Data Protection Act 2018
The Data Protection Act 2018 sits alongside the UK GDPR and deals with UK data protection rules, exemptions, enforcement and special...
In force | United Kingdom | Plain-English guide | 4 practical checks
Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.
Quick read
- For small businesses, the practical point is to treat privacy as an operating system.
- Know what data you collect, why you collect it, who receives it, how long you keep it and what you would do if it was lost or misused.
Likely relevant if
- Businesses holding customer or staff data
- Online stores and SaaS businesses
- Employers processing HR records
Check first
- Identify the lawful basis for using personal data
- Keep privacy notices accurate
- Use processor contracts where vendors handle data
What this means in practice
Key points
- Privacy compliance starts with a data map, not a policy template.
- Vendor terms matter because processors often hold the riskiest data.
- Data retention is easier to fix before there is a dispute or breach.
When this law usually matters
Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.
Key points
- Businesses holding customer or staff data
- Online stores and SaaS businesses
- Employers processing HR records
- Businesses using processors, analytics or marketing tools
What to check first
Sense check
- Identify the lawful basis for using personal data
- Keep privacy notices accurate
- Use processor contracts where vendors handle data
- Respond to rights requests and breaches properly
Documents and workflows to review
Key points
- Privacy policy
- Data processing agreements
- Employee privacy notice
- Data breach response plan
- Retention schedule