Establish Your Lawful Basis for Processing
Under UK GDPR you must have a documented lawful basis for every type of personal data processing your company carries out. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most B2B companies rely primarily on contract and legitimate interests for processing customer and supplier contact data. Consent is often the weakest basis — do not default to it unless it is genuinely the most appropriate choice.
- Map every category of personal data you process to a lawful basis
- If using legitimate interests, complete and document a Legitimate Interests Assessment (LIA)
- Do not rely on implied or pre-ticked consent for marketing — explicit opt-in is required
Data Mapping and the Record of Processing Activities
You must maintain a Record of Processing Activities (ROPA) — a documented inventory of what personal data you hold, where it came from, why you hold it, who you share it with, how long you retain it, and where it is stored. The ROPA does not need to be complex but must be kept up to date. Businesses with fewer than 250 employees are exempt from the formal ROPA requirement in some limited circumstances, but maintaining one is still strongly recommended. Confirm your obligations with a data protection adviser.
- List every data type: customers, employees, website visitors, suppliers, contractors
- Record storage locations: CRM, payroll software, email server, cloud storage
- Note retention periods and deletion or anonymisation procedures
- Identify any transfers outside the UK and the transfer mechanism used
Privacy Notices and Transparency
You must provide individuals with a privacy notice (sometimes called a privacy policy) at or before the point you collect their personal data. For a website, this means a publicly accessible privacy policy. For employees, a separate employee privacy notice is required before or at the start of employment. Privacy notices must be in plain language and cover specific required points under UK GDPR Articles 13 and 14.
Review and update privacy notices whenever you start a new processing activity. Confirm the required contents with your data protection adviser — a template downloaded from the internet may not cover your specific processing activities accurately.
Data Subject Rights
UK GDPR grants individuals eight rights over their personal data including the right to access (Subject Access Request), rectification, erasure, restriction of processing, data portability, and objection. You must be able to respond to these requests within one month of receipt (extendable by two months for complex requests). Establish a process for receiving, logging, and responding to requests before you need it.
- Designate a named contact point for data subject requests
- Create a log to record all requests, dates received, and response dates
- Ensure you can locate all data held on an individual across all systems
- Confirm with your solicitor or DPO the appropriate response to erasure requests where legal or contractual retention applies
Breach Response Plan
A personal data breach must be notified to the ICO within 72 hours of you becoming aware of it, where the breach is likely to result in risk to individuals' rights and freedoms. In more serious cases you must also notify the affected individuals without undue delay. Having a written breach response plan in place before an incident occurs is essential — responding under pressure without a process is how notification deadlines are missed.
- Designate who is responsible for assessing and reporting breaches
- Maintain a breach log even for breaches that do not meet the reporting threshold
- Test your breach response procedure at least annually
- Confirm ICO reporting obligations and exemptions with your data protection adviser
Frequently asked questions
Does UK GDPR apply to my company if we only deal with other businesses?
Yes, to the extent you process personal data of individuals — including employees, sole trader customers, and named contacts at business customers. The rules apply to any personal data about living individuals regardless of whether your customers are companies.
Do I need to appoint a Data Protection Officer?
A formal DPO is required under UK GDPR for public authorities and for companies whose core activities involve large-scale systematic monitoring or large-scale processing of special category data. Most SMEs do not legally require a DPO but should designate a responsible person internally and may benefit from an external data protection adviser. Confirm your specific obligations with a qualified adviser.
How long should I retain personal data?
There is no single prescribed retention period under UK GDPR. Retention should be the minimum necessary for the purpose you collected the data, balanced against any legal or regulatory requirements to retain records — for example, HMRC requires financial records to be kept for at least six years. Document your retention periods in your ROPA and confirm them with your accountant and solicitor.