Most GDPR Guides Are Not Written for You
If you have ever searched for GDPR small business advice, you have probably landed on a 6,000-word legal document that left you more confused than when you started. So here is the short version: GDPR does apply to your small business, but what you actually need to do depends on what kind of data you collect and what you do with it. Most small businesses can get compliant without hiring a lawyer.
Does GDPR Apply to Small Businesses?
Yes. The General Data Protection Regulation applies to any organisation that collects or processes personal data from people in the EU – regardless of size. There is no “too small to care” threshold.
That said, there is one meaningful exemption: businesses with fewer than 250 employees are not required to keep written records of their data processing activities – unless:
- The processing poses a risk to people’s rights or freedoms
- It is not occasional (i.e. you do it regularly)
- It includes special categories of data (health, religion, political views, etc.)
In practice, if you send marketing emails, run a website with analytics, or manage a customer database, you process data regularly – so the exemption probably does not apply to you.
What Does GDPR Actually Require?
Here is what most small businesses need to have in place:
| What | What It Means in Practice |
|---|---|
| Privacy policy | A clear page on your website explaining what data you collect, why, and who you share it with |
| Cookie consent | A proper cookie banner that lets users accept or decline non-essential cookies (analytics, ads) before they are set |
| Lawful basis for processing | A valid reason for every type of data you collect – consent, contract, legitimate interest, legal obligation |
| Data Processing Agreements | Contracts with any third-party tools that handle your users’ data (email platforms, CRMs, analytics tools) |
| Subject access request process | A way for people to request, correct, or delete their data – you have one month to respond |
| Breach notification | If you suffer a data breach, you must notify your national data protection authority within 72 hours |
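One way to meet the "before they are set" requirement in the cookie consent row, as an added example that is not code from the original article: non-essential scripts ship inert and are only activated for the categories the visitor has opted into. The cookie name `cookie_consent`, its JSON shape and the `data-consent` attribute are assumptions of this example.

```javascript
// Added example, not from the article: consent-gated loading of non-essential
// scripts so analytics/ads cookies are not set before the visitor opts in.
// Assumed conventions: a "cookie_consent" cookie holding JSON such as
// {"analytics":true,"ads":false}, and non-essential scripts shipped inert as
// <script type="text/plain" data-consent="analytics"> tags.

const CONSENT_COOKIE = 'cookie_consent';
const NON_ESSENTIAL = ['analytics', 'ads'];

// Parse a document.cookie string into a consent record. Anything missing,
// malformed or not explicitly true is treated as "not consented" (opt-in only).
function parseConsent(cookieString) {
  const consent = { analytics: false, ads: false };
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      for (const cat of NON_ESSENTIAL) consent[cat] = stored[cat] === true;
    } catch (e) { /* malformed value: leave every category denied */ }
  }
  return consent;
}

// Serialise the visitor's choice for document.cookie; Path and SameSite keep the
// record scoped to this site, Max-Age (180 days) bounds how long it is remembered.
function serialiseConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax`;
}

// Activate inert scripts whose data-consent category the visitor allowed.
// `doc` is the DOM document (or a stand-in in tests); returns the categories
// that were activated. Denied or unknown categories stay inert.
function applyConsent(consent, doc) {
  const activated = [];
  const inert = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const el of Array.from(inert)) {
    const category = el.getAttribute('data-consent');
    if (consent[category] !== true) continue;
    const live = doc.createElement('script');
    const src = el.getAttribute('src');
    if (src) live.src = src; else live.text = el.textContent;
    el.parentNode.replaceChild(live, el); // the browser runs it on insertion
    activated.push(category);
  }
  return activated;
}

// On page load apply the stored choice; a banner's "accept" handler would set
// document.cookie = serialiseConsent(choice) and then call applyConsent again.
if (typeof document !== 'undefined') applyConsent(parseConsent(document.cookie), document);
```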
The Tools You Use Are Part of the Picture Too
One thing many small business owners miss: if you use a US-based tool to handle customer data – a CRM, email marketing platform, cloud storage service – you need to check whether that transfer is covered by a valid legal mechanism under GDPR.
This matters more than most people realise. US companies can be compelled to hand over your customers’ data to US authorities under the CLOUD Act, even if the data is stored on European servers. If that happens, and you have no legal basis for that transfer, you could be in breach – even though you did nothing wrong. It is worth reading up on before you sign up for any US-based service.
Do You Need a Data Protection Officer?
Most small businesses do not. You only need a formal Data Protection Officer (DPO) if:
- You are a public authority
- Your core activity involves large-scale, systematic monitoring of people
- Your core activity involves large-scale processing of special category data (health, criminal records, etc.)
If none of those apply to you, you do not legally need a DPO – but designating someone internally to handle data protection questions is still good practice.
Where to Register and Who Oversees You
Every EU member state has its own data protection authority (DPA). You are supervised by the DPA in the country where your business is established. If you operate across multiple EU countries, the “lead supervisory authority” is usually the DPA where your main EU establishment is.
A full list of national DPAs is available on the European Data Protection Board website.
What Are the Fines?
GDPR fines are calculated as a percentage of global annual turnover, not a flat fee – so they scale with the size of the business. There are two tiers:
- Up to €10 million or 2% of global turnover – for technical violations (no proper records, no data processing agreement, etc.)
- Up to €20 million or 4% of global turnover – for serious violations (processing without legal basis, ignoring individual rights, etc.)
In practice, regulators tend to focus their enforcement on larger organisations. But small businesses have been fined – particularly for things like invalid cookie consent, sending unsolicited marketing emails, or failing to respond to access requests.
Quick Answers
Does GDPR apply if I only have a few customers?
Yes. GDPR applies based on what type of data you process, not how many customers you have.
Do I need consent for everything?
No. Consent is one legal basis, but not the only one. Legitimate interest, contract performance, and legal obligation are also valid – and often more appropriate.
What counts as personal data?
Any information that can identify a person, directly or indirectly. Names, email addresses, IP addresses, cookie IDs, and location data all count.
Can I use a US email platform like Mailchimp?
Yes, but you need to make sure there is a valid transfer mechanism in place (Standard Contractual Clauses, or the provider’s certification under the EU-US Data Privacy Framework). Check the provider’s data processing agreement (DPA) before signing up.
