Quick answer: Yes, GDPR applies to small businesses. There is no revenue threshold or employee minimum — if you process personal data of EU residents, you must comply. The good news: small businesses can often achieve compliance with a few targeted actions, without hiring a lawyer or a DPO.
Does GDPR Really Apply to My Small Business?
Yes, if any of these are true:
- Your website has visitors from the EU (even if your business is outside Europe)
- You collect email addresses (newsletter, contact forms, e-commerce)
- You use analytics tools that track behavior (Google Analytics, Hotjar, etc.)
- You run online advertising targeting EU users
- You sell products or services to EU customers
The only exemption is for purely personal or household activity. If your website has any commercial purpose, GDPR applies.
But Can Small Businesses Actually Get Fined?
Yes — and it's happening. While the headline-grabbing fines target big companies, DPAs across Europe have increasingly targeted SMBs:
- Spain (AEPD): Fined a small dental clinic €10,000 for an inadequate privacy policy
- Italy (Garante): Fined a local business €20,000 for sending marketing emails without consent
- Romania (ANSPDCP): Fined a small e-commerce site €5,000 for missing cookie consent
- Germany (LfDI): Fined a freelancer €1,500 for using Google Fonts without consent (loading external resources that transmit IP addresses)
For the full picture on GDPR fines, see our detailed breakdown.
The Small Business GDPR Compliance Checklist
You don't need to do everything a multinational does. Focus on these 10 actions:
Step 1: Add a Privacy Policy
Every website needs a GDPR-compliant privacy policy that explains what data you collect, why, and how users can exercise their rights. Link it in your footer on every page.
Step 2: Implement Cookie Consent
If your site uses analytics, marketing, or social media cookies, you need a cookie consent banner that:
- Blocks non-essential cookies until consent is given
- Offers granular choices (not just "Accept All")
- Allows users to withdraw consent easily
- Doesn't use dark patterns to manipulate choices
Step 3: Scan Your Website
Use PrivacyChecker to discover what's actually happening on your site. Many small businesses are surprised to find:
- Cookies they didn't know about (from WordPress plugins, embedded videos, etc.)
- Third-party trackers loading without consent
- Missing security headers
- Exposed email addresses in source code
Step 4: Secure Your Website
- Use HTTPS everywhere (get a free SSL certificate via Let's Encrypt)
- Add security headers (CSP, HSTS, X-Frame-Options)
- Keep your CMS and plugins updated
- Use strong passwords and two-factor authentication
Step 5: Handle Contact Forms Properly
- Add a consent checkbox (unchecked by default): "I agree to the processing of my data as described in the Privacy Policy"
- Link to your privacy policy from the form
- Don't use the data for purposes beyond what users consented to
- Delete form submissions when they're no longer needed
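As an added example (not PrivacyChecker's own code), a small offline self-audit in Python that takes one page's HTML and HTTP response headers and reports the items named in Steps 3 to 5 and in the Google Fonts fine above: missing CSP/HSTS/X-Frame-Options headers, externally loaded Google Fonts, checkboxes that are checked by default, and email addresses exposed in the source. The sample HTML and headers are constructed, not captured from a real site.

```python
import re
from html.parser import HTMLParser

# Headers the checklist asks for; compared case-insensitively against the response.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class _Collector(HTMLParser):
    """Collects externally loaded resources and checkboxes that are checked by default."""

    def __init__(self):
        super().__init__()
        self.external = []    # absolute URLs from link/script/iframe/img tags
        self.prechecked = []  # names of <input type="checkbox" checked>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as `checked` map to None
        if tag in ("link", "script", "iframe", "img"):
            url = a.get("href") or a.get("src") or ""
            if url.startswith(("http://", "https://", "//")):
                self.external.append(url)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.prechecked.append(a.get("name") or "?")


def audit_page(html, headers):
    """Return (finding, detail) tuples for one page's HTML and HTTP response headers."""
    present = {k.lower() for k in headers}
    findings = [("missing-header", h) for h in REQUIRED_HEADERS if h not in present]
    col = _Collector()
    col.feed(html)
    findings += [("external-google-font", u) for u in col.external
                 if any(host in u for host in GOOGLE_FONT_HOSTS)]
    findings += [("pre-checked-checkbox", n) for n in col.prechecked]
    findings += [("exposed-email", e) for e in sorted(set(EMAIL_RE.findall(html)))]
    return findings


# Constructed sample page and headers for a dry run; not captured from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/js/app.js"></script></head>
<body><form><input type="checkbox" name="consent" checked> I agree</form>
<!-- webmaster: owner@example.com --></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{kind}: {detail}")
```

Point it at your own pages by fetching the HTML and headers with any HTTP client; a clean page with all three headers returns an empty list.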
Step 6: Get Email Marketing Right
- Use double opt-in for newsletter signups
- Include an unsubscribe link in every email
- Keep records of when and how consent was given
- Set up SPF, DKIM, and DMARC for your domain
Step 7: Review Your Third-Party Tools
List every tool that processes customer data. For each one:
- Check if they offer a DPA (Data Processing Agreement) — sign it
- Verify where data is stored (EU is simplest)
- Add them to your privacy policy
- See our SaaS tools GDPR guide for specific tools
Step 8: Prepare for Data Requests
Users can request to access, correct, or delete their data. Have a simple process:
- Provide a contact email for privacy requests
- Respond within 30 days (GDPR requirement)
- Know where all user data is stored so you can export or delete it
Step 9: Do You Need a DPO?
Most small businesses do not need a Data Protection Officer. A DPO is required only if:
- You're a public authority
- Your core activities involve large-scale systematic monitoring of individuals
- Your core activities involve large-scale processing of sensitive data
A typical small business website with analytics and a contact form does not need a DPO.
Step 10: Document Everything
If you have more than 250 employees, you must maintain a Record of Processing Activities (ROPA). Even if you're smaller, documenting your data practices is smart — it's your best defense if a DPA ever audits you.
Common Small Business GDPR Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| No cookie consent banner | Fine up to €20M | Install a CMP — see our CMP comparison |
| Pre-checked consent boxes | Consent is invalid | All consent checkboxes must be unchecked by default |
| Using Google Fonts externally | IP transmitted to Google = data transfer | Self-host your fonts |
| No privacy policy | Guaranteed violation | Use our privacy policy guide |
| Newsletter without double opt-in | Consent is questionable | Enable double opt-in in your email platform |
| Keeping data forever | Violates data minimization | Set retention periods and auto-delete old data |
| Not knowing what cookies your site sets | Undeclared cookies = violation | Scan your cookies |
Frequently Asked Questions
I'm a sole trader / freelancer. Does GDPR apply to me?
Yes. GDPR applies to any organization — including sole traders, freelancers, and one-person businesses — that processes personal data of EU residents in a commercial context.
How much does GDPR compliance cost for a small business?
It can cost nothing to very little. Free tools like PrivacyChecker scan your website at no cost. Free CMPs exist (Cookiebot free tier, Osano free). The main investment is your time to review and update your practices.
Can I just add "By using this site, you agree to our privacy policy"?
No. Implied consent is not valid under GDPR for non-essential data processing. You need active, affirmative consent — an unchecked checkbox, a clear accept/reject choice, or granular cookie preferences.
What's the fastest way to check if my small business website is compliant?
Scan your website with PrivacyChecker — it takes 60 seconds and checks cookies, consent, privacy policy, security headers, third-party scripts, and more. You'll get a clear compliance score with specific recommendations.