Information Security Management
GDPR for Small Businesses
GDPR can feel like a fog of legal language, policies, and “just in case” paperwork. This page is your hub for simple GDPR guidance that focuses on what small and medium organisations actually need to do.
Whether you’re trying to reduce risk, answer customer questionnaires, or simply stop worrying that you’ve missed something important, you’ll find two routes here:
- Learn GDPR: short, focused pages that explain key topics without the waffle
- Do GDPR: a practical toolkit (templates + guides) and a quick assessment to help you prioritise what matters

GDPR Basics
Learning the very basics of GDPR for small-to-medium businesses.
GDPR Roles & Responsibilities
Exploring the various functions and key ownerships within GDPR.

The GDPR Toolkit (done-for-you templates + guidance)
If you want the quickest route to a credible GDPR foundation, the toolkit is designed for exactly that: minimal, practical compliance without turning your business into a paperwork factory.
What you get
- Ready-to-use templates: policies, procedures, logs, and registers you can actually maintain
- Implementation guidance: what to do first, what to skip, and what “good enough” looks like
- A simple structure that helps you show progress to customers, partners, and auditors
Who it’s for
- small to medium organisations that need a pragmatic GDPR baseline
- teams without a full-time Data Protection Officer
- anyone who wants to stop staring at a blank Word document thinking “where do I even start?”
What “good GDPR” looks like (for most SMEs)
For most organisations, GDPR success is not about having 70 documents. It’s about being able to show, with confidence, that you:
- know what personal data you hold and why
- keep it secure (and can evidence basic controls)
- have sensible retention and deletion habits
- use suppliers responsibly (and have the right contractual basics)
- can respond to requests and incidents without panic
That’s the thread running through the guidance pages and the toolkit.
FAQs
Does GDPR apply to non-UK or EU organisations?
Yes. If you offer goods or services to people in the UK or EU, or monitor the behaviour of UK or EU individuals, then UK GDPR, EU GDPR, or both may apply.
We’re small. Do we still need all this?
Small organisations still have obligations, but the solution should match the risk. The goal is sensible, workable compliance, not bureaucracy.
Do we need a DPO?
Not always. Some organisations do, many don’t. If you’re unsure, use the assessment and then read the controllers/processors page.
Are templates enough?
Templates save time, but you still need to tailor them. I’m not pretending otherwise. The toolkit is designed to make tailoring straightforward and to prevent “policy theatre”.
GDPR Articles
Everything you need to know about getting GDPR Ready.