GDPR Policy Template for Small Business
28 Mar 2026
Every organisation that handles personal data needs a GDPR policy — and that includes small businesses. Whether you collect customer email addresses, store employee records, or process invoices with contact details, GDPR applies to you. The good news is that your policy does not need to be a 40-page legal document. It needs to be clear, accurate, and followed in practice. This template gives you a solid starting point that you can customise for your team. It is not legal advice, and you should review it with a qualified adviser if your processing activities involve high-risk data or large-scale monitoring.
Aligned With: GDPR Articles 5, 6, 13-14, 15-22, 30, 33-34 | ICO Guidance | EDPB Recommendations
Complete GDPR Data Protection Policy Template
The following template covers the core sections your data protection policy should include. Each section maps to specific GDPR requirements. Copy and adapt the text to fit your organisation — replace the placeholders in square brackets with your own details.
Important: This template is a starting point. Every business processes data differently, and your policy must reflect what your organisation actually does. Do not adopt template wording that does not match your real practices.
1. Purpose and Scope
This Data Protection Policy sets out how [Organisation Name] collects, uses, stores, and protects personal data. It applies to all employees, contractors, and volunteers who handle personal data on behalf of the organisation.
The purpose of this policy is to ensure that personal data is processed lawfully, fairly, and transparently, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Policy Owner: [Name / Role, e.g. Managing Director]
Last Reviewed: [Date]
Next Review Due: [Date — recommend every 12 months]
2. Data Protection Principles (Article 5)
Your policy must reflect the seven data protection principles. These are not optional guidelines — they are legal obligations.
We process personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency — We have a valid legal basis for every processing activity and we tell people what we do with their data.
- Purpose limitation — We collect data for specified, explicit, and legitimate purposes and do not use it for anything incompatible with those purposes.
- Data minimisation — We only collect the personal data we actually need.
- Accuracy — We take reasonable steps to keep personal data accurate and up to date.
- Storage limitation — We do not keep personal data longer than necessary. Our retention periods are documented in our data retention schedule.
- Integrity and confidentiality — We protect personal data using appropriate technical and organisational measures.
- Accountability — We can demonstrate compliance with all of the above.
3. Lawful Basis for Processing (Article 6)
Every time you process personal data, you need a lawful basis. For most small businesses, the relevant bases are consent, contract, and legitimate interests.
We rely on the following lawful bases for processing personal data:
- Contract — Processing necessary to perform a contract with the individual (e.g. delivering a service they have purchased, managing an employment contract).
- Legitimate interests — Processing necessary for our legitimate business interests, provided those interests do not override the individual’s rights (e.g. fraud prevention, network security, direct marketing to existing customers).
- Consent — Where we rely on consent, it is freely given, specific, informed, and unambiguous. Individuals can withdraw consent at any time.
- Legal obligation — Processing necessary to comply with the law (e.g. tax records, employment law requirements).
We document the lawful basis for each processing activity in our Record of Processing Activities (ROPA).
4. Data Subject Rights (Articles 15-22)
Individuals have specific rights under GDPR. Your policy must explain how your organisation handles them.
Individuals whose personal data we process have the following rights:
- Right of access (Article 15) — The right to request a copy of the personal data we hold about them.
- Right to rectification (Article 16) — The right to have inaccurate data corrected.
- Right to erasure (Article 17) — The right to request deletion of their data, where there is no compelling reason to continue processing.
- Right to restrict processing (Article 18) — The right to request that we limit how we use their data.
- Right to data portability (Article 20) — The right to receive their data in a structured, commonly used format.
- Right to object (Article 21) — The right to object to processing based on legitimate interests or direct marketing.
How to make a request: Individuals can submit a request to [email address]. We will respond within one calendar month. If a request is complex, we may extend this by a further two months, but we will inform the individual within the first month.
Verification: We will verify the identity of anyone making a request before releasing personal data. This protects against fraudulent requests.
5. Data Retention and Deletion
Keeping data indefinitely is one of the most common GDPR failures in small businesses. Your policy needs clear retention periods.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our standard retention periods include:
| Data Type | Retention Period | Basis |
| --- | --- | --- |
| Customer contact details | Duration of relationship + 2 years | Contract / Legitimate interests |
| Employee records | Duration of employment + 6 years | Legal obligation |
| Financial/tax records | 6 years from end of tax year | Legal obligation |
| Marketing consent records | Until consent withdrawn + 1 year | Consent |
| CCTV footage (if applicable) | 30 days | Legitimate interests |

When the retention period expires, data is securely deleted or anonymised. Paper records are cross-cut shredded. Electronic records are permanently deleted from all systems, including backups, in line with our documented process.
For a detailed guide to building your own retention schedule, see our data retention guide for small teams.
6. Data Breach Procedures
A breach is not just a hacking incident. It includes accidental loss, destruction, or unauthorised access to personal data. An email sent to the wrong person is a breach. A lost USB drive containing client records is a breach.
