If your business collects or uses information about people (personal data), you must comply with UK data protection law. This includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Personal data is any information relating to an identified or identifiable living person. This includes names, email addresses, phone numbers, IP addresses, employee records, and customer information.

Who must comply

All UK businesses that process personal data must comply, regardless of size. This includes:

Sole traders with customer records
Small businesses with employee data
Online retailers with customer orders
Service providers with client information
Any business using marketing lists or website cookies

The seven data protection principles

UK GDPR Article 5 sets out seven key principles that apply to all personal data processing. You must be able to demonstrate compliance with these principles.

1. Lawfulness, fairness and transparency

Process personal data lawfully, fairly and in a transparent manner. You need a lawful basis and must tell people what you're doing with their data.

2. Purpose limitation

Collect data for specified, explicit and legitimate purposes only. Don't use it for new purposes incompatible with the original reason.

3. Data minimisation

Only collect data that is adequate, relevant and limited to what's necessary for your purposes.

4. Accuracy

Keep personal data accurate and up to date. Take reasonable steps to correct or delete inaccurate information promptly.

5. Storage limitation

Keep personal data only for as long as necessary for your purposes. Define retention periods and delete data when no longer needed.

6. Integrity and confidentiality (security)

Process data securely with appropriate technical and organisational measures. Protect against unauthorised access, loss, or damage.

7. Accountability

Take responsibility for compliance and be able to demonstrate it. Keep records of processing activities and implement appropriate policies.

Penalties for non-compliance

Breaching the data protection principles can result in substantial fines. The ICO can also issue enforcement notices and stop you processing personal data. See the breach notification section below for penalty amounts.

Lawful bases for processing

You must have at least one lawful basis to process personal data. There are now seven lawful bases under UK GDPR (including the new 'recognised legitimate interests' added by the Data Use and Access Act 2025).

UK GDPR lawful bases for processing personal data

The 6 (now 7) lawful bases under UK GDPR Article 6 for processing personal data.

Under UK GDPR Article 6, you must have a valid lawful basis to process personal data. You cannot process personal data without identifying at least one lawful basis that applies to each processing activity.

1. Consent (Article 6(1)(a)): The individual has given clear, specific, informed consent for you to process their personal data for a specific purpose
2. Contract (Article 6(1)(b)): Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
3. Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a common law or statutory obligation under UK law
4. Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life
5. Public task (Article 6(1)(e)): Processing is necessary for performing a task in the public interest or for official functions that have a clear basis in law
6. Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms

Consent requirements: Must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.

Legitimate interests: Requires a documented Legitimate Interest Assessment (LIA) balancing test. Not available to public authorities for their core tasks.

7. Recognised legitimate interests (NEW - from February 2026): Processing necessary for certain pre-approved purposes without requiring a balancing test (Data (Use and Access) Act 2025)
Recognised purposes include: National/public security, defence, emergencies, crime prevention/detection, safeguarding vulnerable individuals
Effective date: 5 February 2026

Note: Direct marketing and intra-group data sharing still require a Legitimate Interest Assessment even under recognised legitimate interests.

ICO guide to lawful basis

Document your decision: Record which lawful basis applies to each processing purpose and justify why. For legitimate interests, conduct a balancing test (Legitimate Interest Assessment). The new 'recognised legitimate interests' basis removes the need for a balancing test for specific pre-approved purposes.

ICO registration and fees

Most businesses must register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. This is a legal requirement under the Data Protection (Charges and Information) Regulations 2018.

ICO data protection registration fees 2025

Three-tier fee structure for ICO registration under Data Protection (Charges and Information) Regulations 2018.

Under the Data Protection (Charges and Information) Regulations 2018, most organisations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO).

Tier 1 fee (micro organisations): £52 per year
Tier 1 threshold: Annual turnover up to £632,000 AND 10 or fewer staff
Tier 1 Direct Debit: £47 per year (£5 discount)
Tier 2 fee (SMEs): £78 per year
Tier 2 threshold: Annual turnover up to £36 million AND 250 or fewer staff
Tier 2 Direct Debit: £73 per year (£5 discount)
Tier 3 fee (large organisations): £3,763 per year
Tier 3 threshold: Annual turnover over £36 million OR over 250 staff
Tier 3 Direct Debit: £3,758 per year (£5 discount)
Effective from: 17 February 2025

