
GDPR Compliance for Small Business: A 30-Day Plan

Last updated June 2026 · 9 min read

Quick Answer

GDPR applies to small businesses with no size exemption: any company processing the personal data of people in the EU or UK must comply. The practical core for an SME is a short list — a privacy notice, a data inventory, a lawful basis for each activity, vendor data processing agreements, and procedures for breaches and data subject requests. A focused team can reach a defensible baseline in about 30 days.

Yes, GDPR Applies to You

One of the most common — and most expensive — misconceptions among small business owners is that GDPR is a big-company problem. It is not. The General Data Protection Regulation applies to any organisation that processes the personal data of individuals in the EU or UK, whether you are a 200-person agency or a one-person consultancy. The only meaningful concession for smaller firms is that organisations with fewer than 250 employees are relieved of the full records of processing obligation — but even that relief evaporates if your processing is regular, risky, or involves sensitive data, which covers most businesses in practice.

The good news: compliance for a small business is genuinely achievable without a legal department. What you need is structure, not size.

The Seven Principles, in Plain English

Everything in GDPR flows from seven principles in Article 5. Lawfulness, fairness and transparency means you need a legal reason to process data and you must be open about it. Purpose limitation means you collect data for a specific reason and do not quietly repurpose it. Data minimisation means you only collect what you actually need. Accuracy means you keep data correct and up to date. Storage limitation means you delete data when it is no longer needed. Integrity and confidentiality means you keep it secure. And accountability means you can prove all of the above — which is why documentation matters so much.

Pick a Lawful Basis Before You Process

Before processing any personal data, you must identify one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For a typical small business, fulfilling an order runs on contract, sending an invoice to meet tax law runs on legal obligation, and analysing customer behaviour to improve your service often runs on legitimate interests (after a balancing test). Reserve consent for marketing emails and non-essential cookies, where it is usually required. Write your chosen basis down for each activity — that register is the backbone of accountability.

The Documents You Actually Need

Ignore the 200-page templates. A compliant small business runs on a compact set of documents:

  • Privacy notice — tells customers and website visitors what you collect, why, your lawful basis, retention, and their rights.
  • Record of processing / data inventory — a simple table of what data you hold, where it lives, who it is shared with, and how long you keep it.
  • Lawful-basis register — the basis for each processing activity.
  • Data subject request procedure — how you handle access, deletion, and correction requests within one month.
  • Breach response procedure — how you detect, contain, and (within 72 hours) report a reportable breach to your supervisory authority.
  • Data processing agreements (DPAs) — Article 28 contracts with every vendor that handles personal data for you, from your email provider to your accountant. See our DPA guide.
  • Retention schedule — when each data category gets deleted.

A Practical 30-Day Plan

Week 1 — Map. Walk through your business and list every place personal data enters: website forms, your CRM, email, payment processor, payroll, support tickets. Build the data inventory. You cannot protect what you have not mapped.

Week 2 — Justify. For each activity in your inventory, assign a lawful basis and a retention period. Flag anything involving special-category data (health, biometrics, ethnicity, etc.) for extra care. Fix obvious over-collection now.

Week 3 — Document and contract. Publish your privacy notice, write your breach and request procedures, and send DPAs to every vendor that touches personal data. Configure cookie consent on your website if you use non-essential cookies or analytics.

Week 4 — Secure and train. Turn on the basics: strong access controls, encryption in transit and at rest, multi-factor authentication, and backups. Brief your team on how to spot a breach and what to do with a data subject request. Then schedule a quarterly review so this does not rot.
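As an added illustration of Weeks 1 to 4 (example code, not GeraCompliance's own tooling), here is a small Python model of the data inventory and lawful-basis register that flags the gaps the plan tells you to fix, together with the two statutory clocks the procedures depend on: 72 hours for breach reporting and one month for data subject requests. The register rows, vendor names and signed-DPA list are constructed; the one-month rule is implemented as the same calendar day next month, clamped to that month's length, which is an assumption about how you count it.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
# Article 6 lawful bases and Article 9 special categories (GDPR).
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}
SPECIAL_CATEGORY = {"health", "biometrics", "ethnicity", "genetics", "religion",
                    "political opinions", "trade union", "sexual orientation"}

@dataclass
class Activity:                   # one row of the data inventory / lawful-basis register
    name: str
    data_fields: list             # categories of personal data held
    shared_with: list             # processors receiving it; each needs an Article 28 DPA
    lawful_basis: str
    retention_days: int           # 0 = no retention period decided yet
    balancing_test: bool = False  # documented test, required for legitimate interests

def review(a: Activity, dpa_signed: set) -> list:
    """Return the gaps a Week 2/3 reviewer would flag for one register row."""
    gaps = []
    if a.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"'{a.lawful_basis}' is not one of the six lawful bases")
    elif a.lawful_basis == "legitimate interests" and not a.balancing_test:
        gaps.append("legitimate interests claimed without a documented balancing test")
    if special := SPECIAL_CATEGORY & set(a.data_fields):
        gaps.append(f"special-category data needs extra care: {sorted(special)}")
    gaps += [f"no DPA on file for processor '{v}'" for v in a.shared_with if v not in dpa_signed]
    if a.retention_days <= 0:
        gaps.append("no retention period set; data would be kept indefinitely")
    return gaps

def breach_report_deadline(detected: datetime) -> datetime:
    return detected + timedelta(hours=72)  # Article 33: report within 72 hours of awareness

def dsar_deadline(received: date) -> date:
    """Article 12: answer within one month; same day next month, clamped to month length."""
    y, m = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(y, m, min(received.day, calendar.monthrange(y, m)[1]))

# Constructed sample register for a small web shop; activities and vendors are invented.
REGISTER = [
    Activity("Order fulfilment", ["name", "address", "email"], ["ShopCart", "Courier Co"], "contract", 2555),
    Activity("Newsletter", ["email"], ["MailBlast"], "consent", 730),
    Activity("Job applications", ["name", "cv", "health"], ["Accountant Ltd"], "legitimate interests", 0),
]
DPAS_SIGNED = {"ShopCart", "Courier Co", "MailBlast"}

def audit(register=REGISTER, dpas=DPAS_SIGNED) -> dict:   # activity name -> gap list ([] = defensible)
    return {a.name: review(a, dpas) for a in register}
```

Running `audit()` on the sample register returns empty lists for the two well-documented activities and four gaps for the job-applications row, which is exactly the kind of row Week 2 is meant to surface.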

Where AI and GDPR Overlap

If your small business uses AI — for marketing, hiring, credit decisions, or chatbots — you may have obligations under both GDPR and the EU AI Act. Automated decisions with legal or similarly significant effects trigger Article 22 GDPR rights, and high-risk AI uses (like CV screening) carry separate AI Act duties. Treat the two regimes together to avoid duplicating work.

GeraCompliance gives small businesses the ready-to-use GDPR templates for every document above, and our penalty calculator shows where your exposure sits. Need it done for you? The GDPR sprint delivers a complete document set in days.

Frequently Asked Questions

Does GDPR apply to small businesses?

Yes. GDPR applies to any organisation that processes the personal data of people in the EU or UK, regardless of size — there is no small-business exemption. A sole trader emailing a customer list is in scope. The only size-related relief is that organisations with fewer than 250 employees are exempt from keeping full records of processing activities, unless the processing is not occasional, is likely to result in a risk to individuals, or includes special-category data.

What are the seven principles of GDPR?

The seven principles in Article 5 are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The last principle means you must not only comply but be able to demonstrate compliance with documentation.

Do small businesses need a Data Protection Officer (DPO)?

Most small businesses do not. A DPO is mandatory only if you are a public authority, your core activities involve large-scale regular and systematic monitoring of individuals, or your core activities involve large-scale processing of special-category or criminal data. Many SMEs appoint a non-mandatory "data protection lead" instead, which is good practice without the formal obligations.

What is a lawful basis under GDPR?

A lawful basis is the legal justification for processing personal data. There are six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must identify and document a lawful basis for each processing activity before you start. For most small businesses, contract and legitimate interests cover the majority of routine processing, with consent reserved for things like marketing emails.

How much can a small business be fined under GDPR?

GDPR fines can reach €20 million or 4% of global annual turnover (whichever is higher) for the most serious breaches, and €10 million or 2% for lesser ones. In practice, regulators consider the size and resources of the business and rarely issue maximum fines to small companies, but enforcement notices, mandatory audits, and reputational harm are real risks even when no fine is levied.

What documents does a small business need for GDPR?

At minimum: a privacy notice for customers and website visitors, a record of processing activities (a simple data inventory), a lawful-basis register, a data breach response procedure, a data subject request procedure, and data processing agreements with any vendors that handle personal data on your behalf. A retention schedule and a basic security policy round out the core set.

Start your GDPR baseline today

Grab the free SME-ready templates, or let our sprint deliver your full GDPR document set in 5–15 business days.
