GDPR Policy Template for Small Businesses: What You Actually Need
What GDPR Actually Requires of Small Businesses
GDPR applies to any organisation handling personal data of EU/UK residents — regardless of size. But small businesses with fewer than 250 employees have some exemptions from record-keeping requirements, and the ICO takes a proportionate approach to enforcement.
The 4 Documents Every UK Small Business Needs
1. Privacy Notice (Privacy Policy)
Public-facing document telling customers/users what data you collect, why, how long you keep it, and their rights. Must be written in plain English.
Required content under UK GDPR Article 13:
- Who you are and contact details
- What personal data you collect and why
- Your legal basis for processing (consent, contract, legitimate interest, etc.)
- Who you share data with
- How long you keep data
- Rights of data subjects (access, deletion, portability, objection)
- How to complain to the ICO
2. Data Retention Policy
States how long you keep each category of data, and each retention period must be justified. Common UK retention periods:
- Employee records: 6 years after employment ends
- Financial records: 7 years (HMRC requirement)
- Customer contacts (marketing): until consent withdrawn
- CCTV footage: 30 days (unless needed for investigation)
3. Data Breach Response Plan
Under UK GDPR, you must report certain breaches to the ICO within 72 hours. Your plan should define: who assesses breaches, when to report, how to notify affected individuals.
4. Data Processing Agreement (DPA) for Suppliers
If you share personal data with suppliers (email marketing tools, cloud storage, accountants), you need a DPA. Most major providers (Google, Mailchimp, etc.) provide standard DPAs — you just need to sign them.
Generate GDPR Policies with PolicyForge
PolicyForge generates GDPR-compliant privacy notices, data retention policies, and breach response plans — written in plain English and tailored to your business type and sector.