Charities: Pay Tier 1 fee only (£52), regardless of size or turnover
Penalty for non-payment: Up to 150% of the highest charge payable (DPA 2018 section 158(3)), plus the fee owed
Payment deadline after notice: 28 days to pay or make representations
Renewal: Annual - ICO sends renewal reminder before expiry

Who must pay

You must register if your business:

Processes personal information about individuals (customers, employees, suppliers)
Uses CCTV (including smart doorbells or dashcams for business purposes)
Maintains marketing lists
Uses cookies on your website

Limited exemptions

Very few organisations are exempt. You may be exempt only if you:

Only process personal data for personal or household purposes (not business)
Are an MP, elected representative, or judge (specific exemptions)
Have no automated processing (no computers, no CCTV) - extremely rare

Most businesses are NOT exempt - if you have customer or employee data, you almost certainly need to pay.

Pay the data protection fee

ICO fee self-assessment tool

When to register

You must register before you start processing personal data. For most businesses, this means from day one. See the penalty for non-payment in the fee information above.

Registration process:

Self-assess your tier using ICO's online tool
Register online at ico.org.uk
Pay annual fee by Direct Debit or card
Receive confirmation (your registration appears on ICO's public register)
Renew annually when ICO sends reminder

Privacy notices

You must provide clear information to individuals about how you use their personal data. This is usually done through a privacy notice (also called a privacy policy).

What to include in your privacy notice

UK GDPR requires you to provide specific information when collecting personal data:

Your identity and contact details - Business name and how to contact you
Why you're using the data - The purposes of processing
Lawful basis - Which Article 6 (or Article 9 for special category data) basis applies
Who you share data with - Name specific recipients or detailed categories (avoid vague terms like "business partners")
International transfers - If you send data outside the UK and what safeguards apply
Retention periods - How long you'll keep the data (be specific, not just "as long as necessary")
Individual rights - Right to access, rectification, erasure, portability, objection
Right to complain - How to contact the ICO
Right to withdraw consent - If consent is your lawful basis

Format and timing

Your privacy notice must be:

Concise and transparent - Written in clear, plain language
Easy to access - Prominent link on your website, included in forms
Timely - Provided at the time of data collection (or within one month if obtained from third parties)

Free ICO tool: Small businesses can use the ICO's privacy notice generator to create a compliant privacy notice.

1

Use specific retention periods

Don't just say 'as long as necessary'. State actual timeframes: e.g., 'Customer orders: 7 years for tax purposes, then deleted'.
2

Name data recipients clearly

Avoid vague categories like 'analytics providers'. Name specific companies or provide detailed categories explaining who they are and why you share data.
3

Review and update regularly

Update your privacy notice whenever you change how you process data or add new processing activities.

Data subject rights

Individuals have specific rights over their personal data under UK GDPR. You must have processes in place to respond to these requests.

Right of access (Subject Access Request)

Individuals can request a copy of their personal data. You must respond within 1 month, free of charge (in most cases).

Right to rectification

Individuals can request inaccurate data be corrected or incomplete data completed. Respond without undue delay.

Right to erasure ('right to be forgotten')

Individuals can request deletion in certain circumstances. You must comply if a lawful ground applies (e.g., data no longer needed, consent withdrawn).

Right to restrict processing

Individuals can request you stop processing their data in certain situations (e.g., while verifying accuracy).

Right to data portability

Individuals can request their data in a structured, commonly-used format to move to another service. Applies when processing is based on consent or contract.

Right to object

Individuals can object to processing based on legitimate interests, direct marketing, or for research purposes.

Rights regarding automated decision-making

Individuals can request human intervention for decisions made solely by automated processing that significantly affects them.

1

Respond within 1 month

You have 1 month to respond to most data subject rights requests. Can be extended by 2 months for complex requests if you explain the delay.
2

Verify identity

You can request reasonable information to confirm the person's identity before responding to a subject access request.
3

Keep records

Document how you handle each request, your decision, and the outcome. This demonstrates accountability.
4

Inform third parties

If you've shared data with others, you must inform them of rectifications, erasures or restrictions (unless impossible or disproportionate).

Data breach notification

If you experience a personal data breach, you must assess the risk to individuals and report it to the ICO if required. A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.

UK GDPR data breach notification requirements

72-hour breach notification requirement under UK GDPR Article 33. Pure data reference.

