GDPR for small businesses, in plain English

What GDPR actually requires if you hold customer data — without the legalese or the fear.

GDPR sounds terrifying and reads worse. But the core of it is common sense: if you hold people's personal data, look after it and be honest about what you do with it.

The parts that matter most

  • Know what you hold. You can't protect data you can't list. Map what personal data you collect and where it lives.
  • Have a lawful reason. Collect data because you need it for a clear purpose — not "just in case."
  • Secure it. Reasonable technical protection: access controls, encryption where sensible, no keys in public code.
  • Be ready to respond. People can ask what you hold about them and ask you to delete it.
  • Report breaches. Serious breaches involving personal data must be reported, often within 72 hours.

The good news

For most small businesses, getting to a defensible position is far less work than it looks — and the security side overlaps almost entirely with simply not leaking data. Fix the exposures, write down what you do, and you're most of the way there.

This is general guidance, not legal advice — but our data-protection readiness work gets you to a place you can actually prove.

Want us to just handle it?

Send the details to [email protected] or book a call. We'll check it for you and fix what's exposed.