
GDPR for Small Business UK — Complete Guide (2026)

Everything UK small businesses need to know about GDPR: what it covers, your obligations as an employer, how long to keep employee records, and how to handle data subject requests.

KornerIQ Compliance Team
6 min read · Updated 2026-06-22 · Reflects UK law 2026

UK GDPR applies to every business that holds personal data — including employee names, addresses, payslips and right-to-work documents. As a small business owner, your key obligations are: tell employees what data you hold and why, keep it secure, only keep it as long as necessary, and respond to data subject requests within 30 days.


Does GDPR apply to my small business?

Yes. UK GDPR (the UK's post-Brexit version of the EU regulation) applies to any organisation that processes personal data about individuals — including your employees. There is no minimum size threshold.

As an employer, you process personal data when you:

  • Store employee names, addresses and contact details
  • Process payroll (National Insurance numbers, bank details, salary)
  • Hold right-to-work documents and visa information
  • Record holiday, sick leave and disciplinary matters
  • Store training records and certifications

Your key GDPR obligations as an employer

1. Lawful basis for processing

You must have a lawful basis for holding employee data. For employment purposes, the main bases are:

  • Contract — data needed to fulfil the employment contract (payroll, contracts)
  • Legal obligation — data required by law (right-to-work records, payroll records)
  • Legitimate interests — data you have a genuine business need for (training records, disciplinary records)

2. Privacy notice

You must tell employees what data you hold, why, how long you'll keep it, and their rights. This is typically done via a staff privacy notice given at the start of employment.

3. Data retention

| Record type | Keep for |
|---|---|
| Right-to-work documents | Duration of employment + 2 years |
| Payroll records | 3 years (HMRC) |
| Employment contracts | Duration of employment + 6 years |
| Disciplinary records | Duration of employment + 6 years |
| Sick leave / medical records | Duration of employment + 6 years |
| Training records | Duration of employment + 6 years |
| Application forms (unsuccessful) | 6–12 months |

4. Data security

Personal data must be kept secure — whether physical or digital. For digital records, this means:

  • Password protection and access controls (only authorised staff can access records)
  • Encrypted storage
  • Secure deletion when records are no longer needed

5. Data subject rights

Employees have the right to:

  • Access their data (Subject Access Request — you must respond within 30 days)
  • Rectification of inaccurate data
  • Erasure of data you no longer have a legitimate reason to hold
  • Restriction of processing in certain circumstances

Do I need to register with the ICO?

Most businesses that process personal data must pay the ICO's data protection fee — £40/year for most small businesses (Tier 1). You can check if you need to register and pay at ico.org.uk.

How KornerIQ helps with GDPR

Keeping employee data compliant manually — spreadsheets, paper files, email attachments — is risky. KornerIQ provides:

  • Secure, encrypted storage per employee
  • Full audit trail — who accessed what, and when
  • Retention management — flag records that should be reviewed for deletion
  • Data export and erasure — respond to Subject Access Requests and right-to-erasure requests in minutes
  • Row-level security — your data is never visible to other businesses on the platform

