GDPR for Small Business: The Only Guide You Need
A practical, no-nonsense guide to GDPR for small businesses. Learn what the regulation actually requires, whether it applies to you, and exactly what a 10-50 person company needs to do to comply.
Last updated: 2026-02-07
If you run a small business and you have heard the acronym GDPR thrown around, you have probably experienced one of two reactions: blind panic or total indifference. Neither is helpful.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the General Data Protection Regulation (EU) 2016/679 (GDPR) and related guidance, as of the date of publication.
The General Data Protection Regulation is a European privacy law that has applied since 25 May 2018. It governs how organizations collect, store, use, share, and delete personal data belonging to people in the European Union and the wider European Economic Area (which adds Norway, Iceland, and Liechtenstein). The UK kept a near-identical copy, the UK GDPR, after leaving the EU, so almost everything below applies on both sides of the Channel.
Here is the thing most guides will not tell you straight: GDPR is not as terrifying as the consultants want you to believe, but it is not something you can ignore either. This guide cuts through the noise and tells you exactly what a small business actually needs to do.
Does GDPR Apply to Your Business?
Let us get this out of the way first. GDPR applies to your business if either of these is true:
- You are established in the EU/EEA. If your business has any kind of presence in the EU -- an office, a branch, even a single employee based there -- GDPR applies to you. Full stop.
- You offer goods or services to people in the EU, or you monitor their behavior. This is the one that catches people off guard. If you have a website that ships products to France, accepts payments in euros, or runs analytics on visitors from Germany, GDPR likely applies.
Notice what is missing from that list: the size of your business. There is no small business exemption from GDPR. A two-person online shop selling handmade candles to customers in Ireland is subject to the same regulation as Google. The obligations scale differently (more on that shortly), but the law itself applies equally.
For a deeper dive into whether your specific situation triggers GDPR obligations, see our guide on whether GDPR applies to small businesses.
What GDPR Actually Requires: The Six Lawful Bases
GDPR says you cannot process personal data unless you have a lawful basis for doing so (GDPR Article 6). "Processing" means basically anything you do with data -- collecting it, storing it, looking at it, sharing it, deleting it.
There are six lawful bases. You need at least one for every type of data processing you do:
1. Consent
The person has given you clear, affirmative permission to use their data for a specific purpose (GDPR Articles 4(11) and 7). This is what cookie banners are about (poorly, in most cases). Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Pre-ticked checkboxes do not count. Burying consent in your terms of service does not count.
When to use it: Newsletter signups, marketing emails, non-essential cookies and tracking.
2. Contract
You need to process the data to fulfill a contract with the person, or they have asked you to take steps before entering a contract. This is the most intuitive one.
When to use it: Shipping an order (you need their address), providing a service they are paying for, processing their payment.
3. Legal Obligation
You are required by law to process the data. You do not get to choose -- the law makes you do it.
When to use it: Tax records, employment law requirements, anti-money laundering checks.
4. Vital Interests
Processing is necessary to protect someone's life. This one is rarely relevant for most small businesses unless you work in healthcare or emergency services.
When to use it: Medical emergencies. That is about it for most businesses.
5. Public Task
Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This is mostly for government bodies.
When to use it: If you are a government agency. If not, move on.
6. Legitimate Interest
You have a genuine business reason to process the data, and that reason is not overridden by the person's rights and interests. This is the most flexible basis, but it requires you to do a balancing test.
When to use it: Fraud prevention, direct marketing to existing customers, internal analytics, network and information security. This is often the best basis for small businesses for many routine activities, with two caveats. First, the balancing test has to be written down (a legitimate interests assessment), not just assumed. Second, email and SMS marketing are additionally governed by the ePrivacy rules (PECR in the UK), which generally require consent or the "soft opt-in" for existing customers no matter which GDPR basis you rely on. See our startup GDPR guide for more on using legitimate interest effectively.
The key point: You need to decide which lawful basis applies before you start processing data, and you need to document your choice. You cannot retroactively pick a basis after someone complains.
The Eight Data Subject Rights
GDPR gives individuals specific rights over their personal data. As a business, you need to be prepared to handle requests related to these rights:
1. Right to Be Informed
People have the right to know what data you collect, why, on which lawful basis, how long you keep it, and who you share it with (GDPR Articles 13 and 14). This is primarily handled through your privacy policy.
2. Right of Access
People can ask you for a copy of the personal data you hold about them, together with information such as why you process it and who receives it (GDPR Article 15). This is called a Data Subject Access Request, or DSAR. You must respond without undue delay and at the latest within one month of receiving the request; for complex or numerous requests you can extend by up to two further months, but only if you tell the person within the first month (GDPR Article 12(3)).
3. Right to Rectification
If someone's data is inaccurate or incomplete, they can ask you to correct it (GDPR Article 16).
4. Right to Erasure (Right to Be Forgotten)
People can ask you to delete their personal data in certain circumstances (GDPR Article 17). This is not absolute -- there are legitimate reasons to refuse. See our detailed guide on the right to erasure for the specifics.
5. Right to Restrict Processing
People can ask you to stop using their data while a dispute is being resolved, for example while you check whether the data is accurate or whether your legitimate interest really outweighs their objection, without deleting it entirely (GDPR Article 18).
6. Right to Data Portability
People can ask you to provide the data they gave you in a structured, commonly used, machine-readable format so they can move it to another service (GDPR Article 20). This only applies to data they themselves provided, processed by automated means on the basis of consent or a contract.
7. Right to Object
People can object to their data being processed based on legitimate interest or public task, and to processing for direct marketing purposes (GDPR Article 21). If someone objects to direct marketing, you must stop. No exceptions, and no balancing test.
8. Rights Related to Automated Decision-Making
People have the right not to be subject to decisions made solely by automated processing (including profiling) that produce legal or similarly significant effects (GDPR Article 22). If you use algorithms to make such decisions about people, they can ask for human intervention, express their point of view, and contest the decision.
What You Actually Need to Do: The Practical Checklist
Here is where we stop talking about legal theory and start talking about what you need to do on Monday morning. These are the concrete steps a small business with 10 to 50 employees needs to take.
1. Get Your Privacy Policy Right
Your privacy policy is the foundation of GDPR compliance. It needs to explain, in plain language:
- Who you are (company name, contact details)
- What personal data you collect
- Why you collect it (and which lawful basis you rely on for each purpose)
- Who you share it with (including any third-party services)
- How long you keep it
- What rights people have and how to exercise them
- Whether you transfer data outside the EU/EEA
Do not copy someone else's privacy policy. Do not use a generator without reviewing the output. Your privacy policy needs to accurately reflect what your business actually does with data.
2. Sort Out Cookie Consent
If your website uses cookies beyond what is strictly necessary for the site to function, you need consent. This means:
- A cookie banner that blocks non-essential cookies until the person actively opts in
- Separate options for different categories (analytics, marketing, functional)
- An easy way to withdraw consent later
- No dark patterns: rejecting must be as easy as accepting, with a reject option on the same layer and with the same prominence as "accept all", not hidden behind a "settings" link
Strictly necessary cookies (session cookies, shopping cart cookies, security cookies, and the cookie that records the consent choice itself) do not require consent. Everything else does, including Google Analytics. Strictly speaking, the consent requirement for cookies comes from the ePrivacy Directive (Article 5(3), implemented nationally, for example as PECR in the UK) rather than from GDPR itself; GDPR then governs the personal data those cookies collect. The practical upshot is the same: no non-essential cookie is set and no non-essential script runs before the person opts in.
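What "blocked until the person actively opts in" looks like in the page itself, as an added example rather than the article's own code: non-essential scripts are registered against a category and only run once a stored, explicit choice enables that category; a refusal is recorded so the banner is not shown on every page view; withdrawal clears the record. Storage is injected (window.localStorage in a browser, a Map-backed object here) so the logic runs anywhere. The category names, the storage key, and the loader callbacks are this example's assumptions.

```javascript
// Added example, not from the original article: a per-category consent gate.
// Nothing registered as non-essential runs until a stored, explicit choice
// enables its category. Storage is injected (window.localStorage in a
// browser; a Map-backed object here) so the logic runs outside a browser too.
// Category names, the storage key and the loader callbacks are assumptions.

const CONSENT_KEY = 'cookie_consent_v1';
const OPTIONAL_CATEGORIES = ['functional', 'analytics', 'marketing'];

function createConsentManager(storage, now = () => Date.now()) {
  // Loader callbacks per category, e.g. the function that injects the
  // Google Analytics <script> element. Held here until consent exists.
  const pending = { functional: [], analytics: [], marketing: [] };
  const loaded = [];

  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === 1 && rec.choices ? rec : null;
    } catch (e) {
      return null; // corrupt value: treat as "no decision recorded"
    }
  }

  function hasConsent(category) {
    if (category === 'necessary') return true; // strictly necessary never needs consent
    const rec = readRecord();
    return rec !== null && rec.choices[category] === true;
  }

  function runPending() {
    for (const category of OPTIONAL_CATEGORIES) {
      if (!hasConsent(category)) continue;
      while (pending[category].length > 0) {
        pending[category].shift()();
        loaded.push(category);
      }
    }
  }

  function register(category, load) {
    if (!OPTIONAL_CATEGORIES.includes(category)) {
      throw new Error('unknown consent category: ' + category);
    }
    pending[category].push(load);
    runPending(); // a returning visitor with consent on record loads immediately
  }

  function saveChoices(choices) {
    // Only an explicit true enables a category; anything absent is off, so
    // there is no pre-ticked default (Recital 32).
    const normalized = {};
    for (const category of OPTIONAL_CATEGORIES) {
      normalized[category] = choices[category] === true;
    }
    storage.setItem(CONSENT_KEY, JSON.stringify({ version: 1, at: now(), choices: normalized }));
    runPending();
  }

  return {
    hasConsent,
    register,
    saveChoices,
    acceptAll: () => saveChoices({ functional: true, analytics: true, marketing: true }),
    rejectAll: () => saveChoices({}),
    // A recorded refusal is a decision too: do not re-prompt on every page view.
    needsBanner: () => readRecord() === null,
    // Withdrawal clears the record. Scripts already running keep running until
    // the next page load, and cookies a third party set on its own domain
    // cannot be cleared from here.
    withdraw: () => storage.removeItem(CONSENT_KEY),
    loadedCategories: () => loaded.slice(),
  };
}

// Minimal storage with the localStorage method names, for use outside a browser.
function memoryStorage() {
  const backing = new Map();
  return {
    getItem: (k) => (backing.has(k) ? backing.get(k) : null),
    setItem: (k, v) => { backing.set(k, String(v)); },
    removeItem: (k) => { backing.delete(k); },
  };
}

// Constructed walk-through: two tags registered, visitor enables analytics only.
function demo() {
  const cm = createConsentManager(memoryStorage());
  cm.register('analytics', () => { /* inject gtag.js here */ });
  cm.register('marketing', () => { /* inject the ad pixel here */ });
  const loadedBefore = cm.loadedCategories();   // [] : banner not yet answered
  cm.saveChoices({ analytics: true });
  const loadedAfter = cm.loadedCategories();    // ['analytics']
  return { loadedBefore, loadedAfter, marketingAllowed: cm.hasConsent('marketing') };
}
```

In a real page the analytics loader is the function that creates the gtag.js script element, so nothing from Google Analytics reaches the browser before the visitor's choice is on record. Withdrawal only stops future loads: a script already running keeps running until the next navigation, and cookies a third party set on its own domain cannot be removed by your JavaScript, so reload after withdrawal and expire the first-party cookies you do control.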
3. Create a Record of Processing Activities (ROPA)
GDPR Article 30 requires you to maintain a record of your processing activities (ROPA). This sounds intimidating, but it is basically a spreadsheet that lists:
- Each type of data processing you do
- The purpose and lawful basis
- Categories of data subjects and personal data
- Any recipients of the data
- Data transfers outside the EU/EEA
- Retention periods
- A general description of your security measures
Technically, organizations with fewer than 250 employees are exempt from this requirement (GDPR Article 30(5)) -- unless your processing is not occasional, involves special categories of data, or could pose a risk to people's rights. In practice, almost every business meets one of those exceptions. Just do the ROPA. It takes a few hours and it is the single most useful compliance document you will create.
4. Implement Data Subject Request Handling
You need a process for handling DSARs and other data subject rights requests. At minimum:
- A clear way for people to submit requests (email address, form on your website)
- An internal process for who handles them and how
- A system for verifying the identity of the requester
- The ability to actually find and export someone's data within one month, which means knowing in advance which systems, mailboxes, and backups hold personal data
- Documentation of each request and your response
This does not need to be software. A shared spreadsheet tracking requests, a designated person responsible, and a documented process is sufficient for most small businesses. As you grow, you will want to formalize this.
5. Review Your Vendor Contracts
If you use third-party services that process personal data on your behalf -- and you almost certainly do (email provider, CRM, analytics, hosting, payment processor) -- you need Data Processing Agreements (DPAs) with each of them (GDPR Article 28). You are the controller, they are your processor, and a contract containing the Article 28(3) terms is mandatory, not a nice-to-have.
Most reputable SaaS providers already have DPAs available. Check their terms of service or legal pages. If a vendor will not sign a DPA or does not have one, that is a red flag.
Key things a DPA should cover (these track Article 28(3)):
- The vendor only processes data on your documented instructions and keeps it confidential
- They implement appropriate security measures (GDPR Article 32)
- They notify you of data breaches without undue delay, so that you can meet your own 72-hour deadline
- They assist you with data subject requests and with your security and breach obligations
- They delete or return the data when the relationship ends
- They do not engage sub-processors without your prior authorization, and pass the same obligations down to them
- They give you what you need to demonstrate compliance, including the right to audit
6. Assess Whether You Need a Data Protection Officer
A Data Protection Officer (DPO) is someone responsible for overseeing your data protection strategy. GDPR requires a DPO (GDPR Article 37) if:
- You are a public authority
- Your core activities involve regular and systematic monitoring of individuals on a large scale
- Your core activities involve processing special categories of data (health, biometrics, criminal records) on a large scale
Most small businesses do not need a DPO. A 30-person e-commerce company does not qualify. A 15-person marketing agency does not qualify. A 40-person health-tech startup processing patient records probably does.
Even if you do not need a DPO, it is smart to designate someone in your organization as the point person for data protection matters.
7. Set Up Breach Notification Procedures
If you suffer a personal data breach, GDPR requires you to (GDPR Articles 33 and 34):
- Notify your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to people's rights and freedoms. If you miss the 72 hours, you must explain the delay. "Becoming aware" means having reasonable certainty that personal data has been compromised, so the clock starts at detection, not when your investigation is finished. In the UK this is the ICO; in EU/EEA countries it is the national data protection authority.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
You need a breach response plan before a breach happens. This means:
- Knowing who in your organization handles breach response
- Having contact details for your supervisory authority
- A template for breach notifications
- A process for assessing the severity of a breach
- Documentation procedures, including an internal log of every breach (facts, effects, remedial action) and the reasoning behind any decision not to notify (GDPR Article 33(5))
8. Train Your Staff
Your compliance is only as good as your team's understanding of it. Every employee who handles personal data needs to understand:
- What personal data is
- Your company's policies on handling it
- How to recognize and escalate a DSAR
- How to recognize and report a potential data breach
- Basic security practices (unique passwords in a password manager, multi-factor authentication on every work account, recognizing phishing, locking screens, not emailing spreadsheets of customer data around)
This does not need to be a week-long course. A one-hour training session with annual refreshers, plus clear written policies they can refer to, covers most small businesses.
Common Small Business Mistakes
After working with hundreds of small businesses on data protection, the same mistakes come up over and over:
Using Google Analytics without consent. Google Analytics processes personal data (IP addresses, device identifiers, browsing behavior) and sets cookies. You need consent before the tag loads, not after. If you have not set up a proper consent mechanism, you are in violation, whatever the banner says. Consider privacy-focused alternatives such as Plausible or Fathom, which are built to run without cookies or persistent identifiers, which is what lets them be used without a consent banner; confirm that the configuration you deploy actually keeps it that way.
Sending marketing emails without proper consent. Buying email lists or adding people to your newsletter without their explicit opt-in is a violation. "They gave me their business card" is not consent. "They are an existing customer" only gets you as far as the ePrivacy "soft opt-in": your own similar products or services, sent to someone who gave you their details while buying from you, with an opt-out at collection and in every message. It never covers third-party marketing.
Ignoring data subject requests. When someone emails asking for their data or asking you to delete it, the clock starts on receipt and you have one month (GDPR Article 12(3)). Calendar time, not business days, and a request does not have to mention GDPR or arrive at your privacy address to count. Ignoring these requests or dragging your feet is one of the fastest ways to get a complaint filed against you.
Keeping data forever. The storage limitation principle (GDPR Article 5(1)(e)) says you keep personal data only as long as you need it for the purpose you collected it. Define retention periods for each type of data in your ROPA, and actually delete (or anonymize) data when those periods expire. Backups count too, so know how long a deleted record survives in them.
Not having a DPA with your email provider. Mailchimp, HubSpot, Salesforce -- whatever you use, if it processes EU personal data on your behalf, you need a DPA. Most providers have one. Go find it and make sure it is in place.
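The retention periods in your ROPA, the right to erasure (which, as noted above, is not absolute), and the one-month response clock all meet in code like the following, an added example rather than anything from the article: one policy table drives both a scheduled retention sweep and an erasure request, legal-obligation retention and legal holds win over deletion, the reason for every "keep" is recorded so the reply to the requester can state it, and the response due date handles month-end correctly instead of spilling into the month after. The categories, periods, record fields, and sample records are constructed assumptions for illustration, not legal advice on what to keep.

```javascript
// Added example, not from the original article: one retention policy table
// drives both the scheduled retention sweep and an erasure request, so the
// same rules decide what gets deleted and what must be kept under a legal
// obligation (Article 17(3)(b)). Categories, periods, record fields and the
// sample records are constructed for illustration; your ROPA supplies the
// real ones, and the periods here are not legal advice.

const DAY_MS = 24 * 60 * 60 * 1000;

// days: how long a record lives after its anchor event (last order, ticket
// closed, invoice issued). retainUnderLaw: set when a legal obligation
// requires keeping the record for that period even if the person asks for
// erasure.
const RETENTION_POLICY = {
  marketing_profile: { days: 365,     retainUnderLaw: null },
  support_ticket:    { days: 2 * 365, retainUnderLaw: null },
  invoice:           { days: 7 * 365, retainUnderLaw: 'tax record-keeping' },
};

function policyFor(record) {
  const policy = RETENTION_POLICY[record.category];
  // A category with no policy must fail loudly; otherwise it lives forever.
  if (!policy) throw new Error('no retention policy for category ' + record.category);
  return policy;
}

function isExpired(record, nowMs) {
  return nowMs - Date.parse(record.anchor + 'T00:00:00Z') > policyFor(record).days * DAY_MS;
}

// Scheduled sweep (monthly or quarterly): delete what is past its retention
// period unless processing is restricted (Article 18) or the record is on
// legal hold for a dispute. Returns one decision per record for the audit log.
function retentionSweep(records, nowMs) {
  return records.map((r) => {
    if (r.restricted) return { id: r.id, action: 'keep', reason: 'processing restricted' };
    if (r.legalHold)  return { id: r.id, action: 'keep', reason: 'legal hold' };
    return isExpired(r, nowMs)
      ? { id: r.id, action: 'delete', reason: 'retention period expired' }
      : { id: r.id, action: 'keep', reason: 'within retention period' };
  });
}

// Article 12(3): respond within one month of receipt. When the following
// month has no such day (31 January -> February), the deadline is the last
// day of that month, not a date in the month after.
function responseDueDate(receivedIso) {
  const received = new Date(receivedIso + 'T00:00:00Z');
  const year = received.getUTCFullYear();
  const month = received.getUTCMonth();
  const day = received.getUTCDate();
  const lastDayOfNextMonth = new Date(Date.UTC(year, month + 2, 0)).getUTCDate();
  return new Date(Date.UTC(year, month + 1, Math.min(day, lastDayOfNextMonth)))
    .toISOString().slice(0, 10);
}

// Erasure request (Article 17): delete the subject's data unless a legal
// obligation or legal hold requires keeping it. Every "keep" carries its
// reason so the reply to the requester can state what was retained and why.
function handleErasureRequest(records, subjectId, receivedIso) {
  const nowMs = Date.parse(receivedIso + 'T00:00:00Z');
  const decisions = [];
  for (const r of records) {
    if (r.subjectId !== subjectId) continue; // never touch another person's data
    const policy = policyFor(r);
    if (r.legalHold) {
      decisions.push({ id: r.id, action: 'keep', reason: 'legal hold' });
    } else if (policy.retainUnderLaw && !isExpired(r, nowMs)) {
      decisions.push({ id: r.id, action: 'keep', reason: 'legal obligation: ' + policy.retainUnderLaw });
    } else {
      decisions.push({ id: r.id, action: 'delete', reason: 'erasure request' });
    }
  }
  return { subjectId, received: receivedIso, dueBy: responseDueDate(receivedIso), decisions };
}

// Constructed sample data: one customer with a stale marketing profile, a
// recently closed ticket and a recent invoice; a second customer whose
// processing is restricted and must not be swept.
const SAMPLE_RECORDS = [
  { id: 'p1', subjectId: 'alice', category: 'marketing_profile', anchor: '2024-06-01' },
  { id: 't1', subjectId: 'alice', category: 'support_ticket',    anchor: '2025-11-10' },
  { id: 'i1', subjectId: 'alice', category: 'invoice',           anchor: '2025-12-15' },
  { id: 'p2', subjectId: 'bob',   category: 'marketing_profile', anchor: '2024-01-20', restricted: true },
];

// Running the sweep on 2026-01-31 deletes p1 only; an erasure request from
// alice received the same day deletes p1 and t1, keeps i1 under the tax
// obligation, and is due by 2026-02-28.
```

The point of routing the erasure request through the same table as the sweep is that "we keep invoices for seven years" is then one decision in one place; the sweep enforces it on schedule and the erasure handler cites it back to the requester, instead of two teams improvising different answers.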
The Cost of Getting It Wrong
GDPR fines can be up to 20 million euros or 4% of annual global turnover, whichever is higher, for the most serious infringements (GDPR Article 83(5)), and up to 10 million euros or 2% for others such as failing to keep a ROPA or to notify a breach (Article 83(4)). But here is the reality for small businesses: you are far more likely to face:
- A complaint to a supervisory authority from a disgruntled customer
- An investigation triggered by a data breach
- A requirement to change your practices and demonstrate compliance
The goal is not to be perfect. It is to demonstrate that you take data protection seriously, you have thought about it, and you have reasonable measures in place. Supervisory authorities generally treat businesses that made genuine efforts differently from those that did nothing.
Where to Start if You Are Doing Nothing Today
If you have read this far and realized you have done none of this, do not panic. Here is your priority order:
- Write a real privacy policy that reflects what your business actually does.
- Set up cookie consent so non-essential cookies are blocked until consent is given.
- Create your Record of Processing Activities. This forces you to think through everything else.
- Get DPAs from your vendors. Log into each service, find their DPA, and make sure it is active.
- Create a basic DSAR process. Designate someone to handle requests, create a tracking spreadsheet, and document your process.
- Train your team. Even a brief overview is better than nothing.
You do not need to do all of this in a day. Work through it over a few weeks. The important thing is to start.
Keeping It Going
GDPR compliance is not a one-time project. It is an ongoing practice. Build these habits:
- Review your privacy policy whenever your data practices change
- Check for new vendor DPAs when you adopt new tools
- Do a quarterly review of your data retention and delete what you no longer need
- Run annual training refreshers for your team
- Keep your ROPA updated as your business evolves
The businesses that stay compliant are the ones that build privacy into their regular operations rather than treating it as a separate project.
References
- Regulation (EU) 2016/679 (General Data Protection Regulation), full text.
- UK GDPR: the UK General Data Protection Regulation, retained in UK law after Brexit and read alongside the Data Protection Act 2018; ICO guidance.
- European Data Protection Board (EDPB), official website.
- Information Commissioner's Office (ICO), guidance for organisations.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Get the Free DSAR Compliance Guide
Handling data subject requests is one of the most concrete obligations under GDPR. Our free DSAR Compliance Guide walks you through the entire process -- from receiving a request to delivering your response -- with templates and checklists designed for small businesses.