The Security Editor


GDPR for a very small business: the three things that will trip you up

GDPR applies to one-person businesses just as much as to Google. The good news: for most small operators, only a handful of obligations really matter day-to-day. This article covers them, in plain English, with the traps that catch small businesses most often.

By Alex Trustwell · 7 min read · intermediate
On this page
  1. A one-paragraph GDPR primer
  2. Trip-up #1: “What’s your lawful basis?”
  3. Trip-up #2: international transfers
  4. Trip-up #3: “Someone asked for their data. What do I do?”
  5. The breach notification trap
  6. The minimum viable GDPR program for a very small business
  7. Where this article stops

GDPR — the EU General Data Protection Regulation, and its UK near-twin the UK GDPR — applies to any organization that handles personal data of people in the EU or UK, regardless of the organization’s size or where it is based. For a one-person business, the paperwork can feel disproportionate. The reality is that the rules scale reasonably: you don’t need a Data Protection Officer, a 20-page privacy notice, or a risk register to be compliant. You need a manageable set of commitments actually carried through.

This article walks through the three things that, in my experience, trip up small businesses most often. It is not legal advice; for genuinely complex situations, talk to a data protection professional.

A one-paragraph GDPR primer

GDPR says: you can process the personal data of people in the EU/UK only if you have a lawful basis for it (consent, contract, legal obligation, vital interest, public task, or legitimate interest). You must tell people what you’re doing in a clear privacy notice. You must respect their rights — most importantly the right of access (they can ask for a copy of their data), erasure (they can ask you to delete it), and rectification (they can ask you to correct it). You must secure the data proportionately to its sensitivity. If something goes wrong, you must notify the regulator within 72 hours of becoming aware.

That’s the spine. The rest is detail.

Trip-up #1: “What’s your lawful basis?”

Every piece of personal data you hold must have a lawful basis for processing. For most small businesses, the common bases break down like this:

  • Contract — you hold a client’s address because you need to send them the thing they bought. This is the easy case.
  • Legal obligation — you keep tax records because the tax authority requires it. Also easy.
  • Legitimate interest — a balancing test: your interest in processing (for fraud prevention, or for communicating with existing customers about closely related products) outweighs the data subject’s rights. Requires documentation (a “legitimate interest assessment”).
  • Consent — the person has said yes, specifically, for this purpose.

The common small-business mistake: treating “consent” as a catch-all. It isn’t. Under GDPR, consent has to be freely given, specific, informed, and unambiguous, with an equally easy withdrawal mechanism. A pre-ticked box is not consent. A bundled “I agree to the terms and to marketing” is not consent. A consent that cannot be withdrawn as easily as it was given is not compliant.

For most small businesses, the trouble zones are:

  • Newsletter signups. You should be using consent, with a specific opt-in (not a pre-ticked box), and a one-click unsubscribe in every email.
  • Cookies on your website. Tracking and analytics cookies require consent. “Essential” cookies (the session cookie that keeps someone logged in) do not. A cookie banner that only offers “Accept” — with no “Reject” option that is equally prominent — is not compliant.
  • Buying mailing lists. Don’t. The consent doesn’t transfer. The fines can be substantial, and the mailing lists are almost always low-quality.

Trip-up #2: international transfers

GDPR restricts the movement of personal data to countries outside the EU/EEA that don’t have an adequacy decision from the European Commission.

The practical consequence: every time you send personal data to a US-based vendor — Google Workspace, Microsoft 365, Mailchimp, Slack, Zoom, every SaaS you use — you are performing an international transfer. This is legal only through specific mechanisms:

  • The EU-US Data Privacy Framework (DPF) — the current adequacy decision for transfers to certified US companies. Check whether your vendor is certified.
  • Standard Contractual Clauses (SCCs) — a set of template contract terms that bind the non-EU recipient to GDPR-equivalent protections. Most major US vendors offer SCCs in their data processing agreements.
  • Binding Corporate Rules — for large multinationals.

