GDPR for Small Businesses: A Plain-English Guide to EU Data Privacy

A practical GDPR guide for small businesses. Learn who it applies to, what rights EU residents have, and exactly what your business must do to comply.

Last updated: 2026-02-08

Your SaaS app just got its first paying customer in Berlin. Great news -- except now you are subject to one of the most comprehensive data privacy laws on the planet. The General Data Protection Regulation does not care that you are a 12-person startup in Denver or a solo Shopify merchant in Toronto. If you collect data from people in the European Union, the GDPR applies to you. And unlike most U.S. state laws, there is no revenue threshold, no minimum number of users, and no small-business exemption. This guide explains what the GDPR actually requires, which rights your EU users have, and what concrete steps a small business needs to take.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the General Data Protection Regulation (EU) 2016/679, as of the date of publication.

Does This Law Apply to Your Business?

The GDPR applies to your business if either of these is true (GDPR Article 3):

You are established in the EU or EEA. If your business has any presence in the European Union -- an office, an employee, a registered subsidiary -- the GDPR applies to all personal data you process in connection with that establishment. The European Economic Area (EEA) extends coverage to Norway, Iceland, and Liechtenstein as well.

You offer goods or services to people in the EU, or you monitor their behavior. This is the provision that catches businesses outside Europe. You do not need a physical presence. If your website accepts orders from France, displays prices in euros, translates content into German, or runs analytics on visitors from EU countries, you likely fall under the GDPR's reach.

There is no size threshold. A two-person online shop selling candles to customers in Ireland is subject to the same regulation as Amazon. The obligations scale somewhat -- you probably do not need a Data Protection Officer if you are a 15-person agency -- but the law itself applies equally.

Here is a practical test. Ask yourself these questions:

  • Do you ship products to EU countries?
  • Does your website have an EU country code top-level domain (.de, .fr, .nl)?
  • Do you accept payment in euros?
  • Do you run advertising campaigns targeting EU audiences?
  • Do EU residents create accounts on your platform?

If you answered yes to any of these, assume the GDPR applies. For a deeper analysis, see our guide on whether GDPR applies to small businesses.

Extraterritorial reach is the key concept. The GDPR follows the data subject, not the business. A marketing agency in Chicago that builds email lists of European prospects is processing EU personal data and is subject to the regulation.

What Rights Do Consumers Have?

The GDPR grants individuals (called "data subjects") eight distinct rights over their personal data. When someone exercises one of these rights, it triggers a Data Subject Access Request (DSAR) or similar request that you must respond to within 30 calendar days (GDPR Article 12(3)), extendable by two additional months for complex requests.

Right of Access (Article 15). Data subjects can request a copy of all personal data you hold about them, along with details about how and why you process it. This is the most common type of DSAR.

Right to Rectification (Article 16). If someone's data is inaccurate or incomplete, they can ask you to correct it. You must do so without undue delay.

Right to Erasure -- "Right to Be Forgotten" (Article 17). Data subjects can ask you to delete their personal data in specific circumstances, such as when the data is no longer necessary for the purpose it was collected or when they withdraw consent. This right is not absolute -- you can retain data required by legal obligations. See our right to erasure guide for details.

Right to Restrict Processing (Article 18). Data subjects can ask you to stop using their data while a dispute about accuracy or lawfulness is being resolved, without deleting the data entirely.

Right to Data Portability (Article 20). Data subjects can request their data in a structured, commonly used, machine-readable format so they can transfer it to another service. This only applies to data processed by automated means based on consent or a contract.

Right to Object (Article 21). Data subjects can object to processing based on legitimate interest or for direct marketing. If someone objects to direct marketing, you must stop immediately. No exceptions.

Rights Related to Automated Decision-Making (Article 22). Data subjects have the right not to be subject to decisions made solely by automated processing, including profiling, that produce legal or significantly similar effects. If you use algorithms to make decisions about people, they can request human review.

Right                            | GDPR Article | Key Detail
Access                           | Art. 15      | Copy of all personal data plus processing details
Rectification                    | Art. 16      | Correct inaccurate or incomplete data without undue delay
Erasure (Right to Be Forgotten)  | Art. 17      | Delete data when no longer necessary or consent withdrawn
Restrict Processing              | Art. 18      | Pause processing during disputes without deleting
Data Portability                 | Art. 20      | Provide data in machine-readable format for transfer
Object                           | Art. 21      | Object to processing; mandatory stop for direct marketing
Automated Decision-Making        | Art. 22      | Right to human review of solely automated decisions

What Your Business Must Do

Establish a lawful basis for processing. Before you collect any personal data, you need a legal reason for doing so (GDPR Article 6). There are six lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interest. Most small businesses rely on consent (for marketing emails and analytics cookies), contract (for fulfilling orders), and legitimate interest (for fraud prevention and internal analytics). You must decide and document which basis applies to each processing activity before you begin.

Write a real privacy policy. Your privacy notice must explain in plain language who you are, what data you collect, why you collect it, which lawful basis you rely on, who you share data with, how long you keep it, whether you transfer data outside the EU/EEA, and what rights data subjects have (GDPR Articles 13 and 14). Do not copy a template without customizing it. Your policy must reflect what your business actually does.

Implement cookie consent properly. If your website uses non-essential cookies -- including Google Analytics, Meta Pixel, or any advertising tracker -- you must obtain active, informed consent before loading them (GDPR Article 6(1)(a) combined with the ePrivacy Directive). This means a cookie banner that blocks non-essential cookies by default, provides granular options, and makes it as easy to reject as to accept. Pre-checked boxes do not count.
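The consent-gating logic described above, as an added example that is not code from the original article: every non-essential category starts unchecked, "reject all" is a single action just like "accept all", and a tag only loads once its category has been affirmatively opted in. The tag registry, the category names and the script URLs are constructed placeholders; the DOM wiring at the end is guarded so the decision logic also runs outside a browser.

```javascript
// Added example (not from the original article): consent-gated loading of
// non-essential tags. Nothing tagged as non-essential runs until the visitor
// has actively opted in to its category; "reject all" is one action, the
// same as "accept all"; and every category starts unchecked.

// Constructed registry of the tags this hypothetical site uses. The URLs are
// placeholders, not real vendor endpoints.
const TAG_REGISTRY = [
  { id: 'session',   category: 'essential', src: '/js/session.js' },
  { id: 'analytics', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads',       category: 'marketing', src: 'https://ads.example/pixel.js' },
];

const NON_ESSENTIAL = ['analytics', 'marketing'];
const CONSENT_VERSION = 1; // bump when categories change so old choices are re-prompted

// Default state: no opt-in for any non-essential category (no pre-checked boxes).
function defaultConsent() {
  const state = { decided: false };
  for (const c of NON_ESSENTIAL) state[c] = false;
  return state;
}

// Record an explicit choice. `choices` maps category -> boolean; anything
// omitted or not strictly `true` stays false, so a missing or malformed
// value can never grant consent.
function recordChoice(choices) {
  const state = defaultConsent();
  state.decided = true;
  for (const c of NON_ESSENTIAL) state[c] = choices[c] === true;
  return state;
}

const acceptAll = () => recordChoice(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true])));
const rejectAll = () => recordChoice({});

// Which tags may load under a given consent state. Essential tags always
// load; every other category needs an affirmative true.
function permittedTags(consent, registry = TAG_REGISTRY) {
  return registry
    .filter(t => t.category === 'essential' || consent[t.category] === true)
    .map(t => t.id);
}

// Persisted form (e.g. a first-party cookie or localStorage value).
function serialiseConsent(consent) {
  return JSON.stringify({ v: CONSENT_VERSION, ...consent });
}

// Reading it back: a corrupt, tampered, stale-version or undecided record
// falls back to "no consent", never to "consent".
function parseConsent(raw) {
  if (typeof raw !== 'string') return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || parsed.v !== CONSENT_VERSION || parsed.decided !== true) return defaultConsent();
    return recordChoice(parsed); // re-validates each category to a strict boolean
  } catch (e) {
    return defaultConsent();
  }
}

// Browser wiring: inject only the permitted tags, once each. Guarded so the
// logic above can also run in Node. Returns the ids that were permitted.
function injectPermitted(consent, doc = (typeof document !== 'undefined' ? document : null)) {
  const ids = permittedTags(consent);
  if (!doc) return ids;
  for (const tag of TAG_REGISTRY) {
    if (!ids.includes(tag.id) || doc.getElementById('tag-' + tag.id)) continue;
    const s = doc.createElement('script');
    s.id = 'tag-' + tag.id;
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return ids;
}
```

On a real page you would call `injectPermitted(parseConsent(storedValue))` on load, and wire the banner's "accept all", "reject all" and per-category buttons to `acceptAll`, `rejectAll` and `recordChoice`, storing the result with `serialiseConsent` and then calling `injectPermitted` again. The point of the strict `=== true` checks is that a bug or a tampered cookie degrades to fewer tags loading, never more.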

Create a Record of Processing Activities (ROPA). GDPR Article 30 requires you to maintain a register of your processing activities: what data you process, why, the lawful basis, retention periods, security measures, and any transfers outside the EU. Organizations under 250 employees are technically exempt unless the processing is not occasional, involves special category data, or poses a risk to rights -- which covers most businesses in practice. Just do the ROPA.

Set up DSAR handling. You need a clear process for receiving, verifying, and responding to data subject requests. Provide a contact method (email address, web form) and designate someone to manage requests. You have 30 calendar days to respond (GDPR Article 12(3)). Track requests, verify identity, retrieve or delete the data, and document your response. For small teams, a spreadsheet tracker and a written process document are a solid starting point.

Sign Data Processing Agreements (DPAs). Every third-party service that processes personal data on your behalf -- your email provider, CRM, hosting service, analytics platform, payment processor -- must have a DPA in place (GDPR Article 28). Most reputable SaaS providers have DPAs available on their legal pages. If a vendor refuses or does not have one, find a different vendor.

Assess international data transfers. If you transfer personal data outside the EU/EEA (for example, to servers in the U.S.), you need a legal mechanism to do so. Standard Contractual Clauses (SCCs) are the most common approach after the Schrems II decision invalidated the EU-U.S. Privacy Shield. The EU-U.S. Data Privacy Framework, adopted in July 2023, provides a new mechanism for transfers to certified U.S. companies, but its long-term viability is uncertain.

Train your staff. Every employee who handles personal data needs to understand what it is, how to handle it, how to recognize a DSAR, how to spot a potential data breach, and basic security practices. An annual one-hour session covers most small businesses.

How Is It Enforced?

Each EU member state has a Data Protection Authority (DPA) responsible for enforcing the GDPR. France has the CNIL, Germany has state-level DPAs, Ireland has the DPC, and so on. The European Data Protection Board (EDPB) coordinates enforcement across member states.

Maximum penalties are EUR 20 million or 4% of global annual revenue, whichever is higher (GDPR Article 83). In practice, fines vary widely. Meta received a EUR 1.2 billion fine from the Irish DPC in 2023 for unlawful data transfers to the U.S. Amazon was fined EUR 746 million by Luxembourg's CNPD in 2021 for targeted advertising practices. But smaller fines are common too -- a Spanish gym was fined EUR 10,000 for using fingerprint scanners without proper consent.

Data subjects also have a private right of action (GDPR Article 82). Individuals who suffer material or non-material damage from a GDPR violation can sue for compensation. This has led to a growing number of individual and class-action lawsuits across Europe.

The most common enforcement triggers for small businesses are complaints from individuals filed with DPAs and data breach notifications that reveal inadequate security practices. DPAs generally treat businesses that made genuine compliance efforts more favorably than those that ignored the law entirely.

How This Compares to Other Privacy Laws

The GDPR is the benchmark against which most other privacy laws are measured. Here is how it compares to the CCPA/CPRA and the UK GDPR:

Feature                  | GDPR (EU)                                   | CCPA/CPRA (CA)                                     | UK GDPR
Scope                    | Any business processing EU residents' data  | For-profit businesses meeting thresholds           | Any business processing UK residents' data
Size threshold           | None                                        | $26.625M revenue or 100K consumers                 | None
Consent model            | Opt-in (consent before collection)          | Opt-out (collect, then consumer can stop)          | Opt-in (mirrors EU GDPR)
Cookie consent           | Required before non-essential cookies       | No banner required, but 'Do Not Sell' link needed  | Required before non-essential cookies
Response deadline        | 30 days (extendable by 2 months)            | 45 days (extendable by 45 days)                    | 30 days (extendable by 2 months)
Max penalty              | EUR 20M or 4% global revenue                | $7,500 per violation                               | GBP 17.5M or 4% global revenue
Private right of action  | Yes (Article 82)                            | Yes (data breaches only)                           | Yes
Enforcement body         | DPAs in each member state                   | CPPA + AG                                          | ICO

The most significant difference between the GDPR and U.S. state laws is the consent model. The GDPR is opt-in: you need a lawful basis (often consent) before collecting data. The CCPA is opt-out: you can collect data, and consumers can tell you to stop. The UK GDPR closely mirrors the EU version but is enforced by the ICO and uses British pounds for penalties. If you comply with the EU GDPR, you are most of the way there for UK compliance, but you need a separate legal basis for UK data transfers and should check for any divergences introduced by UK-specific legislation.

Action Checklist for Small Businesses

  1. Determine whether the GDPR applies. If you have EU customers, EU website visitors you track, or EU-based employees, assume it does.

  2. Map your data processing activities. Document every category of personal data you collect, the lawful basis for each, the retention period, and any third parties you share with.

  3. Write or update your privacy policy. Make sure it covers all GDPR-required disclosures in plain language.

  4. Fix your cookie consent. Block non-essential cookies until active consent is given. Make the reject option as prominent as accept.

  5. Create your ROPA. Build a processing activity register, even if you think you are exempt. It is the most useful compliance document you will create.

  6. Set up DSAR handling. Designate someone to manage requests, create a tracking system, and document your process. Aim to respond within 30 days.

  7. Get DPAs from your vendors. Check every SaaS tool that processes personal data on your behalf and ensure a Data Processing Agreement is in place.

  8. Assess cross-border data transfers. If data moves outside the EU/EEA, implement Standard Contractual Clauses or verify your U.S. provider is certified under the EU-U.S. Data Privacy Framework.

  9. Set up breach notification procedures. Know your supervisory authority, prepare a breach notification template, and establish an internal escalation process. You have 72 hours to notify the DPA after becoming aware of a qualifying breach (GDPR Article 33).

  10. Train your team. Run an annual training session covering personal data handling, DSAR recognition, and breach reporting.
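The two clocks the checklist asks you to track, the 30-day DSAR response window from step 6 (with the two-month extension mentioned earlier) and the 72-hour breach notification window from step 9, as an added example that is not part of the original article. The request records are constructed sample data; the status labels are an assumption of how a small team's tracker might categorise open requests. Dates are handled in UTC so the result does not depend on the machine's time zone.

```javascript
// Added example (not from the original article): deadline tracking for
// DSARs and breach notifications, using the windows the article states.
const DSAR_DAYS = 30;             // response window stated in the article (Article 12(3))
const DSAR_EXTENSION_MONTHS = 2;  // extension for complex requests
const BREACH_HOURS = 72;          // notification window after becoming aware (Article 33)
const DUE_SOON_DAYS = 5;          // assumption: when to start chasing internally

function addDaysUtc(date, days) {
  const d = new Date(date.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d;
}

// Month arithmetic that clamps to the last day of the target month, so
// "two months after 31 December" is 28/29 February, not 3 March.
function addMonthsUtc(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Calendar date (YYYY-MM-DD) by which a DSAR must be answered.
function dsarDeadline(receivedIso, extended = false) {
  const base = addDaysUtc(new Date(receivedIso), DSAR_DAYS);
  const due = extended ? addMonthsUtc(base, DSAR_EXTENSION_MONTHS) : base;
  return due.toISOString().slice(0, 10);
}

// Status of one tracker row at a given moment. A request whose identity
// check is still pending is surfaced separately so it is not forgotten.
function requestStatus(req, nowIso) {
  if (req.closed) return 'closed';
  if (!req.identityVerified) return 'awaiting-identity-check';
  const now = new Date(nowIso);
  const due = new Date(dsarDeadline(req.received, req.extended) + 'T23:59:59Z');
  if (now > due) return 'overdue';
  const daysLeft = Math.floor((due - now) / 86400000);
  return daysLeft <= DUE_SOON_DAYS ? 'due-soon' : 'open';
}

// ISO timestamp by which the supervisory authority must be notified.
function breachNotificationDeadline(awareIso) {
  return new Date(new Date(awareIso).getTime() + BREACH_HOURS * 3600 * 1000).toISOString();
}

function breachNotificationOverdue(awareIso, nowIso) {
  return new Date(nowIso) > new Date(breachNotificationDeadline(awareIso));
}

// Constructed sample register (not real requests).
const SAMPLE_REGISTER = [
  { id: 'DSAR-001', received: '2026-01-15', identityVerified: true,  extended: false, closed: false },
  { id: 'DSAR-002', received: '2026-01-20', identityVerified: false, extended: false, closed: false },
  { id: 'DSAR-003', received: '2025-12-01', identityVerified: true,  extended: true,  closed: false },
];

// One line per request, suitable for a daily reminder.
function dailyReport(register, nowIso) {
  return register.map(r => `${r.id} due ${dsarDeadline(r.received, r.extended)}: ${requestStatus(r, nowIso)}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(dailyReport(SAMPLE_REGISTER, new Date().toISOString()).join('\n'));
}
```

The tracker deliberately keeps an unverified request visible rather than pausing its clock: the article's 30-day window is the figure to plan around, and identity checks should be completed early inside it, not used as a reason to let it slip.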

Key Dates

  • April 14, 2016: GDPR adopted by the European Parliament.
  • May 25, 2018: GDPR took effect and became enforceable.
  • July 16, 2020: Schrems II decision invalidated the EU-U.S. Privacy Shield.
  • June 4, 2021: European Commission adopted updated Standard Contractual Clauses.
  • July 10, 2023: European Commission adopted the EU-U.S. Data Privacy Framework adequacy decision.

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the regulation and consult qualified legal counsel before making compliance decisions for your business.


Doing business internationally? Download our free GDPR Compliance Guide for a practical framework tailored to small businesses navigating EU data privacy requirements.