Breach response process:
- Contain — Stop the breach from getting worse. Disconnect affected systems, revoke access, or recover lost devices.
- Assess — Determine what data was affected, how many individuals are involved, and the likely impact.
- Record — Log every breach in the breach register, regardless of severity.
- Notify the ICO — If the breach is likely to result in a risk to individuals’ rights and freedoms, notify the Information Commissioner’s Office within 72 hours of becoming aware. Use the ICO’s online reporting tool.
- Notify individuals — If the breach is likely to result in a high risk to individuals, notify them directly without undue delay.
- Review — After the breach is resolved, review what went wrong and update procedures to prevent recurrence.
Breach register location: [Specify where your breach log is kept — e.g. shared drive, HR system]
Breach reporting contact: [Name / Role / Email]
Our full guide to GDPR breach notification procedures walks through the 72-hour timeline, decision criteria, and template wording for supervisory authority notifications.
For broader incident handling — including ransomware, phishing, and system compromise — see our incident response plan template.
7. Staff Responsibilities
All staff who handle personal data are responsible for:
- Following this policy and any related procedures
- Only accessing personal data they need for their role
- Keeping personal data secure — locking screens, using strong passwords (three random words, 12 or more characters, in line with NCSC guidance), and enabling multi-factor authentication
- Reporting any suspected data breach immediately to [breach reporting contact]
- Completing data protection awareness training on joining and annually thereafter
- Not sharing personal data with unauthorised individuals, internally or externally
Managers are additionally responsible for:
- Ensuring their team members understand and follow this policy
- Conducting access reviews to ensure permissions remain appropriate
- Approving any new processing activities before they begin
Do small businesses need a GDPR policy?
Yes. If your organisation processes personal data of individuals in the UK or EU, GDPR applies regardless of your size. There is no small business exemption.
GDPR Article 5(2) establishes the accountability principle: you must not only comply with the data protection principles, but you must also be able to demonstrate that you comply. A written policy is the most straightforward way to meet this requirement. Without one, you cannot show an auditor, an insurer, or a regulator that your organisation takes data protection seriously.
The ICO has been clear that small organisations are expected to have appropriate policies in place. The depth and complexity should be proportionate to what you do — a five-person consultancy does not need the same documentation as a hospital — but having nothing at all is not acceptable.
There are also practical reasons beyond legal compliance. Cyber insurance providers increasingly ask whether you have a data protection policy when you apply or renew. Clients in regulated sectors may require evidence of GDPR compliance before they will work with you. And if a breach does occur, having a documented policy and evidence that staff were trained on it makes a material difference to how regulators assess your response. Our law firm case study shows how proper GDPR documentation led to a first-attempt audit pass.
For a broader overview of what SMB cybersecurity compliance involves and why it matters, our introductory guide covers the key frameworks and expectations.
Privacy Notice Template
A privacy notice is different from your internal data protection policy. The policy tells your staff how to handle data. The privacy notice tells your customers, clients, and website visitors what you do with their data. GDPR Articles 13 and 14 set out exactly what must be included.
Here is a simplified privacy notice template:
Privacy Notice — [Organisation Name]
Who we are: [Organisation Name], [registered address]. You can contact us at [email address].
What data we collect: We collect [list the types — e.g. name, email address, phone number, payment details, IP address].
Why we collect it: We use your data to [list purposes — e.g. provide our services, send invoices, respond to enquiries, send marketing communications you have opted into].
Our lawful basis: We process your data on the basis of [contract / legitimate interests / consent — specify which applies to each purpose].
Who we share it with: We may share your data with [list categories — e.g. our payment processor, our email marketing platform, our accountant]. We do not sell your data to third parties.
International transfers: [State whether data is transferred outside the UK/EU. If yes, explain the safeguards in place.]
How long we keep it: We retain your data for [refer to your retention schedule or state specific periods].
Your rights: You have the right to access, correct, delete, restrict, or port your data. You also have the right to object to processing and to withdraw consent. To exercise any of these rights, contact us at [email address].
Complaints: If you are unhappy with how we handle your data, you can complain to the Information Commissioner’s Office at ico.org.uk.
Place your privacy notice where people can find it before you collect their data: on your website footer, in your email signature, on paper forms, and in contracts.
Record of Processing Activities (ROPA)
GDPR Article 30 requires organisations with 250 or more employees to maintain a Record of Processing Activities. However, smaller organisations must also maintain one if their processing is not occasional, involves special category data, or could result in a risk to individuals’ rights and freedoms. In practice, most small businesses that process customer or employee data regularly should keep a ROPA.
