GDPR for Small Business: A Practical Compliance Guide
Learn what GDPR means for small businesses. This guide covers requirements, exemptions, penalties, and step-by-step compliance for small business owners.
GDPR for small business is not optional, and it is not as overwhelming as it might seem. The General Data Protection Regulation applies to organizations of all sizes, including sole traders, freelancers, and micro-businesses, whenever they process personal data of people in the European Economic Area (EEA).
This guide breaks down exactly what the GDPR requires from small businesses, where the regulation offers flexibility based on business size, and what practical steps you can take to comply without hiring a full legal team. This content is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your business.
What the GDPR Requires from Small Businesses
The GDPR (Regulation (EU) 2016/679) came into effect on May 25, 2018, and applies to any organization that processes personal data of individuals located in the EEA. There is no revenue threshold, no employee count minimum, and no small business exemption in the regulation itself.
Personal data under Article 4(1) of the GDPR means any information relating to an identified or identifiable natural person. For a small business, this includes:
- Customer names, email addresses, and phone numbers
- IP addresses and cookie identifiers collected through your website
- Payment information and transaction histories
- Employee records, including payroll and health data
- Email marketing subscriber lists
- Any data collected through contact forms, booking systems, or CRM tools
If your business collects any of this data from people in the EEA, the GDPR applies to you. This is true even if your business is located outside Europe. A small online store based in the United States that ships products to German customers is subject to the GDPR for those customers' data.
GDPR and Small Businesses: Where the Law Offers Flexibility
While the GDPR does not exempt small businesses outright, several provisions scale obligations based on the size and risk profile of the organization. Understanding these flexibilities is key to practical compliance.
Records of processing activities (Article 30)
Article 30(5) of the GDPR states that organizations with fewer than 250 employees are not required to maintain records of processing activities, unless the processing is likely to result in a risk to the rights of individuals, is not occasional, or involves special categories of data. In practice, most small businesses that regularly process customer data should maintain basic records anyway, because the "not occasional" exception is narrow. A simple spreadsheet listing what data you collect, why, and where you store it satisfies this requirement.
Data Protection Officer
Under Article 37, appointing a Data Protection Officer (DPO) is mandatory only when your core activities involve large-scale, regular, and systematic monitoring of individuals, or large-scale processing of special category data (health, biometric, genetic, political opinions, religious beliefs). A typical small business, such as a restaurant, a local accountancy firm, or an online retailer, does not meet these criteria and is not required to appoint a DPO.
Data Protection Impact Assessments
Article 35 requires Data Protection Impact Assessments (DPIAs) only for processing that is "likely to result in a high risk to the rights and freedoms of natural persons." Small businesses running standard operations like email marketing, order processing, and basic website analytics generally do not trigger this requirement. If you start using CCTV surveillance, employee monitoring software, or automated decision-making that significantly affects individuals, a DPIA becomes necessary.
Step-by-Step GDPR Compliance for Small Businesses
Achieving GDPR compliance as a small business does not require enterprise-level resources. Focus on these steps in order of priority.
1. Conduct a data audit
Map every piece of personal data your business collects. For each data point, document:
- What data you collect (names, emails, IP addresses, payment details)
- Why you collect it (contract fulfillment, legitimate interest, consent)
- Where it is stored (email provider, CRM, spreadsheet, payment processor)
- Who has access to it (employees, third-party processors)
- How long you keep it (define retention periods for each category)
This audit forms the foundation of everything else. You cannot write an accurate privacy policy, respond to data subject requests, or identify compliance gaps without knowing what data you hold.
2. Establish a legal basis for each processing activity
Article 6 of the GDPR requires a valid legal basis for every instance of personal data processing. The six legal bases are:
- Consent: The individual has given clear, affirmative consent for a specific purpose
- Contract: Processing is necessary to fulfill a contract with the individual
- Legal obligation: Processing is required by law (tax records, employment law)
- Vital interests: Processing is necessary to protect someone's life
- Public task: Processing is necessary for a task carried out in the public interest
- Legitimate interests: Processing is necessary for your legitimate business interests, balanced against the individual's rights
Most small businesses rely primarily on contract (processing orders, delivering services), legal obligation (tax and employment records), consent (email marketing, cookies), and legitimate interests (fraud prevention, basic analytics). Document which basis applies to each processing activity from your data audit.
