Does GDPR Apply to Small Businesses? Exemptions Explained
There is no small business exemption from GDPR. But there are reduced obligations for companies under 250 employees. Here is an honest breakdown of what applies to you and what does not.
Last updated: 2026-02-07
You have probably seen headlines about GDPR fines in the hundreds of millions of euros. Then you look at your 12-person company and think: surely this does not apply to me?
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the General Data Protection Regulation (EU) 2016/679 (GDPR) and related guidance, as of the date of publication.
We understand the impulse. But the short answer is: yes, GDPR almost certainly applies to your small business. The slightly longer answer involves some genuinely useful nuance about reduced obligations that can save you time and money.
Let us walk through it honestly.
The Blunt Truth: There Is No Small Business Exemption
Unlike some other privacy laws -- the California Consumer Privacy Act (CCPA), for example, only applies to businesses meeting certain revenue or data-volume thresholds -- GDPR does not care how big your company is. There is no revenue floor. There is no employee count minimum. There is no "we are too small to worry about this" carve-out.
If you process personal data of people in the EU/EEA, GDPR applies to you. Period.
This catches a lot of small business owners off guard, especially those based in the United States, Canada, or other non-EU countries. The assumption is "European law, European problem." But GDPR has extraterritorial reach (GDPR Article 3) -- it follows the data subject, not the business. As Recital 14 of the GDPR makes clear, the regulation is intended to apply to natural persons "whatever their nationality or place of residence."
When GDPR Applies to Your Business
GDPR applies if either of these conditions is true:
You Are Established in the EU/EEA
"Established" does not necessarily mean incorporated. It means you have a stable arrangement through which you conduct business activities in the EU. This could be:
- A registered company in an EU/EEA country
- A branch office, even a small one
- A single employee working from an EU country
- A regular, ongoing business presence (not just a one-off transaction)
If you have any of these, GDPR applies to all personal data processing related to that EU establishment -- even if the actual data processing happens elsewhere.
You Target EU Individuals (Even from Outside the EU)
Even if your business is entirely based outside the EU, GDPR applies if you:
- Offer goods or services to people in the EU (GDPR Article 3(2)(a)). This goes beyond just having a website accessible from Europe. The test is whether you are intentionally targeting EU consumers (Recital 23). Signs include: offering prices in euros, providing delivery to EU countries, having your website in EU languages (beyond English), advertising specifically to EU audiences.
- Monitor the behavior of people in the EU (GDPR Article 3(2)(b)). If you track EU visitors' behavior on your website using cookies, analytics, or profiling tools, you are "monitoring" them under GDPR.
The "Occasional" Argument Does Not Work
Some businesses try to argue that a few EU customers here and there do not trigger GDPR. The regulation does not support this interpretation. Even occasional processing of EU personal data can bring you within scope if you are intentionally making your services available to the EU market.
That said, if a single person in Germany stumbles across your purely domestic US website and makes a purchase, and you have done nothing to target the EU market, the argument for GDPR applying is much weaker. The regulation looks at intent and systematic targeting, not accidental one-offs.
The 250-Employee Threshold: What It Actually Means
Here is where the useful nuance comes in. You have probably heard that businesses with fewer than 250 employees get some kind of break under GDPR. This is true, but it is narrower than most people think.
GDPR Article 30(5) provides a limited exemption from one specific obligation: maintaining a Record of Processing Activities (ROPA). The ROPA is a detailed register documenting every type of personal data processing your business performs. As Recital 13 notes, the regulation takes account of the specific situation of micro, small, and medium-sized enterprises, but this consideration is reflected in proportionality of implementation rather than blanket exemptions.
Under 250 employees, you are exempt from maintaining a ROPA unless:
- The processing you carry out is likely to result in a risk to the rights and freedoms of individuals
- The processing is not occasional
- The processing involves special categories of data (health data, biometric data, data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, sex life, or sexual orientation) or data relating to criminal convictions
Here is the practical reality: almost every small business meets at least one of those exceptions, particularly the "not occasional" one. If you have customers, employees, or a mailing list, your processing is not occasional. It is ongoing.
Our honest advice: Just do the ROPA. Even if you technically qualify for the exemption, a ROPA is the single most useful document for understanding your own data practices. It takes a few hours to create and makes everything else about compliance easier. Do not spend more time arguing about whether you are exempt than it would take to just do it.
What About the Other Obligations?
The 250-employee threshold only affects the ROPA requirement. Everything else in GDPR applies equally regardless of your company size:
- Privacy policy requirements -- You need one, and it needs to be comprehensive and accurate.
- Lawful basis for processing -- You need a legal basis for every type of data processing you do.
- Data subject rights -- You must respond to access requests (GDPR Article 15), deletion requests (GDPR Article 17), and other rights requests within 30 days (GDPR Article 12(3)).
- Data breach notification -- You must notify your supervisory authority within 72 hours of becoming aware of a qualifying breach (GDPR Article 33).
- Data Processing Agreements -- You need DPAs with every vendor that processes personal data on your behalf.
- Cookie consent -- You need proper consent mechanisms for non-essential cookies.
- Data protection by design and by default -- You need to consider privacy when building or buying new systems.
The only question is whether you need a formal ROPA. Everything else is the same whether you have 5 employees or 5,000.
Do You Need a Data Protection Officer?
One obligation that does scale with business size and activity is the requirement to appoint a Data Protection Officer (DPO). GDPR requires a DPO (GDPR Article 37) if:
- You are a public authority or body
- Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- Your core activities consist of processing special categories of data on a large scale
Most small businesses do not hit these thresholds. "Large scale" is not precisely defined, but a 30-person accounting firm processing client financial data is generally not considered large scale. A 20-person health-tech company processing thousands of patient records might be.
