GDPR compliance checklist for small business owners

JLV Tech · February 7, 2026 · 6 min read

GDPR Compliance Guide for Small Businesses: What You Actually Need to Do

A practical GDPR compliance guide for small businesses. Learn the key requirements, your obligations as a data controller, and step-by-step implementation.

Tags: gdpr, compliance, privacy, data-protection, small-business

The General Data Protection Regulation (GDPR) applies to any business that processes personal data of individuals in the European Economic Area (EEA), regardless of where the business is located. If your website has visitors from the EU or you serve EU customers, GDPR likely applies to you.

This guide breaks down what GDPR actually requires and provides practical steps for small businesses to achieve compliance without hiring a full legal team.

Who Does GDPR Apply To?

GDPR applies to your business if you:

  • Are based in the EU/EEA
  • Offer goods or services to people in the EU (even for free)
  • Monitor the behavior of people in the EU (analytics, tracking, profiling)

The size of your business does not matter. A one-person online shop selling to EU customers must comply just like a multinational corporation.

The Six Lawful Bases for Processing Data

Under GDPR, you must have a legal basis for every type of personal data processing. The six lawful bases are:

1. Consent

The individual has given clear, informed consent for a specific purpose. Consent must be freely given, specific, informed, and unambiguous.

What this means in practice: Pre-checked boxes do not count. Consent must be an active opt-in. You must be able to prove that consent was given.

2. Contract

Processing is necessary to fulfill a contract with the individual or to take steps at their request before entering a contract.

Example: Processing a customer's address to deliver a product they ordered.

3. Legal Obligation

Processing is necessary to comply with the law.

Example: Retaining employee payroll records as required by tax law.

4. Vital Interests

Processing is necessary to protect someone's life. This basis is rarely applicable for most businesses.

5. Public Task

Processing is necessary for a task carried out in the public interest. This mainly applies to government bodies.

6. Legitimate Interests

Processing is necessary for the legitimate interests of your business, as long as those interests are not overridden by the individual's rights.

Example: Sending a follow-up email to an existing customer about a related product. You must conduct a legitimate interests assessment (LIA) to use this basis.

Key GDPR Rights You Must Support

Individuals have specific rights under GDPR. Your business must be able to fulfill these requests:

  • Right of access — Individuals can request a copy of all data you hold about them
  • Right to rectification — They can ask you to correct inaccurate data
  • Right to erasure — Also called the "right to be forgotten" — they can request deletion of their data
  • Right to restrict processing — They can ask you to stop processing their data while a complaint is resolved
  • Right to data portability — They can request their data in a machine-readable format
  • Right to object — They can object to processing based on legitimate interests or direct marketing

You must respond to these requests within one month.

Step-by-Step Compliance Checklist

Step 1: Audit Your Data

Create a record of processing activities (ROPA) that documents:

  • What personal data you collect
  • Why you collect it (purpose and legal basis)
  • Where it is stored
  • Who has access to it
  • How long you retain it
  • What security measures protect it

Step 2: Update Your Privacy Policy

Your privacy policy must be written in clear, plain language and include:

  • Your identity and contact details
  • What data you collect and why
  • The legal basis for each type of processing
  • Who you share data with (third parties, processors)
  • How long you keep data
  • Individual rights and how to exercise them
  • How to lodge a complaint with a supervisory authority

Step 3: Obtain and Record Consent

If you rely on consent as a legal basis:

  • Use clear, affirmative opt-in mechanisms
  • Keep records of when and how consent was obtained
  • Make it easy to withdraw consent at any time
  • Do not bundle consent with terms and conditions

Step 4: Secure Your Data

GDPR requires "appropriate technical and organizational measures" to protect personal data:

  • Encrypt data at rest and in transit
  • Implement access controls (principle of least privilege)
  • Keep software updated and patched
  • Use strong authentication for systems that process personal data
  • Regularly test your security measures

Step 5: Set Up Breach Notification Procedures

If a data breach occurs that poses a risk to individuals, you must:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay (if high risk)
  • Document the breach, its effects, and remedial actions taken

Step 6: Review Third-Party Processors

If you use third-party services that process personal data on your behalf (email providers, analytics tools, cloud storage):

  • Ensure they have a Data Processing Agreement (DPA) in place
  • Verify they offer adequate security measures
  • Confirm they will assist you in fulfilling data subject requests

Common GDPR Mistakes Small Businesses Make

Using Google Analytics without consent: Standard Google Analytics implementation transfers personal data. You need explicit consent before loading tracking scripts.

Assuming GDPR does not apply: If your website is accessible to EU visitors and you use any form of tracking, GDPR likely applies.

Not having a cookie consent mechanism: A simple cookie banner that only informs (but does not block cookies) is not compliant. You must block non-essential cookies until consent is given.

Keeping data indefinitely: GDPR requires data minimization. Define retention periods and automatically delete data when it is no longer needed.
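A consent gate that blocks rather than merely informs, as an added example (not code from the original post): non-essential scripts such as an analytics tag are queued until an affirmative opt-in is recorded, withdrawal is logged, and the append-only log is the proof of when and how consent was obtained that Step 3 asks for. Purpose names, script names and the injectable clock are constructed for illustration; wiring each `load` callback to inject the real script tag is left to the page.

```javascript
// Consent-gated script loading with an auditable consent log (constructed example).
// Nothing non-essential runs until an explicit, recorded opt-in; withdrawal is one call.
const ESSENTIAL = "essential"; // strictly necessary scripts need no consent

class ConsentManager {
  constructor(clock = () => new Date()) {
    this.clock = clock;          // injectable so records are reproducible in tests
    this.granted = new Set();    // purposes currently consented to
    this.pending = new Map();    // purpose -> [{ name, load }] waiting for consent
    this.log = [];               // append-only record of every grant and withdrawal
    this.loadedNames = [];       // which scripts have actually been run, in order
  }

  // Register a script under a purpose. Essential scripts run immediately;
  // everything else is held until consent for that purpose exists.
  register(name, purpose, load) {
    if (purpose === ESSENTIAL || this.granted.has(purpose)) {
      this.run(name, load);
      return;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push({ name, load });
  }

  // Record an affirmative opt-in (e.g. a click on "Accept analytics"), then
  // release anything queued under that purpose. A pre-ticked default never calls this.
  grant(purpose, method) {
    this.log.push({ purpose, granted: true, method, at: this.clock().toISOString() });
    this.granted.add(purpose);
    for (const { name, load } of this.pending.get(purpose) || []) this.run(name, load);
    this.pending.delete(purpose);
  }

  // Withdrawal stops future loads; scripts already executed cannot be un-run,
  // so the timestamped record of when consent ended is what matters.
  withdraw(purpose, method) {
    this.log.push({ purpose, granted: false, method, at: this.clock().toISOString() });
    this.granted.delete(purpose);
  }

  hasConsent(purpose) { return purpose === ESSENTIAL || this.granted.has(purpose); }

  run(name, load) { this.loadedNames.push(name); load(); }

  // The evidence needed to prove consent was given, and when and how.
  consentRecords() { return this.log.slice(); }
}
```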

Frequently Asked Questions

What are the penalties for GDPR non-compliance?

Fines can reach up to 4% of annual global turnover or 20 million euros, whichever is higher. In practice, small businesses typically receive warnings and lower fines for first offenses.

Do I need a Data Protection Officer (DPO)?

Most small businesses do not. A DPO is required if your core activities involve large-scale processing of sensitive data or systematic monitoring of individuals.

Is GDPR the same as CCPA?

No. The California Consumer Privacy Act (CCPA) has different requirements, thresholds, and enforcement mechanisms. They share similar principles but are distinct regulations.

Learn more about protecting your business with cybersecurity fundamentals, choosing a privacy-focused VPN, and password management best practices.

JLV Tech

Cybersecurity researcher and IT professional covering enterprise security, privacy, and certification prep.