3. Create or update your privacy policy
A GDPR-compliant privacy policy must include specific information listed in Articles 13 and 14. At minimum, your policy should state:
- Your identity and contact details as the data controller
- What personal data you collect and the purposes for processing
- The legal basis for each processing activity
- Who you share data with (payment processors, email providers, analytics tools)
- Whether data is transferred outside the EEA, and the safeguards in place
- Data retention periods for each category of data
- Individual rights (access, rectification, erasure, portability, objection, restriction)
- How to lodge a complaint with a supervisory authority
- Whether you use automated decision-making or profiling
Writing a privacy policy from scratch is one of the more time-consuming compliance tasks. A privacy policy generator can help you build a structured, legally informed policy by walking you through each required section based on your specific business activities.
4. Implement proper consent mechanisms
Where consent is your legal basis, it must meet the GDPR's strict standard under Articles 4(11) and 7:
- Freely given: No pre-ticked boxes, no bundled consent, no penalties for refusing
- Specific: Separate consent for separate purposes (marketing vs. analytics)
- Informed: Clear explanation of what the person is consenting to
- Unambiguous: Requires a clear affirmative action (opt-in, not opt-out)
For website cookies, this means displaying a consent banner that blocks non-essential cookies until the visitor makes a choice. For email marketing, it means using a clear opt-in checkbox (not pre-checked) with a statement explaining what subscribers will receive.
5. Set up processes for data subject requests
Articles 15 through 22 of the GDPR grant individuals several rights that your business must be able to fulfill within one month of receiving a request:
- Right of access (Article 15): Provide a copy of all personal data you hold about the individual
- Right to rectification (Article 16): Correct inaccurate data upon request
- Right to erasure (Article 17): Delete personal data when there is no compelling reason to continue processing it
- Right to data portability (Article 20): Provide data in a commonly used, machine-readable format
- Right to object (Article 21): Stop processing based on legitimate interests if the individual objects
For a small business, this does not require automated systems. A documented process, such as a shared document outlining where to find each type of data and the steps to export or delete it, is sufficient. The important thing is that you can respond within the one-month deadline.
GDPR Penalties for Small Businesses
The GDPR's penalty framework under Article 83 applies to all organizations regardless of size. Maximum fines are structured in two tiers:
- Lower tier (Article 83(4)): Up to 10 million EUR or 2% of annual global turnover for violations of obligations like maintaining records, data protection by design, or breach notification
- Upper tier (Article 83(5)): Up to 20 million EUR or 4% of annual global turnover for violations of core principles, lawfulness of processing, consent conditions, or data subject rights
For small businesses, the "whichever is higher" clause means the fixed amounts typically apply rather than the percentage, since 4% of a small business's turnover would be far less than 20 million EUR. In practice, regulators exercise discretion. Fines against small businesses tend to range from 1,000 to 50,000 EUR, depending on the severity and whether the business cooperated with the investigation.
However, the reputational damage, lost customer trust, and cost of remediation often exceed the fine itself. Several small businesses across Europe have received fines specifically for:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Sending marketing emails without valid consent
- Failing to respond to data subject access requests within the one-month deadline
- Not having a privacy policy, or having one that omits required information
- Continuing to process data after an individual withdrew consent
GDPR for Small Business Websites
If your small business has a website, there are specific technical and legal requirements to address.
Cookie compliance
The ePrivacy Directive (Directive 2002/58/EC), working alongside the GDPR, requires consent before placing non-essential cookies. This means your website needs a cookie consent mechanism that:
- Blocks analytics, marketing, and social media cookies until consent is given
- Provides granular options (accept all, reject all, or choose by category)
- Does not use dark patterns like hiding the reject button or using confusing language
- Records and stores consent as proof of compliance
- Allows visitors to withdraw consent as easily as they gave it
A cookie consent banner (also called a Consent Management Platform, or CMP) handles this. You also need a separate cookie policy that lists every cookie your site uses, its purpose, its provider, and its expiration.
Web forms and data collection
Every form on your website that collects personal data needs:
- A clear statement of purpose (why you are collecting this data)
- A link to your privacy policy
- An opt-in checkbox for marketing communications (if applicable)
- Appropriate security measures (HTTPS, encrypted transmission)
Third-party services
Review every third-party tool integrated into your website. Each one that processes personal data on your behalf is a data processor under Article 28 of the GDPR, and you need a Data Processing Agreement (DPA) with them. Common small business tools that require DPAs include:
- Email marketing platforms (Mailchimp, ConvertKit, Brevo)
- Analytics tools (Google Analytics, Hotjar, Mixpanel)
- Payment processors (Stripe, PayPal, Square)
- CRM systems (HubSpot, Salesforce, Zoho)
- Hosting providers and CDNs
Most major SaaS providers publish their DPA on their website. Download and countersign them, or confirm they are incorporated into the terms of service.
