CRM and GDPR: A Compliance Checklist for UK Small Businesses
I had a call with a local consultancy last year. They were using a CRM, growing nicely, and completely unaware that they had not paid the ICO fee in three years. Not malicious, not reckless, just hadn’t been told. The fine was not catastrophic, but the cleanup was painful: a backlog of subject access requests, unclear retention periods, and a marketing list built on dubious consent.
GDPR compliance is not glamorous. It is also not optional, and for a small business, it is not as complicated as the 2018 press coverage suggested. Here is what you actually need to have in place if your CRM holds personal data about UK individuals.
The Five Things That Actually Matter
The UK GDPR is a long document. For a small business with a CRM, the operational bar comes down to five areas. Get these right and you are most of the way there:
- A lawful basis for every contact in the CRM.
- A retention rule for every type of record.
- A way to handle subject rights requests within 30 days.
- Reasonable security controls and a breach response plan.
- A paid ICO data protection fee and a privacy notice that reflects reality.
Everything else flows from these. The ICO’s own guidance for organisations is the definitive source, but it assumes you have time to read 80 pages. This article is the five-page version aimed at people who actually run a business.
1. Lawful Basis: Why Is Each Contact in Your CRM?
Under UK GDPR, you need a specific lawful reason to hold someone’s personal data. You cannot scrape names off LinkedIn and drop them into your CRM “just in case”. For most small businesses, three lawful bases do almost all the work.
| Lawful basis | When it applies | Typical CRM use case |
|---|---|---|
| Consent | The contact actively agreed | Marketing lists, newsletter signups |
| Legitimate interest | You have a genuine business purpose that does not override the contact’s rights | Business-to-business prospecting, existing enquirers |
| Contract | The data is needed to deliver a service | Active clients paying for work |
In practice, a small CRM often contains all three. That is fine, as long as you know which basis applies to which group of contacts. Tag them (see our guide on tags and custom fields) so you can filter by basis and act differently for each.
Getting consent right
If you are relying on consent, it must be a clear, specific, affirmative action. Pre-ticked boxes do not count. Consent for marketing emails is different from consent for cookies or data sharing with third parties; you cannot bundle them.
For existing contacts where you are unsure, the safest move is to ask again. A one-off “we want to keep sending you this, click here to confirm” campaign is better than sitting on a list you cannot defend.
Getting legitimate interest right
Legitimate interest is the most misunderstood basis. It does not mean “I’m interested in their data”. It means you have a clear business purpose, the processing is necessary for that purpose, and the contact’s rights do not override it.
B2B prospecting usually qualifies. Scraping a personal email address from a consumer context usually does not. If you rely on legitimate interest, write a short Legitimate Interest Assessment (LIA) once per activity. Half a page is fine. The ICO’s direct marketing guidance sets out the specifics for marketing communications.
2. Retention: How Long Can You Keep It?
UK GDPR requires that you do not keep personal data longer than necessary. Vague, but the operational translation is concrete: every type of record in your CRM needs a retention rule.
A reasonable starting point:
| Record type | Typical retention | Why |
|---|---|---|
| Active client | Duration of relationship + 6 years | HMRC records typically need to be held for 6 years |
| Former client | 6 years from last transaction | Tax, legal, and complaint windows |
| Prospects (enquired but never converted) | 12 to 24 months | Any longer is hard to justify under data minimisation |
| Dormant newsletter subscribers | 12 months of inactivity, then re-consent or delete | Consent expires in spirit, not on a fixed date |
| Unsuccessful job applicants | 6 to 12 months | Long enough to consider for future roles |
Set these as CRM tags, custom fields, or segments, and schedule a quarterly review to delete or anonymise anything past its window. Combine this with regular data cleanup and the list stays fresh, legal, and genuinely useful.
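The quarterly review described above is easy to turn into a script once every record type carries a tag. The following is an added example, not code from the article or from any CRM product: it takes the retention table as a rule set and returns the action to take for each contact (keep, re-consent, anonymise, delete, or "needs_rule" when a record type has no rule yet). The record types, field names, windows and sample contacts are assumptions made for the example; the one deliberate choice is that former clients are anonymised rather than deleted, so the tax-relevant transaction history survives without the identifying fields.

```python
"""Retention sweep for CRM records (added example, not from the article).

Applies a per-record-type retention rule to a constructed set of CRM records
and returns the action a quarterly review should take: keep, re-consent,
anonymise, delete, or needs_rule. Record types, field names and the sample
data are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention windows in days, following the article's starting-point table.
# Active clients are keyed off the end of the relationship, so an active
# record with no end date is always kept.
SIX_YEARS = 6 * 365
RETENTION_DAYS = {
    "former_client": SIX_YEARS,  # 6 years from last transaction
    "prospect": 24 * 30,         # upper end of the 12 to 24 month range
    "subscriber": 365,           # 12 months of inactivity, then re-consent
    "applicant": 12 * 30,        # upper end of the 6 to 12 month range
}


@dataclass
class Contact:
    contact_id: str
    record_type: str      # one of the RETENTION_DAYS keys or "active_client"
    lawful_basis: str     # "consent", "legitimate_interest" or "contract"
    last_activity: date   # last transaction / enquiry / click / application
    relationship_end: Optional[date] = None  # only meaningful for active clients


def review_action(c: Contact, today: date) -> str:
    """Return the action for one contact on the review date."""
    if c.record_type == "active_client":
        if c.relationship_end is None:
            return "keep"
        # Once the relationship ends the record is effectively a former client:
        # retain for 6 years from the end date, then anonymise.
        age = (today - c.relationship_end).days
        return "keep" if age <= SIX_YEARS else "anonymise"
    limit = RETENTION_DAYS.get(c.record_type)
    if limit is None:
        # No retention rule for this type: surface the gap instead of guessing.
        return "needs_rule"
    age = (today - c.last_activity).days
    if age <= limit:
        return "keep"
    if c.record_type == "subscriber" and c.lawful_basis == "consent":
        # Dormant consent-based subscribers get one re-consent attempt before deletion.
        return "re-consent"
    if c.record_type == "former_client":
        # Transaction history may still be needed for tax: strip identifying
        # fields rather than deleting the row.
        return "anonymise"
    return "delete"


def run_review(contacts, today: date) -> dict:
    """Map contact_id -> action for a whole CRM export."""
    return {c.contact_id: review_action(c, today) for c in contacts}


# Constructed sample data for the example (not real contacts).
TODAY = date(2025, 6, 30)
SAMPLE_CONTACTS = [
    Contact("c1", "active_client", "contract", date(2025, 6, 1)),
    Contact("c2", "former_client", "contract", date(2018, 1, 15)),       # over 6 years
    Contact("c3", "prospect", "legitimate_interest", date(2024, 9, 1)),   # about 10 months
    Contact("c4", "prospect", "legitimate_interest", date(2023, 1, 1)),   # about 30 months
    Contact("c5", "subscriber", "consent", date(2024, 3, 1)),             # about 16 months dormant
    Contact("c6", "applicant", "legitimate_interest", date(2024, 5, 1)),  # about 14 months
    Contact("c7", "mystery", "consent", date(2025, 1, 1)),                # no rule defined
]

if __name__ == "__main__":
    for cid, action in run_review(SAMPLE_CONTACTS, TODAY).items():
        print(cid, action)
```

Run it against an export each quarter and act on the "delete" and "anonymise" rows; a "needs_rule" row is the script telling you a record type slipped into the CRM without a retention rule, which is the finding the audit question about written retention rules is looking for.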
3. Subject Rights: The 30-Day Clock
UK GDPR gives individuals specific rights over their data. You have one calendar month from receipt of a valid request to respond. For a CRM, three rights come up most often:
- Right of access (SAR). The contact asks what data you hold. You provide a copy, plus an explanation of why you hold it.
- Right to erasure (right to be forgotten). The contact asks you to delete. You must, unless you have a legal reason to keep some of it (for example, tax records).
- Right to object to marketing. If someone unsubscribes or asks not to be marketed to, you must stop immediately, not at the next marketing cycle.
Making these practical
To handle requests without drama, you need two capabilities:
- Find everything. A request covers every system, not just the CRM. Check the CRM, email, accounting software, support tickets, integrations, and backups. A contact’s data tends to be in more places than you expect.
- Delete cleanly. Deleting in the CRM does not remove exports sitting on a laptop or in a marketing platform. A well-maintained CRM with tight segmentation and a clear list of integrations is the difference between a 30-minute task and a full day of panic.
Document a simple SAR/erasure process once, even if it is a one-page Google doc. When a request arrives, you follow the checklist instead of inventing the process under time pressure.
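The two capabilities above (find everything, delete cleanly) and the carve-out in the erasure right (keep what you have a legal reason to keep, and say so) fit in one small handler. The following is an added example, not code from the article or from any CRM or accounting product: it walks a set of constructed systems, deletes every record matching the requester, anonymises the ones under a legal hold instead of deleting them, and records the requester in a suppression list so the right to object keeps holding after the contact row is gone. The system names, record shapes, the "invoice" legal hold and the sample data are assumptions for the example.

```python
"""Erasure-request handler across several systems (added example, not the article's).

Locates every record for the requester in a constructed set of systems,
deletes or anonymises each, retains records that carry a legal reason
(here: invoices, for tax records) in anonymised form, and produces the
explanation owed to the requester. System names, field names and sample
data are assumptions made for this example.
"""
import copy
import hashlib

# Fields that identify a person; these are what anonymisation removes.
PII_FIELDS = {"name", "email", "phone", "notes"}

# Record kinds with a legal reason to retain, mapped to the reason told to the requester.
LEGAL_HOLD = {"invoice": "tax records retained for 6 years"}


def pseudonym(email: str) -> str:
    """Stable, non-reversible token so retained invoices still link to one unnamed customer."""
    return "erased-" + hashlib.sha256(email.strip().lower().encode()).hexdigest()[:12]


def handle_erasure(systems: dict, email: str):
    """Return (updated systems, suppression entry, response lines).

    `systems` maps a system name to a list of record dicts; every record has a "kind".
    The input is not modified; the caller commits the returned copy once it is happy.
    """
    systems = copy.deepcopy(systems)
    token = pseudonym(email)
    response = []
    for system, records in systems.items():
        kept = []
        for rec in records:
            if rec.get("email", "").strip().lower() != email.strip().lower():
                kept.append(rec)
                continue
            reason = LEGAL_HOLD.get(rec["kind"])
            if reason:
                # Retain the record, strip identifying fields, keep a link via the token.
                anon = {k: v for k, v in rec.items() if k not in PII_FIELDS}
                anon["customer_ref"] = token
                kept.append(anon)
                response.append(f"{system}: {rec['kind']} retained in anonymised form ({reason})")
            else:
                response.append(f"{system}: {rec['kind']} deleted")
        systems[system] = kept
    # The suppression list stores only the token, so the erased address is not re-stored in clear.
    suppression = {"token": token, "reason": "erasure request; do not re-add or market"}
    return systems, suppression, response


def is_suppressed(suppressions, email: str) -> bool:
    """Check an address against the suppression list before any import or campaign."""
    token = pseudonym(email)
    return any(s["token"] == token for s in suppressions)


# Constructed sample data for the example (not real people or systems).
SAMPLE_SYSTEMS = {
    "crm": [
        {"kind": "contact", "name": "A. Example", "email": "a@example.test",
         "phone": "0100", "lawful_basis": "contract"},
        {"kind": "contact", "name": "B. Other", "email": "b@example.test",
         "phone": "0200", "lawful_basis": "consent"},
    ],
    "accounting": [
        {"kind": "invoice", "number": "INV-1", "name": "A. Example",
         "email": "a@example.test", "amount": 120.0},
    ],
    "mailer": [
        {"kind": "subscriber", "email": "A@Example.test", "status": "active"},
    ],
}

if __name__ == "__main__":
    updated, entry, lines = handle_erasure(SAMPLE_SYSTEMS, "a@example.test")
    for line in lines:
        print(line)
    print("suppressed:", is_suppressed([entry], "a@example.test"))
```

The response lines are the text you send back within the month: what was deleted, what was kept and why. The matching is case-insensitive because the same person tends to appear with different capitalisation in different tools, which is exactly how one copy gets missed.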
4. Security: The Baseline, Not Fort Knox
You do not need SOC 2 certification for a five-person business. You do need reasonable security controls that match the sensitivity of the data. In practice, that means:
- Strong unique passwords on every CRM account. No shared logins. Ever.
- Two-factor authentication enabled. The NCSC’s 2SV guidance is a good reference for how to explain this to a team.
- Role-based access. Not everyone needs admin. Most people need view/edit on their own records only.
- A record of who has access. Review quarterly. Revoke on the day someone leaves.
- Encrypted connections. Your CRM should be HTTPS-only. Managed CRMs handle encryption at rest; confirm yours does.
- A breach response plan. Written down. Three pages is plenty.
If you are starting from zero on CRM security, our CRM security guide covers this in more depth. The UK Government’s Cyber Security Breaches Survey 2025 puts the incidence of small-business attacks at around 43%. Baseline controls block most of that.
What to do if you have a breach
If personal data is exposed in a way that risks individuals’ rights and freedoms, you must report it to the ICO within 72 hours. The ICO’s breach reporting portal is the place to do it. You may also need to tell affected individuals directly. Not every breach requires notification. When in doubt, report: the ICO is generally more lenient with businesses that come forward than with ones that get caught concealing.
5. The Administrative Bits
Two things most small businesses overlook, both of which the ICO will check first in any enquiry:
Pay the data protection fee
Any organisation that processes personal data electronically for commercial purposes pays an annual fee to the ICO. Tier 1 is £52 for most small businesses (under 10 staff and £632k turnover), Tier 2 is £78, and Tier 3 is £3,763 for larger organisations. It is a legal requirement. The ICO maintains a public enforcement register that includes fines for non-payment.
Publish a privacy notice
Your website must have a privacy notice that tells visitors, in plain English:
- Who you are and how to contact you
- What data you collect and why
- Your lawful basis
- How long you keep it
- Who you share it with (including your CRM provider)
- The rights the individual has
- How to complain to the ICO
A 500-word page is plenty. Update it when your CRM provider or marketing stack changes. The notice has to reflect what you actually do, not a generic template from 2018.
A 12-Point Quick Audit
If you want to check your position in 30 minutes, run through this list:
- Can you state the lawful basis for every contact group in your CRM?
- Is there a Legitimate Interest Assessment for any group relying on that basis?
- Do you have a written retention rule per record type?
- Is there a process for deleting or anonymising data past its retention window?
- Can you find every place a contact’s data lives in under 10 minutes?
- Do you have a written SAR and erasure procedure?
- Is 2FA enabled on every CRM user account?
- Do all users have unique logins (no sharing)?
- Are access permissions reviewed at least quarterly?
- Do you have a written breach response plan?
- Is the ICO data protection fee paid and up to date?
- Does your privacy notice match what you actually do?
A “no” on any of these is not a disaster. It is a task on next week’s to-do list. Work through them in order. The first five cover the substantive obligations; the last seven cover the practical controls and paperwork.
Where People Get This Wrong
Three patterns I see repeatedly in small businesses:
Treating GDPR as a one-time project. It is an ongoing discipline. New clients, new integrations, new team members: every change is a potential compliance event. Build a quarterly half-hour review into your calendar. Fifteen minutes of maintenance beats a week of firefighting after a request or incident.
Overclaiming on consent. Consent requires clear, affirmative action. A contact form with a “by submitting this form you agree to receive marketing” sentence underneath is not consent. If you want consent, make it an unticked opt-in checkbox.
Ignoring integrations. Your CRM might be compliant. Your email platform might be compliant. But if your Zapier flow syncs data to a third tool whose privacy notice you have never read, you have created a problem. Review every integration at least annually.
Compliance Is a CRM Feature, Not a Tax
A well-run CRM with clear segmentation, documented retention, and tight access control is easier to use and more valuable to the business. It also happens to be compliant. Most of the “GDPR work” people dread is the same work that turns a messy spreadsheet into a useful system.
If your CRM is already organised, this article is a checklist. If it is not, start with a cleanup, then add the governance on top. The businesses I have seen do this well treat compliance as a side-effect of good data hygiene, not a separate initiative. That framing makes it a lot less painful, and a lot more effective.
Next steps if you are behind: pay the ICO fee today, write your three-page privacy notice this week, and schedule a quarterly review recurring forever. Everything else slots in around those three anchors.
Frequently asked questions
Does GDPR apply to my CRM if I only have a handful of contacts?
Yes. UK GDPR applies to any organisation that processes personal data of individuals in the UK, regardless of size. A CRM with even 10 contacts is covered. There is no small-business exemption, although the rules on record-keeping are lighter for organisations with fewer than 250 employees.
What lawful basis should I use for holding clients in my CRM?
Most small businesses rely on either consent (the contact actively agreed to hear from you) or legitimate interest (you have an ongoing business relationship). Contract is the right basis for existing paying clients. Document which basis you are using for which group of contacts. Do not mix them inside the same list without clear records.
How long can I keep client data in my CRM?
Only as long as you have a lawful reason to. For active clients, that is as long as the business relationship continues. For past clients, align retention with your tax and legal obligations (typically 6 years in the UK). For prospects who never became clients, a shorter window such as 12 to 24 months is usually appropriate. Set retention rules per contact type, not per database.
Do I need to register with the ICO if I use a CRM?
In most cases, yes. Any UK business that processes personal data electronically is required to pay a data protection fee to the ICO unless it qualifies for an exemption. The fee depends on your size and turnover. It is a legal requirement, not optional, and failing to pay can result in a fine.
What do I do if a client asks me to delete their data?
You have one month to respond to a deletion request (or a subject access request). Confirm the request in writing, find every place the data lives (CRM, email, accounting, backups), and delete or anonymise it. If you have a lawful reason to keep some data (for example, HMRC tax records), you can retain that portion but must explain why to the requester.