For a small business, the day-to-day practice is:

  1. Know where your vendors are. Maintain a list.
  2. Confirm each has a valid transfer mechanism — either DPF certification or SCCs in a Data Processing Agreement (DPA) they will sign with you.
  3. For any vendor that won’t sign a DPA, find a replacement or don’t send personal data to them.
  4. Mention the transfer in your privacy notice — specifically, that personal data may be transferred outside the EU/UK under appropriate safeguards.

The UK GDPR has a similar framework, but under the UK Information Commissioner’s Office (ICO) rules, with the UK International Data Transfer Agreement (or its Addendum to the EU SCCs) as the transfer mechanism.

Trip-up #3: “Someone asked for their data. What do I do?”

Sooner or later, a customer, former employee, or irritable internet stranger will exercise one of their GDPR rights against you. The most common:

  • Right of access — they want to know what you hold about them.
  • Right of erasure — they want you to delete their data.
  • Right of data portability — they want a copy they can move elsewhere.

You have one month to respond (extendable by two months for complex requests, with notification to the requester). If you don’t have a process, one month is not much time.

A working process looks like:

  1. A named point of contact (your own email is fine for a solo business, but it must be clearly advertised — often on the privacy notice).
  2. A way to verify the identity of the person asking (you don’t want to hand over somebody’s data to a stranger claiming to be them).
  3. A checklist of where you hold personal data — CRM, email, accounting software, spreadsheets, physical files. You can’t respond properly if you don’t know where the data lives.
  4. Template responses for common requests — an access request response, an erasure confirmation, a refusal with reasons (for cases where an exception applies, e.g. you need to keep the data for tax purposes).

Half of GDPR breaches I’ve seen in small businesses are actually failure to respond to rights requests rather than data security incidents. It’s an unforced error.

The breach notification trap

If personal data is exposed to unauthorized people, you must notify the regulator within 72 hours of becoming aware. “Aware” means the point at which you have reasonable certainty that a breach has occurred, not the point at which you have finished investigating.

Small businesses often miss this because they want to “investigate first and report later”. You can investigate in parallel; you must also report on time. Initial notifications can be incomplete and updated later.

“Breach” here is broader than “hack”. It includes:

  • A lost laptop with unencrypted personal data.
  • An email accidentally sent to the wrong address, when it contained personal data.
  • A misconfigured cloud folder that was publicly accessible.
  • A ransomware incident. Even if no data was exfiltrated, losing access to data that has been encrypted by an attacker is a “breach of availability”.

The minimum viable GDPR program for a very small business

You don’t need a compliance department. You do need, in writing:

  1. A brief privacy notice on your website, naming you, what data you collect, your lawful bases, your retention periods, how you handle international transfers, and how to exercise rights.
  2. A record of processing activities — a single document listing what personal data you process, why, on what basis, and who you share it with. GDPR Article 30 requires this, and for small businesses it can be a one-page table.
  3. DPAs in place with every processor (cloud vendors, email marketing tools, accountants, etc.).
  4. A cookie banner on your website that actually works — if you have tracking or analytics.
  5. A rights-request process and a place to send them (your email).
  6. A brief security policy — unique passwords, MFA on critical accounts, full-disk encryption, a backup plan. Applies to you; applies to anyone who works with you.
  7. An incident response checklist with the regulator’s contact info and the 72-hour clock in mind.

That is a lunchtime’s work plus some vendor emails to get DPAs signed. The alternative is a regulator’s letter landing on your desk asking what your program looks like, which is a considerably more expensive afternoon.

Where this article stops

  • Fines and enforcement priorities in your specific jurisdiction.
  • Sector-specific rules (healthcare, finance, children’s data, biometric data).
  • Employee data obligations, which have their own quirks under GDPR.
  • ePrivacy Directive issues, particularly around electronic marketing and cookies.

For those, the national regulators publish excellent plain-English guidance. The UK ICO and the French CNIL in particular have small-business portals that are actually readable. Use them.

Sources

  1. European Commission — Data protection in the EU
  2. EDPB — Guidelines
  3. ICO (UK) — Guide to Data Protection
  4. CNIL (France) — GDPR for small companies