Data Breach Notification Requirements
Under Articles 33 and 34 of the GDPR, small businesses must have a process for handling personal data breaches. A breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
When a breach occurs:
- Notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights (Article 33)
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- Document the breach internally, including the facts, effects, and remedial actions taken (Article 33(5))
For small businesses, the most common breaches involve stolen laptops, compromised email accounts, misdirected emails containing personal data, and ransomware attacks. Having a simple breach response plan that identifies who is responsible, what data is at risk, and how to contact the relevant supervisory authority will prepare you to meet the 72-hour reporting deadline.
International Transfers and Small Businesses
If your small business uses cloud services, email providers, or analytics tools headquartered outside the EEA, you are likely transferring personal data internationally. Chapter V of the GDPR (Articles 44 through 49) restricts transfers of personal data to countries outside the EEA unless adequate safeguards are in place.
The most common transfer mechanisms for small businesses are:
- Adequacy decisions: The European Commission has recognized certain countries (including the United States under the EU-U.S. Data Privacy Framework) as providing adequate protection. Transfers to these countries require no additional safeguards.
- Standard Contractual Clauses (SCCs): Pre-approved contract terms adopted by the Commission that both parties sign. Most major SaaS providers include these in their DPAs.
- Binding Corporate Rules: Relevant for multinational groups but rarely used by small businesses.
Check whether each of your data processors has a valid transfer mechanism in place. For U.S.-based services, verify whether they are certified under the EU-U.S. Data Privacy Framework.
Common GDPR Mistakes Small Businesses Make
Understanding what goes wrong most often helps you avoid the same pitfalls. These are the compliance failures regulators encounter repeatedly with small businesses.
- No privacy policy, or a copy-pasted one that does not reflect actual practices. Your privacy policy must accurately describe your specific data processing. Using another company's policy or a generic template without customization violates Articles 13 and 14.
- Treating consent as a formality. Pre-ticked checkboxes, implied consent from continued browsing, and bundling marketing consent with terms of service all fail to meet the GDPR's consent standard.
- Ignoring data subject requests. When a customer asks for their data or asks you to delete it, you have one month to respond. Ignoring these requests is a common trigger for complaints to supervisory authorities.
- No data processing agreements with third parties. Using a cloud service, email platform, or analytics tool without a DPA in place is a violation of Article 28, even if the provider is well-known and trusted.
- Keeping data indefinitely. The GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept only as long as necessary. Define retention periods and delete data when those periods expire.
- Assuming GDPR does not apply because you are small. Size does not determine applicability. Processing personal data of EEA individuals does.
An automated compliance scanner, like the one offered by TermsBox, can identify many of these issues by analyzing your website for cookies, trackers, and missing policy information, giving you a concrete list of what needs fixing.
Frequently Asked Questions
Does the GDPR apply to small businesses?
Yes. The GDPR applies to any organization that processes personal data of individuals in the European Economic Area, regardless of the organization's size, revenue, or location. A sole trader in the UK selling handmade goods to EU customers is subject to the same regulation as a multinational corporation. The only exception is purely personal or household activity, such as maintaining a personal address book.
What are the GDPR penalties for small businesses?
Small businesses face the same maximum penalties as large companies: up to 20 million EUR or 4% of annual global turnover, whichever is higher, for the most serious infringements under Article 83(5). In practice, regulators consider factors like the size of the business, the nature of the violation, and whether the business cooperated. Fines against small businesses are typically proportionate, ranging from a few thousand to tens of thousands of euros, but they can still be devastating for a small operation.
Do small businesses need a Data Protection Officer?
Most small businesses do not need to appoint a Data Protection Officer (DPO). Under Article 37 of the GDPR, a DPO is required only when the organization's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data such as health records or biometric data. A typical small business, like a local retailer or consultancy, does not meet these thresholds.
What is the easiest way for a small business to start GDPR compliance?
Start with three steps: first, audit what personal data you collect and where you store it. Second, create a privacy policy that explains your data processing in plain language, including your legal basis, data retention periods, and how individuals can exercise their rights. Third, review your consent mechanisms to confirm they meet GDPR standards, particularly for email marketing and website cookies. These three steps address the most common compliance gaps regulators look for.