with fewer than 250 staff leave occasional, low-risk processing out of their Record of Processing Activities (ROPA). The moment processing is regular rather than occasional, is likely to pose a risk to rights and freedoms, or touches special category data (health, biometrics, trade-union membership) or criminal offence data, the ROPA obligation applies in full. Most SMEs handling customer data, HR data or marketing data cross that threshold immediately, because payroll, invoicing and CRM use are anything but occasional.

A second myth is worth putting to rest. Paying the annual ICO data protection fee is not GDPR compliance. The fee is a registration duty under the Data Protection (Charges and Information) Regulations 2018. Tier 1 micro organisations (ten or fewer staff, or turnover at or below £632,000) pay £52. Tier 2 SMEs (turnover at or below £36m, or 250 staff or fewer) pay £78. Tier 3 is £3,763. Paying it keeps you off the non-registration list, nothing more.

What the Data (Use and Access) Act 2025 changed for SMEs

The 2025 Act amended UK GDPR, the DPA 2018 and PECR. Four changes matter most for small business data protection.

PECR fines now align with UK GDPR. Outbound marketing teams at any size of business sit in scope. A fintech SME cold-emailing an unverified list, or a healthtech SME sending SMS follow-ups without a lawful basis, now faces the same maximum penalty band as a breach of the UK GDPR principles.

Subject Access Requests (SARs) received a "reasonable and proportionate" search standard in statute, alongside an explicit stop-the-clock provision for clarification. SMEs can answer SARs without open-ended trawling, provided the request log evidences the clarification.

Section 112 changed the cookie rules. Low-risk analytics, functional display (language and accessibility preferences) and emergency geolocation can run without prior consent, provided the user is told. Advertising, A/B testing and personalisation cookies still require opt-in consent. The ICO published draft cookie guidance in July 2025.

The new recognised legitimate interests basis is a closed statutory list. A small business cannot add its own category. National security, crime prevention, safeguarding and emergency response qualify. Ordinary commercial processing still runs on the existing six Article 6 bases, and ordinary legitimate interests still requires the balancing test.

The seven UK GDPR principles in plain English

Article 5 of UK GDPR sets seven data-handling principles.

  1. Lawfulness, fairness and transparency. Every processing activity has a named lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests), is described honestly to the data subject, and is not used for a hidden purpose.
  2. Purpose limitation. Data collected to onboard a patient cannot be reused for advertising without a fresh basis or a compatible-purpose test.
  3. Data minimisation. Only what the stated purpose requires. If your intake form collects date of birth when age-band would do, cut the field.
  4. Accuracy. Inaccurate data is corrected or erased without undue delay.
  5. Storage limitation. Retention periods are set, documented and enforced.
  6. Integrity and confidentiality (security). Article 32 requires appropriate technical and organisational measures; the ICO's enforcement pattern (below) shows what that looks like in practice.
  7. Accountability. You can demonstrate the above at short notice, in writing.

Breaches of the principles sit in the higher UK GDPR fining tier: up to £17.5m or 4% of global annual turnover.

The eight data-subject rights and how a small business should respond

UK GDPR gives individuals eight rights: to be informed, to access (the SAR), to rectification, to erasure, to restrict processing, to data portability, to object, and rights relating to solely automated decision-making. The standard response period is one calendar month, extendable by two months for complex or multiple requests, with the extension and reason communicated to the requester inside the first month.

Practical failure points for SMEs are almost always process failures rather than legal ones. The request lands in a support inbox that nobody monitors against a compliance clock, or the clarification email is sent but never logged, so the stop-the-clock pause cannot be evidenced. Production overruns because nobody scoped the search before exporting data. The fix is a named responder, a logged receipt date and a template covering acknowledgement, clarification, production and closure.
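Because the clock is where SMEs most often slip, the following deadline calculator, written for this guide and not part of any ICO or Naq tooling, encodes the ICO's published way of counting "one calendar month": the same calendar date in the following month (or that month's last day when no such date exists), rolled forward to the next working day if it lands on a weekend or bank holiday, with the two-month extension and the clarification pause layered on top. The bank-holiday set is a constructed sample, and modelling the stop-the-clock pause as days added to the deadline is an assumption to check against current ICO guidance.

```python
"""Deadline calculator for UK GDPR data-subject-rights requests.

Constructed example for this guide; not ICO or Naq software.  Implements the
ICO counting method for "one calendar month" plus the two-month extension.
The stop-the-clock pause for clarification is modelled as simply adding the
paused days to the deadline (assumption: check against current ICO guidance).
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Constructed sample: England and Wales spring bank holiday, 25 May 2026.
# A real deployment would load the full list from the GOV.UK bank-holidays feed.
SAMPLE_BANK_HOLIDAYS: FrozenSet[date] = frozenset({date(2026, 5, 25)})


def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later, clamped to the target month's last day."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: FrozenSet[date]) -> date:
    """Roll forward past Saturdays, Sundays and any listed bank holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(
    received: date,
    *,
    extended: bool = False,
    clarification_requested: Optional[date] = None,
    clarification_received: Optional[date] = None,
    holidays: FrozenSet[date] = frozenset(),
) -> date:
    """Statutory response date for a rights request received on `received`.

    `extended=True` applies the two-month extension for complex or multiple
    requests (three months in total).  If the controller asked the requester
    to clarify, the days between asking and receiving the answer are paused
    and pushed onto the deadline.
    """
    if (clarification_requested is None) != (clarification_received is None):
        raise ValueError("clarification needs both a requested and a received date")
    paused = timedelta(0)
    if clarification_requested is not None and clarification_received is not None:
        if clarification_requested < received or clarification_received < clarification_requested:
            raise ValueError("clarification dates must follow the request in order")
        paused = clarification_received - clarification_requested
    base = add_months(received, 3 if extended else 1)
    return next_working_day(base + paused, holidays)


def extension_notice_on_time(
    received: date, notice_sent: date, holidays: FrozenSet[date] = frozenset()
) -> bool:
    """The extension and its reason must reach the requester inside the first month."""
    return notice_sent <= sar_deadline(received, holidays=holidays)


if __name__ == "__main__":
    # Saturday 31 January 2026: there is no 31 February, 28 February is a
    # Saturday, so the clock ends on Monday 2 March 2026.
    print("31 Jan 2026 request ->", sar_deadline(date(2026, 1, 31)))
    # 25 April 2026: 25 May 2026 is a bank holiday, so the deadline is 26 May.
    print("25 Apr 2026 request ->",
          sar_deadline(date(2026, 4, 25), holidays=SAMPLE_BANK_HOLIDAYS))
```

Log the receipt date, any clarification dates and the computed deadline against the request ID; that log is the evidence the "reasonable and proportionate" standard and the stop-the-clock provision both assume exists.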

Small business GDPR compliance checklist: 12 steps from zero

  1. Register with the ICO and pay the data protection fee, unless you fall inside a narrow exemption documented on ico.org.uk.
  2. Build a Record of Processing Activities, grouped by purpose (HR, customer, marketing, supplier, website). The Article 30(5) carve-out covers only occasional, low-risk processing; anything regular, likely to pose a risk, or involving special category or criminal offence data must be recorded.
  3. Assign a lawful basis to every processing activity. Document the reasoning, particularly where you rely on legitimate interests (a Legitimate Interests Assessment is expected).
  4. Publish a privacy notice meeting Articles 13 and 14: controller contact details, purposes, lawful basis, recipients, retention, rights and the ICO complaint route.
  5. Stand up a Data Protection Impact Assessment (DPIA) process for high-risk processing. A DPIA is mandatory for large-scale special category processing, systematic monitoring and other triggers in the ICO's screening checklist.
  6. Put a data-subject-rights response process behind a single inbox, with the one-month clock tracked from day one.
  7. Create a breach-response runbook covering detection, triage, containment, ICO notification inside 72 hours where the threshold is met, and an internal incident log for non-notifiable events.
  8. Sign Article 28 processor contracts with every processor. For transfers outside the UK to a destination not covered by UK adequacy regulations, apply the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with a Transfer Risk Assessment on file.
  9. Implement Article 32 security: multi-factor authentication on privileged and customer-facing accounts, timely patching, encrypted backups, quarterly access reviews and a tested incident response plan.
  10. Align cookies and electronic marketing with PECR and the ICO's July 2025 draft guidance. Consent Management Platform categories should reflect the new strictly-necessary exceptions without drifting to cover advertising or personalisation.
  11. Decide on a Data Protection Officer. Article 37 makes DPO appointment mandatory only for public bodies, or where core activities involve large-scale systematic monitoring or large-scale special category processing. Most SMEs do not hit the threshold; voluntary appointment is allowed, with the same independence obligations attaching if you use the title publicly.
  12. Review annually. A GDPR policy that is not revisited after material changes drifts out of date quickly.

Small business GDPR compliance by sector: fintech, healthtech, defence

The seven principles apply to every sector. The evidence you have to produce, and the frameworks it ties into, vary sharply by vertical.

A fintech SME operates inside a double regulatory frame. The FCA Consumer Duty (PRIN 2A, in force from 31 July 2023 for new and existing products and 31 July 2024 for closed books) requires firms to act on customer vulnerability. ICO and FCA guidance confirms that data protection law is not a barrier to collecting vulnerability data, provided the firm identifies a valid lawful basis and handles it proportionately. PECR marketing rules add another layer: soft opt-in applies only to existing customers for similar products; cold B2C marketing requires prior consent. UK fintechs with EU operations also come into scope of the Digital Operational Resilience Act (DORA), which overlaps with ISO 27001 on ICT risk management and with GDPR on incident reporting.

A healthtech SME handling patient data is in Article 9 territory from day one. Patient data is special category, so an Article 6 lawful basis plus an Article 9(2) condition is required, and a DPIA is likely mandatory rather than optional. The NHS Data Security and Protection Toolkit (DSPT) is a contractual requirement for any supplier processing patient data through NHS infrastructure. Version 8 of DSPT carries a 30 June 2026 deadline, and its evidence items tie directly to UK GDPR Article 32 controls. GDPR and DSPT evidence come out of the same underlying controls; treating them separately duplicates work.

A defence sub-contractor SME runs a third model. MOD DEFCON 658 has required cyber risk flow-down to sub-contractors at the appropriate risk level since October 2017, under the Defence Cyber Protection Partnership framework. DefStan 05-138 sets technical controls across five risk levels. Primes including BAE Systems, Leonardo, Thales and Babcock route supplier pre-qualification through JOSCAR, operated by Hellios, which treats Cyber Essentials certification and a current GDPR position as gating criteria. The same controls reappear across different buyer questionnaires under different evidence schemas.

Real ICO fines against UK small businesses in 2024 and 2025

The ICO enforcement record since January 2024 shows the pattern clearly. Poxell Ltd was fined £150,000 that month for 2.6 million unlawful marketing calls under PECR regulation 21, and Skean Homes Ltd £100,000 for 600,000 unlawful calls made under various aliases. Later in 2024, LADH Limited was fined £50,000 for 31,329 unsolicited SMS under PECR regulation 22.

In April 2025 the ICO fined DPP Law Ltd £60,000 after a ransomware attack exfiltrated 32.4 GB of data from a legal SME. The notice cited access control failures and, for the first time, explicitly named late breach notification as an aggravating factor: DPP Law reported the breach 43 days after becoming aware of it. Article 33 requires notification without undue delay and, where feasible, within 72 hours of awareness.

In March 2025 the ICO fined Advanced Computer Software Group Ltd £3.07m, the first UK fine issued against a data processor rather than a controller. 79,404 health records were exfiltrated after a ransomware incident. The ICO notice identified the root cause as a single customer-facing account without multi-factor authentication. Most SME Article 32 failures trace back to the same category of problem.

Cookies, PECR and electronic marketing: the rules for small businesses

PECR sits alongside UK GDPR and applies to any website placing cookies or using electronic marketing channels. The 2025 Act extended strictly-necessary exceptions to low-risk analytics, functional display and emergency geolocation, while retaining the consent requirement for advertising, A/B and personalisation cookies.

Marketing consent rules are unchanged. Soft opt-in covers existing customers marketed similar products, with a clear opt-out on every message. Cold B2C marketing through calls, texts or email requires prior consent. B2B is more permissive for corporate subscribers, but sole traders and non-LLP partnerships count as individual subscribers, so the consent and soft opt-in rules apply to them in full, and a named work email address at a corporate subscriber is still personal data under UK GDPR even where PECR regulation 22 does not bite. With PECR fines capped at £17.5m or 4% of turnover, an enrichment-list campaign to an unverified audience is no longer a £500,000 ceiling problem.

How Naq supports small business data protection

The Naq platform is built to automate UK GDPR evidence under Articles 5, 13, 14, 28, 30, 32, 33 and 35 alongside ISO 27001, Cyber Essentials, NHS DSPT and DTAC V2 from a single dashboard. Controls are mapped across frameworks, so one Article 32 control satisfies ISO 27001 Annex A and Cyber Essentials at the same time, rather than being collected three times. Adjacent frameworks supported include Cyber Essentials Plus, DCB 0129, MOD Secure by Design and JOSCAR-aligned defence evidence.

Where SME owners want named expert support, Naq's in-house virtual DPOs and Clinical Safety Officers sit alongside the platform for the controller decisions an SME owner cannot delegate to software.

To see how UK GDPR evidence maps across your existing tooling and frameworks, book a 15-minute demo.


Written by
The Naq Team