Do Small Companies Need a Data Protection Policy?

The GDPR applies to any organisation processing the personal data of EU residents, regardless of size. In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The only notable concession for smaller organisations is that those with fewer than 250 employees may be exempt from maintaining a full Record of Processing Activities, and only if their processing is occasional, low-risk, and does not involve special category data, a condition most businesses do not meet. All the core obligations (lawful basis, privacy notices, security measures, breach reporting, data subject rights) apply in full.

Compliance can be proportionate and right-sized to your organisation, but it cannot be skipped.
