Quick answer: Almost every Devon small business must register with the ICO, publish a current privacy notice, name a lawful basis for each processing purpose, keep records of what it does with personal data, respond to subject access requests within one month, and report serious breaches inside 72 hours. AI tools have made the rules tighter, not looser.
Why this still matters in 2026
UK GDPR has been in force since 2018, first as the EU Regulation and from 2021 as the Retained Regulation (EU) 2016/679 that sits alongside the Data Protection Act 2018. Eight years in, the rules are no longer new, but small business compliance is still patchy. The Information Commissioner's Office has spent 2025 and 2026 sharpening its focus on smaller operators, partly because public complaints have risen and partly because AI tools have changed the risk picture overnight.
For a Devon business, the practical question is simple. If a customer, a former employee, a care resident's family member, or a competitor decided to complain to the ICO tomorrow, would your paperwork hold up? In most of the businesses we audit, the honest answer is no, not yet. The good news is that none of this is hard once you know what is required. The rest of this article walks through it.
ICO registration and the data protection fee
Every organisation that processes personal data on a computer must pay an annual data protection fee to the ICO and appear on the public register. There are limited exemptions, mainly for some not-for-profits, members' clubs and certain processing carried out for personal or household reasons, but they are narrow. A sole trader hairdresser holding client contact details on a phone needs to register. A Devon holiday let owner taking guest bookings on a laptop needs to register. A small care provider almost always needs to register.
The fee structure has three tiers:
- Tier 1: micro organisations with a turnover under £632,000 or 10 or fewer staff. Fee is around £40 to £60 a year
- Tier 2: small and medium organisations with up to 250 staff. Fee is around £60 to £70 a year
- Tier 3: larger organisations or those carrying out specific types of processing. Fee is up to £2,900 a year
Failure to pay is itself a breach. The ICO publishes the names of organisations it has issued penalties to for non-payment, and once you appear on that list it is the first thing a journalist or a worried customer finds when they search your name. The fee is paid online at ico.org.uk and takes around 15 minutes. There is no reason to be exposed on this point.
Privacy notices: what they must say
A privacy notice is the document that tells people how you use their personal information. It is the single most-checked document in any ICO investigation because it sits in public on your website. If it is missing, out of date, or generic, the ICO will know within minutes of opening a complaint file.
Under the rules, your privacy notice must include:
- The identity and contact details of your business as the data controller
- The purposes for which you process personal data, expressed clearly and not in vague phrases like "to provide our services"
- The lawful basis you rely on for each purpose
- The categories of personal data you collect
- The recipients or categories of recipients you share data with, including processors such as your accountant, your payroll bureau or your cloud booking system
- How long you keep each category of data, or the criteria you use to decide
- The rights people have: access, rectification, erasure, restriction, objection, portability and the right to withdraw consent
- The right to lodge a complaint with the ICO, with the ICO contact details
- Whether any decisions are made automatically and the logic involved
It must be available before or at the point you first collect the data. On a website, that means linked from every form. In a care home, that means handed to families during admission and signposted clearly. In a hospitality business, that means linked from your booking confirmation. A privacy notice locked away on a single page nobody can find does not meet the rule.
Most of the privacy notices we review during a TestSafe GDPR audit were drafted in 2018, paste a generic template, and have never been updated to reflect the actual cloud tools, AI tools and third party processors the business now uses. That gap alone is the most common ICO finding against small businesses.
Lawful basis: pick one per purpose and write it down
UK GDPR sets six lawful bases for processing personal data. You must choose at least one for every purpose you have, document the choice, and make sure it is reflected in your privacy notice. The six are:
- Consent: freely given, specific, informed and unambiguous. Pre-ticked boxes and bundled consent do not work
- Contract: necessary to deliver a service the person has asked for, or to take steps before entering into a contract
- Legal obligation: required by another law, such as keeping payroll records for HMRC
- Vital interests: necessary to protect someone's life, in practice limited to emergency situations
- Public task: carrying out a task in the public interest with a basis in law, mainly relevant to public bodies
- Legitimate interests: a balancing test between your interests and the rights of the individual, with a written assessment to back it up
Most small Devon businesses end up using a mix. Payroll runs on legal obligation. Customer bookings run on contract. Marketing emails to existing customers tend to run on legitimate interests with a clear opt-out. Marketing to people who are not yet customers needs consent. The mistake we see most often is using consent for everything, then collecting it badly, when contract or legitimate interests would have been the correct basis and would not have needed a tick box at all.
