Eight years after GDPR came into force, most UK SMEs are still operating with significant data protection gaps. Not because they don’t care, but because the guidance available is either too legal or too vague to act on.

Here’s a plain-English commercial view.

GDPR came into force in May 2018. Eight years on, the majority of UK SMEs are still operating with significant data protection gaps.

Not because they are reckless or indifferent. But because the guidance available is either written by lawyers for lawyers, or so high-level as to be practically useless. “You must have a lawful basis for processing personal data” is accurate. It is also not actionable without a great deal more context.

This post attempts a more useful approach: a plain-English, commercially oriented view of what GDPR actually requires of a UK SME, where the most common gaps are, and what proportionate action looks like.

What GDPR actually requires – the commercial essentials

The UK GDPR (which retained the EU regulation post-Brexit with minor modifications) applies to any organisation that processes personal data about individuals in the UK. For virtually every SME, that means it applies to you.

The core obligations, in practical terms:

**Know what data you hold** – you must be able to identify what personal data your organisation holds, where it is stored, what it is used for, who has access to it, and how long you keep it. This is typically documented in a Record of Processing Activities (ROPA). Most SMEs do not have one.

**Have a lawful basis for processing** – for each category of personal data you process, there must be a legitimate legal basis. For most SME data processing, this is either a contractual necessity (you need the data to fulfil a contract), a legal obligation (you are required by law to hold it), or legitimate interests (you have a genuine business reason that is proportionate and not overridden by the individual’s rights).

**Be transparent** – individuals whose data you hold must be told what you are doing with it. This is typically communicated through a Privacy Notice on your website and in your contracts and onboarding materials.

**Protect the data** – appropriate technical and organisational measures must be in place to protect personal data from loss, theft or unauthorised access. This overlaps significantly with cyber security – which is why data protection and cyber risk are best addressed together.

**Respect individual rights** – individuals have rights over their personal data, including the right to access it, correct it, and in certain circumstances, have it deleted. You must have a process for handling these requests.

**Report breaches** – if personal data is lost, stolen or accessed without authorisation, and the breach is likely to result in risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it.

Where most SMEs have gaps

In my experience, the most common data protection gaps in UK SMEs fall into five areas:

**No data register** – the organisation does not have a clear picture of what personal data it holds, where it lives, or who can access it. This makes it impossible to respond meaningfully to a subject access request, demonstrate compliance to a client, or assess the impact of a breach.

**Inadequate privacy notices** – the website has a Privacy Policy (often copied from a template) that does not accurately reflect actual data processing practices. Template policies are better than nothing, but they create a gap between what the business says it does and what it actually does.

**Third-party risk not managed** – personal data shared with suppliers, cloud platforms, and SaaS tools without adequate contractual protections or due diligence.

GDPR requires that when you share personal data with a third party processor, there is a Data Processing Agreement in place. Most SMEs do not have these.

**Retention periods not enforced** – personal data is kept indefinitely because nobody has defined retention periods or built a process for deleting data when it is no longer needed. Old customer records, historic employee data, and archived email are common examples.

**Breach response not planned** – the 72-hour reporting requirement is one of the most commercially consequential aspects of GDPR, and most SMEs do not have a process for identifying, assessing and reporting breaches within that window.

What proportionate compliance looks like

GDPR compliance for a 20 to 100-person SME does not require a dedicated data protection officer or an expensive consultancy programme. It requires:

– A data register that accurately reflects what personal data you hold and why

– A Privacy Notice that reflects your actual practices

– Data Processing Agreements with key suppliers who process personal data on your behalf

– Defined retention periods and a process for enforcing them

– A basic breach response process that ensures incidents are identified, assessed and reported appropriately

– Staff awareness – the people handling personal data understand the basics of what is and is not acceptable

None of this is particularly complex. But it does require someone to own it, and it does need to be kept current as the business changes.

The commercial imperative is real. Enterprise clients increasingly include data protection requirements in supplier questionnaires. Cyber insurers ask about GDPR compliance as part of underwriting. And the ICO, while primarily focused on larger organisations, has demonstrated a willingness to act against SMEs where breaches result from obvious neglect. Getting this right is not a legal exercise. It is a commercial one.

← All Insights
← Previous Next →

More Insights

Supplier Management

The MSP Contract Renewal Playbook: How to Negotiate from Strength

Most SMEs accept their MSP's renewal offer without negotiation. This is almost always a commercial mistake. Here is how to approach contract renewal in a way that produces better terms, better service commitments and better value.

17 July 2026 · 4 min read
Cyber Risk

Business Email Compromise: The Cyber Threat Most SME Boards Have Never Heard Of

Ransomware gets the headlines. Business email compromise quietly costs UK businesses more money every year. Here is what it is, how it works, and why it is particularly dangerous for SMEs.

9 July 2026 · 4 min read
IT Governance

The IT Governance Checklist Every SME Board Should Work Through Once a Year

Most SME boards have no structured way to review their IT governance position. This practical checklist gives you a framework for doing exactly that in plain English, without technical jargon, in under an hour.

1 July 2026 · 5 min read