Data Protection Basics for SMEs

UK GDPR is built around six core data protection principles. Every business handling personal data must ensure their processing complies with all six:

• Lawfulness, fairness and transparency: You must have a lawful basis for processing; you must be open about what you do with data
• Purpose limitation: Collect data for specific, explicit and legitimate purposes — and do not use it for something incompatible with those purposes
• Data minimisation: Only collect data you actually need — do not gather information "just in case"
• Accuracy: Keep personal data accurate and up to date; correct inaccuracies promptly
• Storage limitation: Do not keep personal data longer than necessary — define and apply retention periods
• Integrity and confidentiality (security): Protect personal data against unauthorised access, loss, or destruction using appropriate technical and organisational measures

A seventh principle — accountability — requires you to be able to demonstrate compliance. This is why documentation such as privacy notices, processing records, and data protection policies matter.

Before you can process personal data, you need a lawful basis. UK GDPR provides six lawful bases:

• Consent: The individual has given clear, freely given, specific, informed consent. Consent must be documented and easy to withdraw.
• Contract: Processing is necessary to perform a contract with the individual, or to take steps before entering a contract.
• Legal obligation: Processing is required to comply with a legal duty (e.g. payroll records for HMRC).
• Vital interests: Protecting someone's life — rarely used in business contexts.
• Public task: Mainly relevant to public authorities.
• Legitimate interests: Processing is necessary for your legitimate interests (or those of a third party), balanced against the rights of the individual. A common basis for business-to-business marketing and fraud prevention.

For special category data (health, race, religion, sexual orientation, trade union membership, biometrics, criminal records), you need both a lawful basis and an additional condition. Most businesses use the "employment law obligations" condition for health data about employees.

UK GDPR grants individuals a number of rights over their personal data. As a business, you must be able to respond to these rights requests within one month:

• Right of access (Subject Access Request): The right to receive a copy of all personal data held about them, free of charge
• Right to rectification: Correct inaccurate or incomplete personal data
• Right to erasure ("right to be forgotten"): In certain circumstances, delete personal data — though this is not an absolute right
• Right to restrict processing: Pause processing in certain circumstances while a dispute is resolved
• Right to data portability: Receive data in a portable format (applies mainly to automated processing based on consent or contract)
• Right to object: Object to processing based on legitimate interests or for direct marketing — direct marketing objections must always be honoured

You should have a clear process for receiving and responding to data rights requests. Document each request and your response.

A personal data breach is any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:

• Sending an email containing personal data to the wrong recipient
• A cyberattack resulting in customer data being stolen
• A laptop containing unencrypted personal data being stolen
• Accidentally deleting important records

Not every breach needs to be reported to the ICO. You must report a breach within 72 hours only if it is likely to result in a risk to individuals' rights and freedoms. If the risk is high, you must also notify the affected individuals without undue delay.

You must keep a record of all data breaches — even those that do not need to be reported to the ICO. This internal breach log should describe what happened, the data involved, the impact, and the remedial action taken. The ICO can request to see it during an investigation.