
Worried your business is breaking data protection rules without knowing it? You are not alone. This UK GDPR compliance checklist gives you clear, tickable steps for 2026. UK data protection law changed this year under the Data (Use and Access) Act 2025, so some older checklists are now out of date. By the end, you will know what to do yourself and what to hand to a specialist. No jargon. No guesswork. Just the actions that keep your small business compliant.

What is a GDPR compliance checklist?

A GDPR compliance checklist is a list of practical steps a business follows to meet UK data protection law. It covers how you collect, store, use and protect personal data. For UK small businesses in 2026, it also includes new duties under the Data (Use and Access) Act 2025.

Use the quick list below to see the full picture. Each step is explained in detail later.

  1. Map the personal data you hold
  2. Set a lawful basis for using it
  3. Publish a clear privacy policy
  4. Get cookie consent right
  5. Register with the ICO
  6. Handle data requests and complaints
  7. Sign data processing agreements
  8. Plan for a data breach

Does GDPR apply to small businesses in the UK?

Yes, GDPR applies to almost every UK small business that handles personal data. This includes sole traders and online shops. There is no blanket exemption for being small. Your duties are proportionate, so a one-person firm does less than a 50-person company.

Personal data means any information that identifies a living person. Names, emails, addresses and payment details all count. If you store customer or staff data, the rules apply to you.

The UK GDPR and the Data Protection Act 2018 are still the core laws. The Data (Use and Access) Act 2025 changed parts of them in 2026. It did not replace them.

Trade with the EU stays simple too. The European Commission renewed the UK’s data adequacy in December 2025. That arrangement runs until late 2031.

What changed for GDPR in 2026? The Data (Use and Access) Act

Several rules changed in 2026 under the Data (Use and Access) Act 2025. Most updates took effect on 5 February 2026. A new right to complain directly to a business began on 19 June 2026.

Area          | What changed from 2026
Complaints    | You must offer a complaints route and acknowledge within 30 days
Cookies       | A narrow opt-out now covers some analytics cookies
Lawful basis  | New ‘recognised legitimate interests’ need no balancing test
PECR fines    | Now aligned with UK GDPR, up to 17.5 million pounds

Complaints are the biggest change for small firms. You must give people a clear way to raise concerns about their data. You must acknowledge each complaint within 30 days. No small-business exemption applies.

According to GOV.UK, these reforms aim to simplify the rules while keeping strong protection.

The GDPR compliance checklist for UK small businesses

Work through this GDPR compliance checklist for UK businesses in 2026. Tackle the steps in order. Tick each one off as you go.

1. Map the personal data you hold

Start by listing what data you collect and where it lives. Note why you hold it and who can access it. This record is often called a ROPA. It is the foundation for every other step.

2. Choose a lawful basis for each activity

You need a legal reason to use personal data. Common bases include consent, contract and legitimate interests. The 2026 rules added ‘recognised legitimate interests’ for set tasks like fraud prevention. These need no balancing test, but the use must still be necessary.

3. Publish a clear privacy policy

Your privacy policy tells people how you use their data. It must be honest, specific and easy to read. From 2026 it should also explain how to complain to you. We often see small firms copy a generic template that misses key details, so consider ongoing compliance support to get it right.

4. Get cookie consent right

Cookie rules shifted slightly in 2026. You still need consent for most tracking and marketing cookies. A narrow opt-out now covers some analytics cookies. Your cookie banner and policy should reflect this.

5. Register with the ICO and pay the fee

Most UK businesses must register with the ICO. You also pay an annual data protection fee. The fee depends on your size and turnover. Check the current bands on the ICO website.

6. Handle data requests and the new complaints duty

People can ask to see, correct or delete their data. These are data subject rights, and you must respond promptly. From 19 June 2026 you must also handle data complaints directly. Set up a simple route, name an owner, and keep a log.

7. Sign data processing agreements with suppliers

Chances are you share data with other companies. Examples include email tools, your CRM and payment providers. Each of these suppliers needs a data processing agreement, or DPA. Owners often forget these contracts exist until something goes wrong.

Some providers store data outside the UK. Read our guide on transferring data internationally before you sign.

8. Tighten your data security

Strong security protects data and proves you take it seriously. Use strong passwords, two-factor login and limited access. Encrypt sensitive files and update software often. Good habits here prevent most common breaches.

9. Have a data breach plan

Breaches happen even to careful firms. Report serious ones to the ICO within 72 hours. Write a simple plan now so you can act fast. Know who to call and what to record.

10. Train your team

Human error causes most data breaches. Train staff to spot phishing and handle data with care. Cover handling employee personal data too. Short, regular sessions work better than one long talk.

11. Decide if you need a DPO

Few small businesses need a formal Data Protection Officer. The duty applies mainly to large-scale monitoring or sensitive data at scale. Still, give one person clear responsibility for data protection.

Extra steps for e-commerce and marketing businesses

Online shops and marketing-led firms handle extra-sensitive data flows. A few targeted steps cut your risk. Focus on the points below alongside the main checklist.

E-commerce data

Card payments and customer accounts need tight security and clear retention limits. Only keep order data for as long as you need it. Check that your payment provider and platform sign a DPA.

Email and SMS marketing

Marketing messages fall under PECR as well as GDPR. You usually need consent before emailing or texting consumers. Include an easy unsubscribe link in every message.

How much are GDPR fines in the UK?

GDPR fines in the UK can reach 17.5 million pounds or 4% of global turnover. The higher figure applies. Most small businesses face reprimands or notices rather than huge fines. Since 2026, cookie and marketing penalties match these limits.

Regulators usually help smaller firms fix problems first. Big fines target serious or repeated failures. Lost trust often costs more than the fine itself.

What to do yourself, and when to get legal help

Many checklist steps are easy to do alone. Others carry real risk if the wording is wrong. The table below shows where to draw the line.

Do yourself                   | Get expert help
Mapping your data             | Drafting privacy and cookie policies
Basic staff training          | Data processing agreements
Access and password controls  | The new complaints procedure
A simple breach plan          | Lawful basis for marketing

Nouveau Legal drafts these documents for small businesses every week. We offer fixed fees and plain English, with no surprise bills. You can get ongoing compliance support tailored to your size.

Frequently asked questions

Does GDPR apply to small businesses in the UK?

It applies to almost any UK business that handles personal data, including sole traders. There is no blanket small-business exemption. Your duties stay proportionate to your size and risk.

What changed for GDPR in the UK in 2026?

Updates came under the Data (Use and Access) Act 2025 in stages. Most started on 5 February 2026. The new complaints duty began on 19 June 2026.

Do I need to register with the ICO as a small business?

Almost all businesses that handle personal data must register with the ICO and pay a yearly fee. The amount depends on your size and turnover. Check the current bands on the ICO website.

How much are GDPR fines in the UK?

UK GDPR allows fines up to 17.5 million pounds or 4% of global turnover, whichever is higher. The ICO often uses reprimands for smaller firms. Since 2026, cookie and marketing fines match these limits.

Do small businesses need a Data Protection Officer?

Small businesses rarely need a formal DPO. One is required only for large-scale monitoring or sensitive data at scale. Even so, give one person clear responsibility for data protection.

Get your GDPR compliance sorted

Data protection feels daunting, but it breaks down into clear steps. Work through this checklist, fix the easy wins, and update for the 2026 rules. Get expert help for the parts that carry real risk.

For more practical small-business legal guides, visit our blog.

Want peace of mind that your business is compliant? Book a call with our team for affordable, plain-English support. We will handle the tricky parts so you can focus on running your business. Where does your business stand on the checklist today?
