United Kingdom Act

Data Protection Act 2018

The Data Protection Act 2018 sits alongside the UK GDPR and deals with UK data protection rules, exemptions, enforcement and special...

In force | United Kingdom | Plain-English guide | 4 practical checks

Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.

Start here

Quick read

  • For small businesses, the practical point is to treat privacy as an operating system.
  • Know what data you collect, why you collect it, who receives it, how long you keep it and what you would do if it was lost or misused.

Likely relevant if

  • Businesses holding customer or staff data
  • Online stores and SaaS businesses
  • Employers processing HR records

Check first

  • Identify the lawful basis for using personal data
  • Keep privacy notices accurate
  • Use processor contracts where vendors handle data

What this means in practice

For small businesses, the practical point is to treat privacy as an operating system. Know what data you collect, why you collect it, who receives it, how long you keep it and what you would do if it was lost or misused.

Key points

  • Privacy compliance starts with a data map, not a policy template.
  • Vendor terms matter because processors often hold the riskiest data.
  • Data retention is easier to fix before there is a dispute or breach.

When this law usually matters

Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.

Key points

  • Businesses holding customer or staff data
  • Online stores and SaaS businesses
  • Employers processing HR records
  • Businesses using processors, analytics or marketing tools

What to check first

Sense check

  • Identify the lawful basis for using personal data
  • Keep privacy notices accurate
  • Use processor contracts where vendors handle data
  • Respond to rights requests and breaches properly

Documents and workflows to review

Key points

  • Privacy policy
  • Data processing agreements
  • Employee privacy notice
  • Data breach response plan
  • Retention schedule
