
11 May 2026 · GDPR Compliance

GDPR for Small Businesses: A No-Jargon Guide to Getting Compliant

What GDPR actually requires of your business, without the legal terminology.

GDPR has been in force since May 2018, and it still causes confusion among small business owners. The regulations were written in legal language, the guidance documents are long, and the maximum fines (up to 4% of annual turnover) sound terrifying. But the reality for most small businesses is more manageable than it seems.

This guide covers what GDPR actually requires of you, what counts as personal data, and the practical steps to get compliant. No legal jargon, no scare tactics, just what you need to know.

What GDPR actually requires of small businesses

GDPR applies to any organisation that processes personal data of individuals in the UK, regardless of size. There is no exemption for sole traders, micro-businesses, or companies with fewer than 10 employees. If you collect, store, or use personal information about anyone in the UK, you need to comply.

But here is the important bit that often gets missed: GDPR expects compliance proportionate to your size and the amount of data you process. The Information Commissioner's Office (ICO), which enforces GDPR in the UK, does not expect a sole trader with a contact form to have the same data protection infrastructure as a bank. What they expect is that you take reasonable steps, have documented what you do, and can show you have thought about it.

The core obligations for most small businesses are straightforward:

  • Know what personal data you collect and why
  • Have a lawful reason for processing it
  • Tell people what you do with their data (a privacy policy)
  • Keep it secure
  • Do not keep it longer than necessary
  • Respect people's rights over their data

What counts as personal data

Personal data is any information that can identify a living person, either on its own or when combined with other information. For a small business website, the most common types are:

  • Names and email addresses from contact forms, newsletter sign-ups, or customer accounts
  • IP addresses logged by your web server, analytics tools, or contact forms
  • Location data collected by analytics or mapping widgets
  • Cookie identifiers stored in visitors' browsers
  • Phone numbers and postal addresses collected through forms or orders
  • Payment details if you process payments directly (though most small businesses use a payment provider like Stripe, which handles PCI compliance separately)

A common misconception is that IP addresses do not count as personal data. They do. The ICO is clear on this. Every time someone visits your website, their IP address is personal data under GDPR. This means your website analytics, server logs, and contact form submissions all involve processing personal data.

Lawful basis for processing

You cannot just collect personal data because you want to. GDPR requires you to have a lawful basis for processing it. There are six options, but most small businesses use one of these three:

Consent. The person has given clear, informed, specific consent. This is required for most marketing emails and non-essential cookies. Consent must be freely given, specific, and easy to withdraw. Pre-ticked boxes do not count.

Contract. Processing is necessary to fulfil a contract with the person. If someone buys something from your website, you need their name and address to deliver it. You do not need separate consent for this, though you still need a privacy policy.

Legitimate interest. You have a genuine business reason, and that reason is not overridden by the person's rights and interests. This might cover processing enquiry form data to respond to a query, or basic security measures like blocking malicious IP addresses. You should document your legitimate interest assessment.

Privacy policy essentials

Every website that collects personal data needs a privacy policy. It does not need to be written by a lawyer, but it does need to be clear, specific, and honest. A good privacy policy covers:

  • Who you are (your business name and contact details)
  • What personal data you collect
  • Why you collect it and your lawful basis
  • Who you share it with (hosting providers, email services, analytics tools, payment processors)
  • How long you keep it
  • What rights people have (access, deletion, correction, objection)
  • How people can complain to the ICO

Avoid generic privacy policy templates filled with clauses that do not apply to your business. If you do not use Salesforce, do not mention Salesforce. If you do not do direct marketing, say so. The policy should describe what you actually do.

Data subject rights

GDPR gives individuals specific rights over their personal data. The ones most relevant to small businesses:

  • Right of access: Anyone can ask what data you hold about them. You have one month to respond.
  • Right to erasure: People can ask you to delete their data, subject to some exceptions (such as legal obligations to keep records).
  • Right to rectification: People can ask you to correct inaccurate data.
  • Right to object: People can object to processing based on legitimate interest or direct marketing.

You do not need a complex system to handle these. You need a process for receiving and responding to requests, and you need to be able to locate and delete data when asked.

Cookie consent requirements

Cookies are a specific area of GDPR enforcement that the ICO is actively pursuing. The rules are:

  • Strictly necessary cookies (session cookies, shopping cart cookies) can be set without consent
  • All other cookies (analytics, advertising, social media tracking) require informed consent before they are set
  • Consent must be actively given (pre-ticked boxes do not count)
  • Visitors must be able to reject non-essential cookies as easily as they accept them
  • You must list exactly which cookies you set and what they do

This means if your website loads Google Analytics, Facebook Pixel, or any advertising scripts before the visitor has chosen to accept cookies, you are in breach. See our guides on tracking cookies explained and ICO cookie consent fines for the full picture.

Data breach notification

If personal data is lost, stolen, or accidentally exposed, you have obligations:

  • Notify the ICO within 72 hours of becoming aware of a breach that could risk people's rights and freedoms
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to them
  • Document every breach, even if it does not meet the threshold for notification

Common breaches for small businesses include emails sent to the wrong person, website contact form data exposed publicly, or a hacked website leaking customer details. Having a plan in place before it happens makes the 72-hour window manageable.

The ICO's role

The ICO is the UK's data protection regulator. They provide guidance, handle complaints, investigate breaches, and issue fines. Their approach to enforcement is generally proportionate. For small businesses making genuine efforts to comply, they tend to offer advice before penalties.

The ICO's website has a specific section for small businesses with checklists and templates. It is genuinely useful and written in plain English. Use it.

Practical first steps

If you have not done anything about GDPR yet, start here:

  • Audit what data you collect. List every form on your website, every tool that processes visitor data, and every third-party script you load.
  • Write or update your privacy policy. Make it specific to your actual data processing. Link to it from your website footer.
  • Fix your cookie consent. Make sure no non-essential cookies load before consent is given. Your banner needs an accept and reject option, both equally visible.
  • Secure the data you hold. Use HTTPS, keep software updated, use strong passwords, and limit who can access customer data.
  • Set up a process for data requests. Decide how you would handle an access or deletion request, and make sure you can respond within one month.
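To show the cookie rule from the section above and the "fix your cookie consent" step in practice, here is an added JavaScript example (not PulseShield's code or any consent-management product's): non-essential scripts load only after an explicit accept, reject is a single call just like accept, and an audit helper flags scripts that loaded without consent. The script URLs and the NON_ESSENTIAL_SCRIPTS grouping are constructed placeholders.

```javascript
// Hypothetical script URLs grouped by consent category (constructed, not real).
const NON_ESSENTIAL_SCRIPTS = {
  analytics: ["https://analytics.example/collect.js"],
  advertising: ["https://ads.example/pixel.js"],
};

// Consent record. null means the visitor has not chosen yet, which is treated
// exactly like a rejection: no pre-ticked default, no "implied" consent.
function createConsentStore() {
  let record = null;
  return {
    get: () => record,
    // Accept only the categories the visitor actively ticked.
    accept: (categories) => { record = { given: true, categories: [...categories] }; },
    // Reject is one call, as easy as accept; withdrawing later is the same call.
    reject: () => { record = { given: false, categories: [] }; },
  };
}

// URLs that may be loaded under the current consent record.
function scriptsAllowed(record) {
  if (!record || record.given !== true) return [];
  return Object.entries(NON_ESSENTIAL_SCRIPTS)
    .filter(([category]) => record.categories.includes(category))
    .flatMap(([, urls]) => urls);
}

// Load allowed scripts through an injector callback; in a browser the callback
// would append a <script src> tag to document.head. Returns what was loaded.
function applyConsent(store, inject) {
  const urls = scriptsAllowed(store.get());
  urls.forEach(inject);
  return urls;
}

// Audit helper: given the script URLs a page has already loaded, return the
// non-essential ones that should not be there under the current record.
function violationsBeforeConsent(loadedUrls, record) {
  const allowed = new Set(scriptsAllowed(record));
  const nonEssential = new Set(Object.values(NON_ESSENTIAL_SCRIPTS).flat());
  return loadedUrls.filter((u) => nonEssential.has(u) && !allowed.has(u));
}

// Usage: nothing loads until the visitor actively accepts.
const consentStore = createConsentStore();
const loadedScripts = [];
applyConsent(consentStore, (u) => loadedScripts.push(u)); // still empty
consentStore.accept(["analytics"]);                        // visitor ticks analytics only
applyConsent(consentStore, (u) => loadedScripts.push(u)); // loads collect.js only
```

Run `violationsBeforeConsent` over the script URLs your page actually loads before the banner is answered; any result other than an empty list is something to fix.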

GDPR compliance is not a one-time project. It is an ongoing responsibility. But the initial work to get compliant is not as daunting as it sounds, and the ICO recognises the difference between a business that is trying and one that is ignoring its obligations.

To check whether your website's cookie setup and data collection practices meet GDPR requirements, run a free PulseShield scan. It checks cookie consent, security headers, SSL, and more in a single report.
