What does UK GDPR require from an early-stage startup?

By SuLe · Updated 8 June 2026

UK GDPR asks an early-stage startup for a handful of concrete things: a lawful basis for each use of personal data, a clear privacy notice, security proportionate to the risk, a way to handle people's rights, contracts with your processors, and a breach procedure. None of it requires a big compliance team — it requires knowing what data you hold and why.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • You need a lawful basis for every purpose you use personal data for — consent, contract, legitimate interests and others.
  • A privacy notice is mandatory under the transparency rules (Articles 13–14) whenever you collect data.
  • You must answer a data subject access request (DSAR) within one month.
  • UK GDPR Article 28 requires a written contract with every processor that handles personal data for you.
  • Notifiable personal-data breaches must reach the ICO within 72 hours of awareness.

What is UK GDPR, and does it apply to my startup?

UK data protection law is UK GDPR plus the Data Protection Act 2018 plus PECR for marketing and cookies, all regulated by the ICO and now amended on a phased basis by the Data (Use and Access) Act 2025.

It applies the moment you process personal data — any information about an identifiable living person. A name, an email, an IP address or a user ID all count, so almost every startup is in scope from its first sign-up.

Size gives no exemption. A solo founder with a waitlist has the same core duties as a scale-up; the difference is proportionality, not whether the rules apply at all.


What are the core duties in practice?

Six things carry most of the load. First, a lawful basis for each purpose — the legal justification, usually consent, contract or legitimate interests. Second, a privacy notice telling people what you do with their data.

Third, security appropriate to the risk: access controls, encryption where sensible, no shared logins. Fourth, honouring individual rights, including answering a DSAR within one month. A DSAR is a person's request for a copy of the data you hold on them.

Fifth, Article 28 contracts with every processor — your host, analytics and email tools. Sixth, a breach procedure, because notifiable breaches must reach the ICO within 72 hours.


What paperwork does an early startup actually need?

Less than founders fear, but not nothing. A privacy notice is non-negotiable. So is a basic record of processing under Article 30 — the small-organisation carve-outs are only partial and fall away for regular or higher-risk processing.

You also need data processing agreements with suppliers, and, if you use non-essential cookies, a consent mechanism. High-risk processing — large-scale profiling or handling special-category data — additionally needs a data protection impact assessment, a structured risk review done before you start.

Special-category data means sensitive information like health, ethnicity or biometrics, which carries extra conditions. Most seed-stage startups can capture all this in a short, honest data map plus a few templates kept up to date.

RequirementApplies whenWhat it looks like
Lawful basisEvery use of personal dataA decision recorded per purpose
Privacy noticeYou collect any personal dataPublic privacy policy page
Records of processing (Art. 30)Most processing; carve-outs partialA simple data map
Processor contracts (Art. 28)A supplier processes data for youSigned DPA per processor
DPIAHigh-risk processingRisk assessment before launch
Breach procedureAlways72-hour ICO notification plan

How do I handle people's rights and requests?

You have to recognise a request when it lands and act inside the deadline. Rights include access (the DSAR), correction, erasure, objection and, in some cases, portability.

The headline clock is the DSAR: one month to respond, extendable by up to two months for complex or numerous requests if you tell the person within the first month. Erasure and objection requests have their own logic but similar urgency.

The practical failure is not refusing requests — it is missing them because they arrived by DM or support ticket rather than a formal letter. Train whoever reads your inboxes to spot and escalate them.


Worked example

Tomas builds Fitloop, a fitness-tracking app, and collects names, emails and workout logs. Some of that — health-related activity data — is close to special-category data, so he treats it carefully.

He sets a lawful basis for each use (contract for running the app, consent for marketing), publishes a privacy notice, and signs Article 28 DPAs with his host and email provider. He writes a one-page data map to satisfy Article 30 and runs a short DPIA because he is profiling health-adjacent data at scale.

Three months in, a user emails asking for all their data. Tomas recognises it as a DSAR, exports the records, and replies inside the one-month window — no drama, because he built the muscle early.


Where founders go wrong

  • Skipping the lawful-basis step.

    "We'll sort compliance later" means you are processing without a justification the law requires from day one.
  • Assuming small means exempt from records.

    Article 30's carve-outs are partial; regular or risky processing still needs a data map.
  • Missing a DSAR in the support queue.

    Requests rarely arrive labelled — the one-month clock starts whether you notice or not.
  • Treating sensitive data casually.

    Health, biometric or similar data triggers extra conditions and often a DPIA.

Related questions

What is the difference between UK GDPR and the Data Protection Act 2018?

UK GDPR sets the core principles and rights; the Data Protection Act 2018 fills in the UK-specific detail and exemptions, and together with PECR they form UK data protection law, regulated by the ICO. The Data (Use and Access) Act 2025 then amends this framework on a phased basis, so some rules are still bedding in.

How long do I have to answer a data subject access request?

One month from receiving the request. A data subject access request, or DSAR, is someone asking for a copy of the personal data you hold on them. You can extend by up to two further months for complex or numerous requests, but you must tell the person within the first month if you do.

Do small startups have to keep records of processing?

Yes, in most cases. Article 30 requires records of your processing activities, and the small-organisation carve-outs are only partial — they fall away where processing is regular, risky or involves special-category data, which covers a lot of what startups do. A simple, honest data map is the practical answer.

When does a startup need a DPIA?

A data protection impact assessment is required for high-risk processing — for example large-scale profiling, tracking, or handling special-category data at scale. It is a structured risk assessment you do before you start. Many early startups never trigger it, but anything involving sensitive data or systematic monitoring should be assessed. [More: What is a data processing agreement (DPA) and when do I need one?]


UK GDPR rewards founders who map their data early and punishes those who bolt compliance on after a breach or a due diligence request. A SuLe solicitor can turn "we should probably look at GDPR" into a short, right-sized set of documents and habits. Book a free compliance check call and get compliant without overbuilding.

Keep reading: Does my startup need to register with the ICO? · What is a data processing agreement (DPA) and when do I need one? · What happens if my startup has a data breach? · Do I need a data protection officer (DPO)? · Can I transfer user data outside the UK? · Do I need terms and conditions and a privacy policy for my startup?

Primary sources: ICO — For organisations · GOV.UK — Data protection

AI-generated content. General information, not legal advice.