GDPR 101 — a plain-English guide for UK businesses

The short version

GDPR is the UK law that governs how organisations handle personal data. If you collect any information about identifiable individuals — names, email addresses, phone numbers, customer references, anything that ties back to a real person — it applies to you. Fines for serious breaches go up to £17.5 million or 4% of global annual turnover, whichever is higher. The good news is that compliance is mostly common sense if you take it in pieces.

What is GDPR, actually?

GDPR stands for General Data Protection Regulation. It started life in 2018 as an EU law that replaced a patchwork of older national rules with one consistent framework across all 27 member states. The UK was a member when the regulation took effect, so it became part of UK law automatically. When the UK left the EU, the same rules were kept in place under a slightly renamed version called UK GDPR, supported by the Data Protection Act 2018.

In practice, the two regimes — EU GDPR and UK GDPR — are nearly identical. If you do business only in the UK, you follow UK GDPR. If you also handle data about people in the EU (selling to EU customers, employing EU staff, running a website that EU residents use), you need to follow both. The Information Commissioner's Office, or ICO, is the UK regulator that enforces the law.

Who does GDPR apply to?

In one word: you. Almost every business in the UK, no matter how small, falls within scope. If you keep a list of your customers, you process personal data. If you send marketing emails, you process personal data. If you have employees, you process personal data. The threshold isn't size or revenue; it's whether you handle information about identifiable individuals.

There are two roles in GDPR that matter:

  • A data controller decides what personal data is collected and why. If you're running your own business, you're almost certainly a controller for your customers' and employees' data.
  • A data processor handles personal data on behalf of a controller, under their instructions. Your cloud accounting software, your email provider, your payroll service — those companies are processors acting for you.

You can be both at the same time. You're the controller for your own customer list and the processor for any data your own customers ask you to handle for them.

The seven principles

GDPR is built on seven principles. They sound abstract written down, but they're really just common sense translated into legal language.

Principle | What it means in practice
--------- | -------------------------
Lawfulness, fairness and transparency | You need a valid reason to process someone's data, and you have to tell them you're doing it
Purpose limitation | Use data only for the reason you collected it. If you got someone's email to send an order confirmation, you can't suddenly start using it for marketing
Data minimisation | Collect only what you need. If a form has a "date of birth" field that no part of your business actually uses, take it off the form
Accuracy | Keep data correct and up to date. If someone tells you their address has changed, you update it
Storage limitation | Don't keep data forever. Set a retention period and stick to it
Integrity and confidentiality | Keep data secure. Encryption, access controls, all the usual security stuff
Accountability | Be able to show you've done all the above. Keep records, write policies, train your team

If you ever sit down to write a privacy policy, this is the structure people will expect you to address.

The rights data subjects have

A "data subject" is whoever the data is about — your customer, your employee, the person who filled in your contact form. Under GDPR they have a set of rights you have to honour:

  • Right to be informed — they get to know what you're doing with their data (this is what privacy notices are for)
  • Right of access — they can ask for a copy of all the data you hold about them. You usually have a month to respond. This is called a Subject Access Request or SAR
  • Right to rectification — they can ask you to correct anything wrong
  • Right to erasure — sometimes called the "right to be forgotten". They can ask you to delete their data, and you have to unless you've got a good legal reason to keep it
  • Right to restrict processing — they can ask you to stop using their data while a dispute is sorted
  • Right to data portability — they can ask for their data in a format that lets them take it to a competitor
  • Right to object — they can object to specific uses, particularly direct marketing
  • Rights about automated decision-making — if a computer is making decisions about them that have a significant effect (loan approvals, recruitment screening), they have rights to challenge it

In practice, the SAR is the right you'll see most often. The right to erasure is the one people get most worried about. Both are entirely manageable if you've kept your data organised.

What happens if you ignore GDPR?

The fines are real and they're not theoretical. A few UK examples from recent years that are worth knowing about:

  • British Airways was fined £20 million in 2020 for a security breach that exposed half a million customers' personal and payment details
  • Marriott was fined £18.4 million in 2020 for failing to spot that a hotel chain it acquired had been compromised
  • TikTok was fined £12.7 million by the ICO in 2023 for failures around children's data
  • Clearview AI was fined £7.5 million by the ICO in 2022 for scraping public photos to train facial recognition

You don't have to be a multinational to be on the ICO's radar. The ICO publishes its enforcement actions, and the list includes plenty of small businesses fined £2,000 to £100,000 for issues like unwanted marketing texts, lost laptops, and poorly secured customer databases.

Fines aren't the only consequence. The other one — sometimes worse — is reputational damage. The ICO publishes enforcement actions; tech press picks them up; potential customers Google your name and find the story. For a small business reliant on trust, that can do more damage than the cheque.

GDPR and AI — the bit nobody warned you about

When ChatGPT, Claude, Gemini and Copilot landed in 2023-2024, they changed the data protection picture without changing the law. The law still says you can't disclose personal data to a third party without a lawful basis, and that you have to know who has your customers' data.

Here's the problem. Every time someone in your business pastes a contract, an email thread, a customer query, or a CV into ChatGPT to "summarise this" or "draft a reply to this", they are disclosing personal data to OpenAI (or Anthropic, or Google). Most of the time, that disclosure has no lawful basis. The customer didn't consent. The contract doesn't permit it. The privacy notice doesn't mention it. Your DPO certainly hasn't authorised it.

This is the most common GDPR breach happening in UK businesses in 2026, and the people doing it usually have no idea. A solicitor pastes a client matter into ChatGPT to summarise for a colleague — that's a Solicitors Regulation Authority issue and a GDPR issue. An estate agent pastes a buyer's offer letter into Claude to draft an acceptance — same problem. A recruiter pastes a CV into Gemini to compare it to a job spec — same again.

The ICO's position is consistent: if you're sending personal data to an AI provider, you need a lawful basis, you need to update your privacy notice, you need to evaluate the risk (a DPIA), and you need a Data Processing Agreement with the provider. Most businesses tick none of these boxes.

This is why Trinito exists, and it's why we wrote this page. The technical answer is to put a filter between your team and the LLM that strips identifying data before it leaves your office. The legal answer is the same: redact before you send.
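To make the "redact before you send" idea concrete, here is an added illustration written for this guide; it is not Trinito's pipeline. It swaps a handful of UK identifiers for placeholders, keeps the mapping on your side, checks that nothing recognisable is left before the prompt leaves, and restores the real values in the model's reply. The patterns and the sample prompt are constructed for the example.

```python
import re

# Heuristic patterns for identifiers that turn up in UK business documents.
# Constructed for this example: names and street addresses need a named-entity
# recogniser, which this snippet deliberately does not attempt.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("NINO", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
]

def redact(text):
    """Swap each identifier for a stable placeholder such as [EMAIL_1].

    Returns (redacted_text, mapping). The mapping never leaves your side;
    only the redacted text goes to the LLM provider.
    """
    mapping, seen, counters = {}, {}, {}

    def replace(kind):
        def _replace(match):
            value = match.group(0)
            if value not in seen:  # same value -> same placeholder every time
                counters[kind] = counters.get(kind, 0) + 1
                token = f"[{kind}_{counters[kind]}]"
                mapping[token] = value
                seen[value] = token
            return seen[value]
        return _replace

    for kind, pattern in PATTERNS:
        text = pattern.sub(replace(kind), text)
    return text, mapping

def rehydrate(text, mapping):
    """Put the real values back into a reply that refers to the placeholders."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def leaks(text):
    """Identifiers still present: use as a send-time gate or to audit saved prompts."""
    return [m.group(0) for _, p in PATTERNS for m in p.finditer(text)]

# Constructed sample of the kind of prompt a team member might paste into an LLM.
SAMPLE = ("Summarise this for the file: client contact jane.doe@example.com, "
          "mobile 07700 900123, postcode SW1A 1AA, NI number AB 12 34 56 C.")

if __name__ == "__main__":
    safe, mapping = redact(SAMPLE)
    print(safe, leaks(safe))  # placeholders only, and an empty leak list
    print(rehydrate("Noted: contact [EMAIL_1] on [PHONE_1].", mapping))
```

Regexes alone will miss names and free-text addresses, so treat this as the shape of the control rather than a complete filter.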

What practical compliance looks like

If GDPR feels overwhelming, here's a sane place to start:

  1. Know what data you hold. A simple spreadsheet listing every system that contains personal data, what's in it, and why, is the foundation of everything else. The ICO calls this a "record of processing activities" or ROPA, and Article 30 of GDPR requires it.
  2. Write a privacy notice. Whatever you're doing with data, tell people about it. The ICO has a free template that's a good starting point.
  3. Get the basics of security right. Encrypted laptops, multi-factor authentication, regular backups, strong passwords, and trained staff. The five technical controls of Cyber Essentials are a good baseline.
  4. Get DPAs in place with your processors. Your cloud provider, your accountant, your email marketing tool. Most of them will have a standard template ready to sign.
  5. Have a plan for SARs and breach response. If a customer asks for their data, you have a month to provide it. If you have a security breach involving personal data, you've got 72 hours to notify the ICO. Have a written process for both.
  6. Address AI use head-on. This is the new frontier. Audit what your team is pasting into LLMs. Put a redaction layer in place. Update your privacy notice. Update your acceptable-use policy.
  7. Review annually. GDPR isn't a one-shot project. Data, systems, and your business all change. Set a calendar reminder to walk through your ROPA once a year.

Further reading

Resource | What it covers
-------- | --------------
ICO guide for small businesses | The official UK regulator's plain-English guidance. Free, comprehensive, and what your local rep at the ICO will likely point you to
ISO/IEC 27701:2025 | The international standard for evidencing your GDPR compliance. See our ISO 27701 explainer
Statement of Applicability on request | A worked example of how to map your technical controls to UK GDPR Articles 5, 25, 28, 30, 32, and 33
How AI changes the GDPR picture | Our specific take on where the new risk sits — the privacy controls your auditor wants

The one-sentence summary

If you handle data about identifiable individuals — and almost every business does — UK GDPR applies to you, the ICO will hold you to it, and the most common breach happening in 2026 is pasting client data into ChatGPT without thinking. Get the basics right and put a sensible filter between your team and the public LLMs, and the rest is mostly common sense.