Even if you do not need a DPO, designating someone internally as your privacy lead is smart practice. They do not need to be a lawyer -- they just need to be the person who knows your data practices and can handle requests and questions.
Reduced Obligations vs. No Obligations
There is an important distinction between "reduced obligations" and "no obligations." Small businesses under GDPR have reduced obligations in a few practical ways:
Proportionality. GDPR is built on the principle of proportionality. The security measures, documentation, and processes expected of a 15-person online shop are not the same as those expected of a multinational bank. Supervisory authorities understand this.
Risk-based approach. Many GDPR requirements are calibrated to risk. If your data processing is low-risk (basic customer details for order fulfillment, standard employee records), the measures you need to take are correspondingly lower than a company processing sensitive health data or financial information at scale.
Enforcement reality. Supervisory authorities have limited resources. They tend to focus enforcement actions on large organizations, repeat offenders, and cases involving significant harm. A small business that has made genuine efforts to comply but has imperfect documentation is in a very different position from one that has done nothing.
None of this means you can ignore GDPR. It means that the effort required to comply is genuinely proportional to your size and risk profile.
How GDPR Compares to Other Privacy Laws for Small Businesses
It helps to understand where GDPR sits relative to other privacy regulations:
CCPA/CPRA (California)
The California Consumer Privacy Act (and its successor, the California Privacy Rights Act) only applies to businesses that meet specific thresholds: annual gross revenue over $25 million, buying/selling personal information of 100,000+ consumers, or deriving 50%+ of revenue from selling personal information. Most small businesses fall below these thresholds and are simply not covered.
GDPR has no such thresholds. This is the fundamental difference.
UK GDPR
After Brexit, the UK implemented its own version of GDPR (the UK GDPR) alongside the Data Protection Act 2018. It is substantively identical to EU GDPR. If you process data of UK residents, you need to comply with UK GDPR in addition to EU GDPR. The obligations are essentially the same.
US State Privacy Laws
Virginia, Colorado, Connecticut, and several other US states have passed privacy laws, but they all have applicability thresholds based on revenue or data volume. GDPR remains the outlier in applying to businesses of any size.
For more on data protection for small businesses across these different frameworks, see our comprehensive guide.
The Honest Assessment: What Should You Actually Do?
Here is our pragmatic take on GDPR compliance for small businesses:
If You Clearly Target the EU Market
You sell to EU customers, your website is available in EU languages, you ship to EU addresses, or you have EU-based employees. GDPR applies. Follow the practical compliance checklist in our GDPR for small business guide.
If You Are US-Based with Incidental EU Traffic
You are a US company with a US-focused business. You do not ship to Europe, you do not advertise there, but your website gets some EU visitors. The legal risk is low, but not zero. At minimum:
- Have a privacy policy that describes your data practices
- Set up basic cookie consent (this costs almost nothing)
- Be prepared to handle data subject requests if they come in
- Do not ignore requests from EU residents
If You Have No EU Connection Whatsoever
You are a local business serving local customers with no online presence reaching the EU. GDPR genuinely does not apply to you. You may still be subject to your country's domestic privacy laws, of course.
The Key Principle
The effort you put into GDPR compliance should be proportional to your EU exposure. A US company with 5% of revenue from EU customers needs to take it seriously but can take a pragmatic approach. A UK company selling primarily to EU customers needs to be more rigorous.
Frequently Asked Questions
Are small businesses exempt from GDPR?
No. There is no blanket small business exemption from GDPR. The regulation applies based on what you do with data and who that data belongs to, not how big your company is.
What is the 250-employee exemption?
Companies with fewer than 250 employees have a limited exemption from maintaining a formal Record of Processing Activities (ROPA). However, this exemption has exceptions that apply to most businesses, so it is often not relevant in practice.
Can I be fined as a small business?
Yes, but enforcement against small businesses tends to involve corrective orders (being told to change your practices) rather than massive fines (GDPR Article 83). Fines for small businesses, when they happen, are typically proportional to the business's size and the severity of the violation.
I am a US business. Does GDPR apply to me?
It depends on whether you intentionally target the EU market or monitor the behavior of EU residents. Simply having a website accessible from the EU is not enough on its own.
Do I need to appoint a representative in the EU?
If you are not established in the EU but GDPR applies to you (because you target EU individuals), GDPR Article 27 requires you to appoint a representative in the EU. This is someone -- a person or organization -- who acts as your point of contact for supervisory authorities and data subjects. There are services that provide this for a few hundred dollars per year.
What happens if I just ignore GDPR?
In the short term, probably nothing. In the medium term, you risk complaints from EU customers, investigation by supervisory authorities, and being unable to work with EU-based business partners who require GDPR compliance from their vendors. The risk increases as your EU exposure grows.
The Bottom Line
GDPR applies to nearly every business that interacts with EU residents, regardless of size. The reduced obligations for smaller organizations are real but narrow. The practical effort required to comply is proportional to your size and risk profile.
The businesses that handle this well are the ones that take an honest look at their data practices, put reasonable measures in place, and maintain them over time. You do not need a six-figure compliance budget. You need a few hours of focused work and the discipline to maintain good habits.
References
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 (full text)
- UK GDPR: The UK General Data Protection Regulation, as retained under the Data Protection Act 2018 (ICO guidance)
- European Data Protection Board (EDPB): official EDPB website
- Information Commissioner's Office (ICO): ICO guidance for organisations
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.