Records of Processing Activities
A Record of Processing Activities, often called a ROPA, is an internal document that lists what personal data you hold, why you hold it, who you share it with, how long you keep it, and how you protect it. Under Article 30 of UK GDPR there is a limited exemption for organisations with fewer than 250 staff, but the exemption does not apply where processing is not occasional, where it involves special category data such as health or religion, or where it could affect rights and freedoms.
In plain terms, that means almost every Devon care provider, dental practice, holiday let, salon and hospitality business needs a ROPA, because they all process either special category data or regular customer data on a continuous basis. The exemption is rarely available in practice.
A ROPA does not need to be complicated. A spreadsheet with one row per processing activity covering categories of data, purpose, lawful basis, recipients, retention period and security measures will satisfy the rule. What it cannot do is sit in your head. If the ICO asks for a copy and you cannot produce one, the answer "we know what we do" is not a defence.
Subject Access Requests: one month, no excuses
A Subject Access Request, or SAR, is the right of any individual to ask what personal data you hold about them and to receive a copy. SARs are now one of the leading sources of ICO complaints against small businesses, partly because they are often used by former employees in dispute, partly because customers know more about their rights than they did a few years ago.
The rules are:
- Respond within one calendar month of receiving the request
- You can extend by up to two further months for complex or multiple requests, but you must tell the requester within the first month and explain why
- Verify identity before disclosing anything, especially where the request comes by email from an address you cannot confirm
- Provide the data in a commonly used electronic format unless the request was on paper
- You can withhold third party personal data, legally privileged content and certain other narrow exceptions, but you must redact carefully and consistently
- You cannot normally charge a fee unless the request is manifestly unfounded or excessive
The two patterns that lead to ICO enforcement are silence and over-disclosure. Either the business never responds because they hoped the request would go away, or they hand over a bundle that includes information about other staff or clients without redacting. Both are easy to avoid with a written SAR procedure that anyone in the business can follow.
Data breach: the 72-hour clock
A personal data breach is any security incident that affects the confidentiality, integrity or availability of personal data. That covers the obvious cases, a stolen laptop, a hacked email account, a ransomware attack, and the everyday ones, a misdirected email, a lost paper file, a USB stick left on a train.
Where the breach is likely to result in a risk to the rights and freedoms of the people whose data is affected, you must notify the ICO within 72 hours of becoming aware of it. Where the risk is high, you must also notify the affected people directly without undue delay. For care, dental and hospitality businesses processing health data or financial data, most breaches will cross the threshold.
Even when a breach does not need to be reported, you must keep an internal record of it. The ICO can ask to see your breach log and the reasoning you applied. A blank log after a year of trading is not a sign that nothing happened, it is a sign that nothing was recorded.
AI tools at work: the 2026 elephant in the room
In 2024 and 2025 the use of public AI tools across Devon small businesses went from rare to ubiquitous. By 2026, ChatGPT, Claude, Microsoft Copilot and Google Gemini are being used in care homes to draft handover notes, in salons to write social media copy, in holiday lets to reply to guest enquiries, in dental practices to summarise correspondence, and in tradesperson businesses to draft quotes.
The GDPR question is what happens to the data when someone pastes it in. With most public AI tools, the input is sent to a third party processor, often outside the UK, on terms that the business has not read, has not assessed, has not named in its privacy notice and has no lawful basis for. The ICO published updated guidance on AI and data protection in late 2025 and has been explicit that putting personal data into a public AI tool without proper controls is a processing activity in its own right, with all the obligations that brings.
Every Devon business that lets staff use AI tools should have a written AI usage policy. As a minimum the policy should cover:
- The list of approved AI tools that the business has actually assessed
- A clear prohibition on putting personal data, special category data or confidential business information into anything not on the approved list
- A requirement for human review of any AI output before it is used in client communication, clinical notes or HR decisions
- Training so staff understand that "pasting it into ChatGPT" is data sharing, not a productivity hack
- An update to the privacy notice if approved tools handle personal data
The TestSafe GDPR and data audit includes a specific review of which AI tools your team is actually using, what they put into them, and whether that is consistent with your privacy notice and lawful basis. It is now the single most common gap we identify.
Special category data in care and health
Some categories of personal data carry tighter rules. Health data, biometric data, genetic data, data about racial or ethnic origin, religious belief, trade union membership, political opinion, sexual orientation and sex life are all special category data. To process any of them you need two things: a lawful basis under the main rules, plus an additional condition that allows special category processing.
For a Devon care provider this is daily reality. Every care plan, every medication record, every safeguarding note involves health data. For a dental practice, every clinical record is health data. For a beauty therapist offering anything more invasive than a haircut, you are likely holding health information about contraindications. The relevant conditions for these businesses are usually those related to health and social care, employment law, or substantial public interest, all set out in Schedule 1 of the Data Protection Act 2018.