UK GDPR requires data controllers to report certain personal data breaches to the ICO and, in some cases, to the individuals affected.

ICO notification deadline: Within 72 hours of becoming aware of the breach
Clock starts when: You have 'reasonable certainty' a breach has occurred, not when you know full details
When notification required: If the breach is likely to result in a risk to people's rights and freedoms
When notification NOT required: If breach is unlikely to result in any risk to individuals - but must still record internally
Individual notification: Required without undue delay if risk to individuals is HIGH
Legislation: UK GDPR Articles 33 and 34

Required notification content (Article 33(3))

Nature of the breach (what happened)
Categories and approximate numbers of individuals affected
Categories and approximate numbers of records affected
Name and contact details of your DPO or other contact point
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate harm

Phased reporting: If full information unavailable within 72 hours, report what you know and provide details later 'without undue further delay'
Internal record-keeping: ALL breaches must be documented (whether notified to ICO or not) for audit purposes
Penalty for notification failure: Up to £8.7 million or 2% of global annual turnover (whichever is higher)

Report a breach to the ICO

The 72-hour rule explained

The 72-hour clock starts when you have reasonable certainty that a security incident has compromised personal data - not when you know all the details.

Phased reporting is allowed: If you can't complete a full investigation within 72 hours, report what you know initially and provide additional information in phases "without undue further delay". The ICO actively encourages this "report early, update later" approach.

When to report

If the breach is likely to result in a risk to people's rights and freedoms (financial loss, identity theft, discrimination, distress).

When NOT to report

If the breach is unlikely to result in any risk to individuals. Still document it internally for ICO audits.

High-risk breaches

If high risk to individuals, you must also notify them directly without undue delay, in clear language.

How to report

Use ICO's online breach reporting tool or call 0303 123 1113 (office hours).

1

Document ALL breaches

Keep internal records of all breaches, whether reported to ICO or not. Record nature, effects, and remedial action taken.
2

Include required information

Breach notification must include: nature of breach, categories/numbers of people affected, DPO contact details, likely consequences, and measures taken.
3

Have an incident response plan

Prepare in advance with clear procedures for detecting, investigating, and reporting breaches within tight timeframes.

Penalties for non-compliance

The ICO has significant enforcement powers under UK GDPR and DPA 2018. Fines operate on a two-tier structure depending on the nature of the infringement.

UK GDPR maximum fines scale

Two-tier penalty structure under UK GDPR Article 83 and DPA 2018 Section 157.

The ICO can issue administrative fines under UK GDPR Article 83 and DPA 2018 Section 157. There are two tiers of maximum fines depending on the type of infringement.

Higher tier maximum: £17.5 million or 4% of annual worldwide turnover, whichever is HIGHER
Higher tier applies to: Breaches of data protection principles (Article 5), lawful basis requirements (Articles 6, 7, 9), data subject rights (Articles 12-22), unlawful international transfers (Articles 44-49)
Standard tier maximum: £8.7 million or 2% of annual worldwide turnover, whichever is HIGHER
Standard tier applies to: Failure to comply with controller/processor obligations, processing children's data incorrectly, certification failures, breach notification failures

Infringements attracting higher tier fines (£17.5m / 4%)

Breaching data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability)
Processing without valid lawful basis
Failing to obtain valid consent where required
Processing special category data without a valid condition
Failing to respect data subject rights (access, rectification, erasure, portability, objection)
Unlawful transfers of personal data to third countries

Infringements attracting standard tier fines (£8.7m / 2%)

Failure to comply with controller or processor obligations under Chapter IV
Processing children's data incorrectly (Article 8)
Failure to notify data breaches to ICO within 72 hours
Failure to notify individuals of high-risk breaches
Failure to comply with certification requirements

Multiple infringements: For same or linked processing operations, total fine cannot exceed amount for gravest infringement
Unlinked operations: Separate fines for unlinked operations can exceed statutory maximum when summed
ICO approach: Fines should be effective, proportionate, and dissuasive in each individual case
Legislation reference: UK GDPR Article 83, DPA 2018 Sections 155-157

ICO fining guidance

ICO enforcement actions

Beyond fines: The ICO can also issue enforcement notices requiring you to stop processing, reprimands, orders to communicate breaches to individuals, and orders to comply with data subject requests. Serious non-compliance can result in criminal prosecution.

