GDPR for small businesses: where to start to get compliant.
GDPR applies to every business that handles personal data, no matter how small. A concrete, jargon-free guide to getting compliant step by step.
Published on January 8, 2026
The General Data Protection Regulation applies to every organisation that processes personal data, regardless of size. As a small business, you almost certainly handle customer data, supplier contacts, and employee information. You are therefore covered, even if your volumes are modest.
The good news: compliance does not require a legal background. It takes a clear method, a few hours of work, and simple habits to build into your daily routine.
Here is where to start.
Why build a record of processing activities first?
The record of processing activities (RoPA, required by Article 30 of GDPR) is the foundation of compliance. It requires you to document each use of personal data: why you collect it, which data exactly, who has access (internally, and which external recipients), how long you keep it, and on what legal basis. Organisations with fewer than 250 employees are exempt only if their processing is occasional, involves no sensitive data, and is unlikely to put individuals at risk; routine customer and payroll processing fails that test, so in practice almost every small business needs a record.
In practice, your record can be a simple spreadsheet. For a small business, common processing activities look like this:
- Customer relationship management (name, email, purchase history)
- Invoicing and accounting (contact details, payment data)
- Payroll and HR (contracts, pay slips, leave records)
- Commercial outreach (prospecting emails, newsletter)
- Website management (forms, cookies, analytics)
Start there: list your processing activities, even imperfectly. An incomplete but current record is far better than none at all.
For more detail on data protection in your day-to-day operations, our GDPR compliance use case covers the most common situations for small businesses.
What legal basis applies to each of your activities?
Every data processing activity must rest on one of the six legal bases defined in GDPR. As a small business, you will mainly use four:
Contract: you process data because it is necessary to deliver a contract. Example: a customer’s delivery address.
Legal obligation: you must process certain data to comply with the law. Example: payroll data kept for tax authorities.
Legitimate interest: you process data for a purpose that is genuinely in your interest, provided that interest is not overridden by the individuals’ interests, rights and freedoms. Write down that balancing exercise, however briefly. Example: sending a relevant offer to a former customer.
Consent: you obtain freely given, specific, informed and unambiguous permission before processing, and you keep proof of it. Consent must be as easy to withdraw as it was to give. Example: signing up to a newsletter.
For each activity in your record, note the legal basis you have chosen. It is this basis that defines your concrete obligations (consent form, right to withdraw, etc.).
What notices and consent mechanisms do you need?
If you have a website, two obligations apply immediately.
Information notices must appear wherever you collect personal data: contact forms, newsletter sign-ups, online checkout. These notices state who you are, why you collect the data, how long you keep it, and how individuals can exercise their rights.
Cookie consent applies to non-essential cookies and trackers (analytics, advertising, embedded social widgets); cookies strictly necessary for the service, such as a session or shopping-cart cookie, need no consent. The rule comes from the ePrivacy framework but reuses GDPR’s definition of consent. Consent is obtained through a banner displayed on the first visit, and no non-essential cookie may be set until the visitor has made a choice. Declining must be as easy as accepting: a clearly visible “Decline all” button on the first screen, alongside “Accept all”, without requiring any scrolling.
If you send commercial emails to consumers, prior consent is mandatory. For business contacts (B2B), you can rely on legitimate interest, provided the emails are relevant to their professional activity and you include an unsubscribe link.
How do you secure personal data in practice?
Data security is a core part of GDPR. You do not need a complex infrastructure as a small business: a few basic measures are enough to significantly reduce the risk.
Passwords: every professional account must be protected by a strong, unique password. Use a password manager (Bitwarden, 1Password) and enable two-factor authentication on your email, CRM, accounting software, and any tool holding customer data. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM-swap fraud.
Backups: apply the 3-2-1 rule. Three copies of your data, on two different media, with one copy stored off-site (cloud or an external drive kept elsewhere). Our article on 3-2-1 backup walks you through it step by step. An untested backup is not a backup.
Access control: limit access to personal data to the people who genuinely need it for their work. An intern should not have access to your entire customer database. Revoke access as soon as a team member leaves.
Devices: encrypt the hard drives on your laptops (BitLocker on Windows, FileVault on macOS) and enable automatic screen locking. The same goes for phones that receive work email. A stolen device must not expose your data.
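The backup rule above ends with “an untested backup is not a backup”. The following POSIX shell script, added here as an illustration and not part of the original article or any iokoo tooling, makes that test concrete: it archives a folder onto a first medium, copies it to a second, compares the checksums of both copies, performs a trial restore and diffs it against the source, then stores the checksum so the archive can be re-verified later. The paths, folder names and sample files are constructed for the demo; `tar`, `sha256sum` and `diff` are assumed to be available (GNU coreutils or equivalent). The off-site copy of the 3-2-1 rule is represented by the second directory; shipping it elsewhere (cloud bucket, external drive) is outside the script.

```shell
#!/bin/sh
# Added example: create a backup and prove it restores before trusting it.
# Assumed tools: tar, sha256sum, diff, mktemp (hypothetical paths in the demo).

# verify_backup SOURCE_DIR MEDIUM1_DIR MEDIUM2_DIR
# Returns 0 only if both copies match and a trial restore equals the source.
verify_backup() {
    src="$1"; dest1="$2"; dest2="$3"
    ts=$(date +%Y%m%d-%H%M%S)
    archive="backup-$ts.tar"
    mkdir -p "$dest1" "$dest2"

    # 1. First copy: archive the source directory onto medium 1.
    tar -C "$src" -cf "$dest1/$archive" . || return 1

    # 2. Second copy on a different medium, checked by checksum so that a
    #    truncated or corrupted copy is caught immediately.
    cp "$dest1/$archive" "$dest2/$archive" || return 1
    sum1=$(sha256sum "$dest1/$archive" | cut -d' ' -f1)
    sum2=$(sha256sum "$dest2/$archive" | cut -d' ' -f1)
    [ "$sum1" = "$sum2" ] || { echo "copy mismatch for $archive" >&2; return 1; }

    # 3. Trial restore into a scratch directory, compared file by file with
    #    the source. This is the step most small businesses skip.
    restore=$(mktemp -d)
    tar -C "$restore" -xf "$dest2/$archive" || { rm -rf "$restore"; return 1; }
    if ! diff -r "$src" "$restore" >/dev/null; then
        echo "restore of $archive differs from source" >&2
        rm -rf "$restore"
        return 1
    fi
    rm -rf "$restore"

    # 4. Record the checksum next to each copy for later re-verification.
    echo "$sum1" > "$dest1/$archive.sha256"
    echo "$sum1" > "$dest2/$archive.sha256"
    echo "backup $archive verified: $sum1"
    return 0
}

# check_archive ARCHIVE_PATH
# Re-verify a stored archive against the checksum written beside it
# (run this periodically; silent bit rot on a drive is otherwise invisible).
check_archive() {
    archive="$1"
    expected=$(cat "$archive.sha256" 2>/dev/null) || return 1
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Demo on constructed sample data (not real customer records).
demo=$(mktemp -d)
mkdir -p "$demo/data/invoices"
printf 'name,email\nJane Doe,jane@example.com\n' > "$demo/data/customers.csv"
printf 'INV-0001 2026-01-08 120.00 EUR\n' > "$demo/data/invoices/0001.txt"
verify_backup "$demo/data" "$demo/disk1" "$demo/offsite"
rm -rf "$demo"
```

Run it from cron against the folder that actually holds your customer and accounting files; a non-zero exit is the signal to investigate, and the stored `.sha256` lets you re-run `check_archive` on old archives without a full restore.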
How do you manage your processors and sub-contractors?
Any provider that processes personal data on your behalf is a data processor under GDPR: your web host, your SaaS invoicing tool, your emailing platform, your accountant if they access payroll data.
You must have a Data Processing Agreement (DPA) in place with each of them; it is what obliges the provider to act only on your instructions, keep the data secure, and help you respond to rights requests and breaches. Most major vendors (Microsoft, Google, Mailchimp, etc.) make this document available online within their terms of service. For local providers, ask for it explicitly.
Also check where your data is hosted. Hosting within the European Union simplifies compliance and reduces the risk of international data transfers. Data sent outside the EU/EEA needs a lawful basis for the transfer, such as an adequacy decision for the destination country or standard contractual clauses signed with the provider.
How do you handle individuals’ rights?
Your customers, prospects, and employees have rights over their data: access, rectification, erasure, restriction of processing, portability, and the right to object. They can exercise these rights at any time, by email or letter, and they do not have to use a particular form.
You generally have one month to respond, extendable by a further two months for complex or numerous requests, provided you tell the person within the first month. Designate someone internally to handle these requests (often yourself in a small business) and keep a record of requests received and responses sent. Confirm who is asking before you hand over a copy of their file: a fake access request is an easy way to extract someone else’s data.
If a data breach occurs (a cyberattack, a lost laptop, an email sent to the wrong recipient), you must notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If the risk to them is high, you must also inform the individuals without undue delay. Log every breach internally, including those you decide not to notify, with your reasoning. Our cybersecurity advisory page explains how to respond to an incident.
When should you call in an expert?
The large majority of small businesses can handle the basics on their own: the record of activities, information notices, passwords, backups, and supplier DPAs. These steps take time and organisation, not advanced legal knowledge.
Call in an expert in these situations:
- You process sensitive data (health, political opinions, biometric data)
- You have experienced or suspect a data breach
- You have received a formal notice from a data protection authority
- You are launching a new service involving large-scale data processing
- You are uncertain about a legal basis or an international data transfer
An expert can also carry out a rapid audit to highlight priorities and save you considerable time.
GDPR compliance is not a one-off project. It is an ongoing practice, built up gradually into your daily habits. Start with the record of processing activities, secure your access controls, and inform your contacts. The rest can follow in stages.
Our iokoo experts support small businesses on these topics: compliance audits, access security, incident response. Create an account to get started or ask your questions.
Frequently asked questions
Does GDPR apply to a small business with no website?
Yes. As soon as you process personal data (names, emails, customer or employee contact details), GDPR applies, whether you have a website or not. A simple client list in a spreadsheet or invoicing software is already covered.
Does a small business need to appoint a DPO (Data Protection Officer)?
No, appointing a DPO is only mandatory in specific cases: public bodies, organisations whose core activity is large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data. As a small business, you can designate an informal internal point of contact or call on an external consultant if needed.
What are the real risks of not being GDPR compliant?
Supervisory authorities can issue fines of up to 20 million euros or 4% of global annual turnover, whichever is higher, but in practice they typically start with a formal notice and guidance for small organisations. The immediate risk is more likely a loss of trust from your clients and partners, and the scramble of having to notify and remediate a data breach you were not prepared for.