All advice

Compliance · 6 min read

GDPR basics for small organisations: the practical version

You don't need a data protection officer or a 40-page policy. You do need a handful of things in the right places.

Magnifying glass over a GDPR document beside a laptop in blue lighting, representing UK data protection basics for small organisations

UK GDPR feels intimidating when you read it in full. In practice, for a small organisation, it comes down to a handful of consistent habits and a small stack of documents. Get those in place and you'll cope with almost any question a funder, client or the ICO asks you.

I'm not a lawyer. This is what I put in place for small business and charity clients so they're on solid ground. Take specialist advice if you handle sensitive categories of data (health, criminal, safeguarding) or process personal data at scale.

1. Register with the ICO

Most UK organisations that process personal data need to pay the ICO data protection fee. For most small businesses that's £40–£60 per year. It takes 10 minutes online and it's the first thing any auditor checks.

2. Know what personal data you hold, and why

You don't need a spreadsheet the size of a phonebook. You need a short, honest data inventory that answers:

  • What personal data do we hold? (Staff, clients, suppliers, mailing list subscribers, website visitors.)
  • Where is it stored? (Microsoft 365, Google Workspace, CRM, accounting software, backups, laptops, paper.)
  • Why do we hold it? (Contract, legal obligation, legitimate interest, consent.)
  • How long do we keep it?
  • Who has access?

One page per system is usually enough. Review it once a year.

3. Have a plain-English privacy notice

On your website. It should explain, in language a normal human can read:

  • Who you are and how to contact you.
  • What personal data you collect, and how.
  • Why you use it, and the legal basis for each purpose.
  • Who you share it with (Microsoft, Google, Stripe, your CRM, etc.).
  • How long you keep it.
  • What rights people have and how to exercise them.

Templates from the ICO website are a fine starting point. Don't copy a bank's privacy policy, it will confuse everyone.

4. Lock down the basics technically

The vast majority of GDPR-relevant incidents in small organisations are not sophisticated. They're a lost laptop, a shared spreadsheet emailed to the wrong person, or a compromised account. The controls that prevent those are the same ones on any good IT security checklist:

  • MFA on every account.
  • Device encryption on every laptop and phone.
  • A password manager, no shared credentials in spreadsheets.
  • Automatic updates on every device.
  • Backups you have tested.
  • Access removed promptly when someone leaves.

If you're doing these, you're already ahead of most small organisations.

5. Handle data subject requests calmly

People have the right to ask what personal data you hold about them, and to request corrections or deletion. In a small organisation this doesn't happen often, but when it does, you need to respond within a month.

The practical setup:

  • A single inbox or contact form for privacy requests.
  • A short internal note describing who handles them and how.
  • A search plan for each of your key systems, how would you actually find and export one person's data from your CRM, mailbox, file store and accounting tool?

Do a dry run on yourself. If you can find your own data cleanly, you can find anyone's.

6. Have a simple breach process

If personal data is lost, exposed or stolen, you may need to notify the ICO within 72 hours. You don't need a 20-page incident response plan. You need:

  • A named person who owns the response.
  • A short template for capturing what happened, when, who's affected and what you've done.
  • A clear rule for when to escalate to legal advice.

Practise it once. Most breaches feel manageable when you know who does what.

7. Contracts with your data processors

If a third party processes personal data on your behalf (email platform, CRM, hosting, accounting, backup provider), you should have a Data Processing Agreement in place with them. The good news: for all mainstream providers, this is a click-through in their admin console. Do it once, keep a note of when.

What good looks like

For a small organisation, "good" is: registered with the ICO, a one-page data inventory, a plain-English privacy notice, MFA and encryption on everything, a clean process for requests and breaches, and DPAs with your main providers. That's usually enough to satisfy funders, insurers, most clients and the ICO.

If you'd like a hand putting this in place, or reviewing what you already have, get in touch.

Need a hand with this?

I help small organisations across the UK with exactly this kind of work. Honest advice, plain English, no pressure.

Get in touch