Where special category data is involved, you also need an Appropriate Policy Document setting out how you comply with the specific conditions and how long you keep the data. This is a separate document from your privacy notice and many businesses simply do not have it.
What the ICO is actually looking at right now
Based on the ICO's published enforcement actions and regulatory action policy across 2025 and into 2026, the priorities for small business attention are clear:
- Failure to register and pay the data protection fee, the easiest possible enforcement target
- Ignored or mishandled Subject Access Requests, especially from former employees
- Privacy notices that are out of date, missing the lawful basis, or not visible at the point of collection
- AI tool use that has not been assessed, approved or documented
- Data breaches that were not reported and not internally logged
- Unredacted disclosures that release third party personal data alongside the requester's own
- Public complaints about a business name, address or contact detail being misused
None of these require sophisticated forensic investigation. They surface from a single complaint, a quick check of the ICO register, and a look at your website. That is the level of effort an investigator is being asked to put in before deciding whether to escalate.
The Devon angle: why this matters more here
Devon's small business economy leans heavily on sectors that hold special category or sensitive data. Care, dental, hospitality, holiday letting, beauty and personal services are all over-represented compared with the UK average. All of them collect health data, guest data, or identification documents that fall squarely inside UK GDPR.
At the same time, Devon businesses are typically smaller than the national average. The owner is often the receptionist, the marketer and the data protection lead in the same person. That is not a criticism, it is the operating reality of running a service business in a rural county. What it means is that the gap between what the law expects and what is actually in place tends to be wider than it would be in a London corporate with a compliance team.
The fix is not a 50-page policy. It is a clear written record of what you do with personal data, a current privacy notice, a paid ICO registration, a usable SAR procedure, a breach log and an AI usage policy. Get those six things in order and you are ahead of most of your sector.
Where TestSafe fits in
We are not a law firm, we do not provide regulated legal advice, and we do not sell you an annual retainer you will never see the benefit of. What we do is sit down with you on site, work through your actual processing activities against UK GDPR, look at your real privacy notice, check your real ROPA, ask your real staff which AI tools they actually use, and write you a plain-English gap analysis with a priority order.
For most small Devon businesses, the audit takes half a day and the written report follows within five working days. You leave knowing where you stand, what to fix first, and what can wait. For anything that needs a solicitor we will tell you, and for anything that the ICO would treat as urgent we will say so on the day.
This article is for general information only and reflects the law as it stood on the date of publication. It does not constitute legal advice and should not be relied upon as a substitute for advice specific to your situation. TestSafe Compliance provides audit and assessment services only. Where a specific legal question arises, seek advice from a qualified solicitor or employment law specialist.
Frequently asked questions
Does a small Devon business really need to register with the ICO?
Almost certainly yes. Any business that processes personal data on a computer must register with the Information Commissioner's Office and pay the data protection fee unless it falls into one of a narrow set of exemptions. For most Devon SMEs the fee is the tier 1 rate of around £40 to £60 a year. Failing to register is itself an offence and is one of the easiest things for the ICO to spot during a complaint investigation. Sole traders running a salon, a holiday let, a tradesperson business or a care service all normally need to register.
What must a privacy notice contain?
A privacy notice must identify your business, explain why you collect each category of personal data, state the lawful basis for each purpose, list who you share data with, set out how long you keep it, and explain the rights people have including access, erasure, objection and rectification. It must tell people they can complain to the ICO. It must be written in plain English, available before or at the point you collect the data, and updated when your processing changes. Many Devon privacy notices were drafted in 2018 and have never been touched since.
Is putting client information into ChatGPT a GDPR breach?
It can be, and in 2026 the ICO treats this as a priority area. Pasting a care plan, a customer email, a CV or a guest list into a public AI tool transfers personal data to a third party processor that you almost certainly have not assessed, named in your privacy notice or covered by a lawful basis. The fix is an AI usage policy that lists approved tools, prohibits personal data input into anything not on the list, and requires human review of AI output before it is used.
How quickly must I respond to a Subject Access Request?
Within one calendar month of receiving the request. You can extend this by a further two months if the request is complex or there are several requests from the same person, but you must tell them within the first month that you are extending and explain why. You must verify the identity of the requester, provide a copy of the personal data in a usable format, and supply it free of charge in most cases. Ignoring or sitting on a SAR is one of the fastest routes to an ICO complaint.
When does a data breach have to be reported to the ICO?
Within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of the people whose data is affected. A lost laptop with no encryption, a misdirected email containing health data, a ransomware attack or a stolen handover sheet all normally cross that threshold. If the risk is high you must also notify the affected people directly without undue delay. Keep a written record of every incident even where you decide not to report, because the ICO can ask to see the reasoning.