Record keeping and documentation

UK GDPR requires most organisations to maintain records of processing activities. This demonstrates accountability and helps you comply with transparency obligations.

When records are required

You must keep processing records if:

You have 250 or more employees, OR
Your processing is likely to result in a risk to individuals (even with fewer than 250 employees), OR
You process special category data or criminal conviction data (even with fewer than 250 employees)

In practice: Most businesses should maintain processing records regardless of size, as it helps demonstrate compliance.

What to record

Purposes of processing, categories of data subjects and personal data, categories of recipients, retention periods, security measures, international transfers.

Format

No prescribed format. Can be a spreadsheet, database, or ICO's template. Must be available to ICO on request.

Review frequency

Review and update whenever you change processing activities or add new purposes.

Data Protection Officer (DPO)

Some organisations must appoint a Data Protection Officer. For most small businesses, this is optional.

DPO requirements (if appointed)

A DPO must:

Have expert knowledge of data protection law and practices (proportionate to your processing)
Be independent - no conflict of interest, can't be dismissed for performing duties
Report to highest management level
Be adequately resourced to perform tasks
Be accessible to individuals, staff, and the ICO

Key tasks: Inform and advise on compliance, monitor compliance, train staff, advise on data protection impact assessments, cooperate with the ICO, act as contact point.

Can be internal or external: You can appoint a staff member (if qualified and no conflicts) or outsource to a service provider. Groups of companies can share a single DPO if easily accessible.

Practical compliance checklist

Use this checklist to ensure basic GDPR compliance:

1

Register with ICO and pay fee

Complete registration before processing personal data. Use the tier information earlier in this guide to identify your correct fee tier.
2

Identify your lawful bases

Document which lawful basis applies to each processing purpose. Conduct legitimate interest assessments where needed.
3

Create privacy notice

Draft clear privacy notice with all required information. Display prominently on website and in customer communications.
4

Implement security measures

Use appropriate technical and organisational measures: encryption, access controls, secure passwords, regular backups, staff training.
5

Plan for data subject requests

Create processes to handle access requests, rectifications, erasures within required timeframes (1 month standard).
6

Set up breach procedures

Establish incident response plan to detect, assess, and report breaches within 72 hours if required.
7

Maintain processing records

Document: purposes, data categories, retention periods, recipients, security measures, transfers.
8

Review and update regularly

Schedule annual reviews of privacy notices, processing records, security measures, and staff training.
9

Train your staff

Ensure everyone handling personal data understands their responsibilities and knows how to spot security risks.
10

Consider data protection by design

Build privacy into new projects and systems from the start. Conduct Data Protection Impact Assessments for high-risk processing.

Healthcare & Social Care Requirement

Healthcare & Social Care businesses only

Healthcare providers process 'special category data' under UK GDPR, requiring enhanced protection:

Lawful basis plus special category condition: You need both Article 6 lawful basis AND an Article 9 condition (typically 'health or social care purposes' under Article 9(2)(h))
Caldicott Principles: NHS organisations and larger private providers must appoint a senior Caldicott Guardian to oversee patient data protection
Common law duty of confidentiality: Applies alongside GDPR - patients reasonably expect their health information to be kept confidential
Professional obligations: Clinical staff have additional duties under their professional codes (GMC, NMC, etc.)

Breaching patient confidentiality can result in ICO enforcement, professional misconduct proceedings, and civil liability.

Who this applies to: CQC-registered healthcare providers, GP practices, dental practices, pharmacies

ICO special category data guidance

Related guides in Compliance & Legal

Who must comply

The seven data protection principles

Penalties for non-compliance

Lawful bases for processing

ICO registration and fees

When to register

Privacy notices

What to include in your privacy notice

Format and timing

Use specific retention periods

Name data recipients clearly

Review and update regularly

Data subject rights

Respond within 1 month

Verify identity

Keep records

Inform third parties

Data breach notification

The 72-hour rule explained

Document ALL breaches

Include required information

Have an incident response plan

Penalties for non-compliance

Record keeping and documentation

When records are required

Data Protection Officer (DPO)

DPO requirements (if appointed)

Practical compliance checklist

Register with ICO and pay fee

Identify your lawful bases

Create privacy notice

Implement security measures

Plan for data subject requests

Set up breach procedures

Maintain processing records

Review and update regularly

Train your staff

Consider data protection by design

Healthcare & Social Care businesses only