A ROPA does not need to be complicated. A simple spreadsheet works. Here is what to include for each processing activity:
| Field | Example Entry |
| --- | --- |
| Processing activity | Sending monthly newsletter |
| Purpose | Marketing to existing customers |
| Categories of individuals | Customers, website subscribers |
| Categories of personal data | Name, email address |
| Lawful basis | Consent |
| Recipients | Mailchimp (email platform) |
| International transfers | Yes: Mailchimp (US, Standard Contractual Clauses) |
| Retention period | Until consent withdrawn + 1 year |
| Technical/organisational measures | Platform access restricted to two staff, MFA enabled |
Create one row per processing activity. Common activities for small businesses include: payroll, customer invoicing, email marketing, website analytics, CCTV monitoring, recruitment, and client file storage.
Review your ROPA at least annually, and update it whenever you start a new processing activity or change an existing one.
What happens if a small business doesn’t have a GDPR policy?
The consequences range from regulatory fines to lost business and uninsurable risk. The absence of a documented policy does not just create a compliance gap — it creates a practical problem when something goes wrong.
Regulatory enforcement
The ICO can issue fines of up to 17.5 million pounds or 4 per cent of annual global turnover, whichever is higher. In practice, small business fines are typically much lower — often in the thousands or low tens of thousands of pounds — but they are real. The ICO has issued reprimands and enforcement notices to organisations with fewer than ten employees. The deciding factor is not your size but whether you have taken reasonable steps to comply.
Beyond fines, the ICO can issue enforcement notices that require you to stop processing data in a particular way or to take corrective action within a set timeframe. For a small business, being ordered to stop processing customer data can be existentially damaging.
Insurance implications
Cyber insurance and professional indemnity insurers are asking more pointed questions about data protection policies during applications and renewals. If you cannot demonstrate that you have a policy, your premiums may increase, your coverage may be limited, or your application may be declined. Worse, if you experience a breach and the insurer discovers that you had no data protection policy in place, they may argue that you failed to take reasonable precautions — potentially voiding your coverage when you need it most.
Breach consequences without a policy
When a breach happens — and eventually, something will go wrong — your response is assessed against what a reasonable organisation would have done. If you have no policy, no training records, and no breach procedure, the regulator’s view is clear: you were not prepared, and you were not compliant. That assessment affects the severity of any enforcement action.
Staff also need clear guidance. Without a policy, employees do not know how to handle a subject access request, how long to retain data, or who to contact when they suspect a breach. This leads to inconsistent practices, delayed responses, and avoidable mistakes.
How to Customise This Template
Copying a template without adapting it to your organisation is worse than having no policy at all. A regulator or auditor will immediately see that the document does not match your actual practices. Follow these steps to make this template your own:
- Audit your data — Before you fill in any template, list what personal data you collect, why you collect it, where you store it, and who has access. You cannot write an accurate policy without knowing what you actually do.
- Choose your lawful bases — For each processing activity, decide whether you rely on consent, contract, legitimate interests, or legal obligation. Document your reasoning, especially for legitimate interests, where you need to demonstrate you have balanced your interests against the individual’s rights.
- Set retention periods — Do not guess. Check legal requirements (e.g. six years for financial records, duration of employment plus six years for employee data) and set proportionate periods for everything else. Our data retention guide includes a practical schedule you can adapt.
- Name your contacts — Replace every placeholder with real names, roles, and email addresses. A policy that says “[contact person]” throughout has never been implemented.
- Define your breach process — Decide who in your organisation is responsible for assessing and reporting breaches. Make sure they know how to contact the ICO and have access to the breach register.
- Train your staff — A policy that sits in a shared drive unread does not satisfy the accountability principle. Ensure every staff member reads the policy, understands their responsibilities, and signs an acknowledgement. Refresh training annually.
- Review regularly — Set a calendar reminder to review the policy at least once a year, or whenever you start a new processing activity, adopt a new tool, or experience a breach.
Related Policies to Consider
A GDPR data protection policy does not exist in isolation. It works alongside other policies that govern how your team handles technology, data, and security. If you are building out your documentation, consider these:
- Our acceptable use policy template covers rules for devices, internet use, and company systems — the operational side of data security.
- The remote work policy template addresses data protection when staff work outside the office, including device security, network requirements, and secure file access.
Having a coherent set of policies shows regulators and insurers that your organisation takes a structured approach to compliance, not a piecemeal one.
Related SMBCyberHub Resources
- Simple Data Retention Guide for Small Teams — Build a retention schedule that satisfies GDPR’s storage limitation principle.
- GDPR Breach Notification Procedures for Small Business — 72-hour timeline, decision criteria, and template wording for supervisory authorities.
- Incident Response Plan Template — Step-by-step response plan covering breach containment, communication, and recovery.
- Acceptable Use Policy Template — Device, internet, and software usage rules for small teams.
- Remote Work Policy Template — Secure remote working guidelines covering devices, networks, and data handling.
- SMB Cybersecurity Compliance Kit — Pre-built policy and documentation bundle designed for small teams who need to get compliant without hiring a consultant.