
What is GDPR? Everything you need to know for your SME

05 Sep 2025
3 min

Quick summary

GDPR is a legal framework that protects personal data and applies to all SMEs dealing with customer information
Personal data under GDPR includes names and emails as well as IP addresses and cookie IDs
It’s crucial that businesses understand how to comply with GDPR

As a small business owner, understanding how to handle personal data responsibly is a legal requirement. The General Data Protection Regulation (GDPR) sets the gold standard for data privacy and protection for customers in the UK and EU. But what actually is GDPR and what does it mean for your business?

In this article, we’ll look at what GDPR is, outline what qualifies as personal data, explain the rules around storing it and how your SME can stay compliant.

What is GDPR in simple terms?

The General Data Protection Regulation (GDPR) is a legal framework that governs how organisations collect, store and use personal data. It was introduced in the EU in May 2018 and aims to protect people’s privacy and give them more control over their data.

Whether you’re a one-person startup or have 100 employees, you must comply if you handle customer data (like emails and payment information). Not doing so could mean fines of up to 20 million euros or up to 4% of global turnover.

When did GDPR come into effect?

GDPR was officially rolled out on 25 May 2018. Since then, businesses of all sizes have needed to look at how they manage and protect customer data.

What is considered personal data under GDPR?

Personal data under GDPR is classed as any information that can directly or indirectly identify a person. This includes:

  • Direct identifiers: names, phone numbers, email addresses and postal addresses

  • Indirect identifiers: IP addresses, device IDs and cookie data

  • Special category data: health records, racial or ethnic background, political opinions and biometric data

Business contact details linked to an organisation may not count as personal data, unless they also reveal something about a person. For example, johnsmith@business.com is not considered personal data, whereas johnsmith@gmail.com is, as it’s a personal email address.

It’s essential to understand what constitutes personal data under GDPR to make sure you stay compliant and avoid potential data breaches.

How long can personal data be stored?

While GDPR doesn’t put a time limit on how long personal data can be kept, it does say that it should only be stored for as long as necessary. Once the data is no longer needed for the original purpose, for example when a customer unsubscribes from a newsletter, it must be securely deleted or made anonymous.

In summary, how long you keep it depends on your business needs, but you’ll need a clear retention policy that sets out the time period for each purpose and what happens to the data when that period ends.
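The storage-limitation rule above is easiest to keep to when retention is enforced by a scheduled job rather than by memory. The following Python script is an added example, not code from the article or from Vodafone: it holds a hypothetical retention policy per purpose (the 30-day and 6-year periods, the purpose names and the sample subscriber records are all constructed for illustration), and when a record’s purpose has ended and its period has elapsed it either deletes the record or anonymises it by stripping the direct and indirect identifiers the article lists (name, email, IP address). A record whose purpose is not in the policy is treated as a gap and rejected rather than kept by default.

```python
"""Retention enforcement for a small customer dataset (constructed example).

Each record carries the purpose it was collected for and the moment that
purpose ended (for example, when the customer unsubscribed). Once the
retention period for that purpose has elapsed, the record is deleted or
anonymised according to the policy.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention policy. The purposes, periods and actions are
# assumptions made for this example, not values from the article or from GDPR.
RETENTION_POLICY = {
    # Newsletter data has no further use once someone unsubscribes: delete it
    # after a short grace period in which the unsubscribe could be reversed.
    "newsletter": {"retain_for": timedelta(days=30), "action": "delete"},
    # Order records may still be needed in aggregate (sales totals) after the
    # customer relationship ends: keep the amounts, remove the identifiers.
    "order_history": {"retain_for": timedelta(days=6 * 365), "action": "anonymise"},
}


@dataclass(frozen=True)
class Record:
    record_id: int
    purpose: str
    name: Optional[str]          # direct identifier
    email: Optional[str]         # direct identifier
    ip_address: Optional[str]    # indirect identifier, still personal data
    order_total: Optional[float]  # non-identifying business value
    purpose_ended_at: Optional[datetime]  # None while the purpose is still active


def anonymise(rec: Record) -> Record:
    """Return a copy with every direct and indirect identifier removed."""
    return replace(rec, name=None, email=None, ip_address=None)


def is_expired(rec: Record, now: datetime) -> bool:
    """True once the purpose has ended and its retention period has run out."""
    if rec.purpose_ended_at is None:
        return False
    policy = RETENTION_POLICY[rec.purpose]
    return now >= rec.purpose_ended_at + policy["retain_for"]


def apply_retention(records, now: datetime) -> dict:
    """Apply the policy to every record.

    Returns the records to keep (anonymised where required) plus the ids that
    were anonymised or deleted, so the run can be logged for accountability.
    """
    retained, anonymised_ids, deleted_ids = [], [], []
    for rec in records:
        if rec.purpose not in RETENTION_POLICY:
            # Purpose limitation: data with no registered purpose is a policy
            # gap to fix, not something to keep silently.
            raise ValueError(
                f"record {rec.record_id}: no retention policy for purpose {rec.purpose!r}"
            )
        if not is_expired(rec, now):
            retained.append(rec)
        elif RETENTION_POLICY[rec.purpose]["action"] == "anonymise":
            retained.append(anonymise(rec))
            anonymised_ids.append(rec.record_id)
        else:
            deleted_ids.append(rec.record_id)
    return {"retained": retained, "anonymised": anonymised_ids, "deleted": deleted_ids}


# Constructed sample data; "now" is fixed so the run is reproducible.
NOW = datetime(2025, 9, 5, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    # Still subscribed: purpose active, keep.
    Record(1, "newsletter", "Ann Example", "ann@example.com", "203.0.113.5", None, None),
    # Unsubscribed 45 days ago: past the 30-day grace period, delete.
    Record(2, "newsletter", "Bob Example", "bob@example.com", "203.0.113.6", None,
           NOW - timedelta(days=45)),
    # Unsubscribed 10 days ago: still inside the grace period, keep for now.
    Record(3, "newsletter", "Cy Example", "cy@example.com", "203.0.113.7", None,
           NOW - timedelta(days=10)),
    # Relationship ended 7 years ago: past the 6-year period, anonymise.
    Record(4, "order_history", "Di Example", "di@example.com", "203.0.113.8", 42.0,
           NOW - timedelta(days=7 * 365)),
]

if __name__ == "__main__":
    result = apply_retention(SAMPLE_RECORDS, NOW)
    print("retained :", [r.record_id for r in result["retained"]])
    print("anonymised:", result["anonymised"])
    print("deleted   :", result["deleted"])
```

Running the script on the sample data keeps records 1 and 3, deletes record 2 and keeps record 4 only as an anonymised order total. In practice the job would run on a schedule against the real store, and the returned id lists are what you would write to an audit log to show, under the accountability principle, that the retention policy is actually applied.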

What are the seven main principles of GDPR?

At the heart of GDPR are seven key principles that every business must follow:

  1. Transparency: Be clear about how and why you use personal data.

  2. Purpose: Only collect data for specific and legitimate reasons.

  3. Data minimisation: Collect only what you really need.

  4. Accuracy: Keep personal data up-to-date and fix errors quickly.

  5. Storage limitation: Don’t keep personal data longer than necessary.

  6. Integrity and confidentiality: Have security in place to protect personal data from breaches.

  7. Accountability: You must be able to show how you comply with GDPR.

How to comply with GDPR

Begin by auditing the personal data you collect: what information you store, where it’s held and why you have it.

Here’s a useful checklist to help ensure you comply:

  • Audit your data: Know what you have and where it’s stored.

  • Check the legalities: Assess if it’s legal to collect and use the data.

  • Get proper consent: Use clear language and avoid pre-ticked boxes.

  • Be transparent: Share your privacy policy.

  • Respect individual rights: People can access, correct or have their data erased.

  • Train staff: Everyone should understand the basics of GDPR data protection.

Keep your business and data secure

As part of a strong data protection strategy, it’s critical to comply with GDPR. SMEs also need to invest in robust cybersecurity policies and staff training.

Explore more advice on common cyber security mistakes.

Understanding what is considered personal data under GDPR and learning how long it can be stored helps build trust with your customer base.

If you’d like support on your data protection strategy, our V-Hub Digital Advisers are here to help.
