Vertical guide · SMEs and sole traders

GDPR for small businesses

Updated April 2026 · EU GDPR 2016/679 · EDPB aligned

EU GDPR applies to every organisation established in the EU that processes personal data, whatever its size, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). A five-person company in the Netherlands, a sole trader in Italy, a startup in Poland: each is a controller (or, where it processes on a client's behalf, a processor) subject to the full framework. The obligations are the same; how they are met can be proportionate to scale and risk.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

Size is not an exemption

The EDPB and national data protection authorities (DPAs) have been explicit that GDPR applies regardless of an organisation's size. DPAs across the EU actively investigate complaints against small organisations, particularly for failures to answer subject access requests (SARs), inadequate security, and marketing without valid consent. The most common SME enforcement triggers are all preventable with basic documented procedures.

The practical minimum

For a small business with straightforward processing, the core elements typically expected by supervisory authorities are: a data audit establishing what personal data is held and why; a simple record of processing activities (ROPA, Article 30); a privacy notice in plain language covering all processing (Articles 13 and 14); a process for responding to access requests within one month of receipt (Article 12(3); the period may be extended by two further months only where requests are complex or numerous, and only if the requester is told of the extension and the reasons within the first month); a breach response procedure and log, including the ability to notify the DPA within 72 hours where a breach is likely to result in a risk to individuals (Article 33); basic security measures appropriate to the data (Article 32); and registration with the relevant national DPA where required (requirements vary by member state, and most EU countries have no general registration or fee equivalent to the UK's ICO fee).

Proportionality in practice

Accountability must be demonstrated, but the means are proportionate to scale and risk. A sole trader with a small customer list does not need an elaborate ROPA: a short document recording what data is held, why, who it is shared with (including any transfer outside the EEA), how long it is kept, and what security measures protect it covers the contents Article 30(1) asks for. Note that the Article 30(5) exemption for organisations with fewer than 250 employees does not apply where processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal conviction data; because customer and staff records are processed routinely, most small businesses still need a record. National DPAs require genuine consideration of obligations and documented evidence that the consideration occurred, not a compliance programme scaled for a multinational.

Common risks for small businesses

The most common GDPR enforcement issues affecting small businesses across the EU: sending personal data to the wrong recipient (a misaddressed email, or a mailing sent with every address visible in the To or CC field); failure to respond to access requests on time; inadequate security (particularly weak or reused passwords without multi-factor authentication, and phishing leading to account compromise); and marketing by email or phone without a valid basis. For email and SMS marketing the ePrivacy rules (Directive 2002/58/EC, Article 13, as transposed in each member state) generally require prior consent, or an existing-customer relationship for similar products or services, so a documented legitimate interest on its own does not make unsolicited email lawful; for live telephone calls, whether the regime is opt-in or opt-out depends on the member state. National DPA enforcement databases across the EU consistently show these as the highest-frequency violations at SME level.

National DPA registration requirements

Unlike the UK, where controllers must pay a fee to the ICO under domestic regulations, EU member states no longer operate the general notification regime of the pre-GDPR Directive 95/46/EC. What remains is narrower: the contact details of a designated data protection officer must be communicated to the DPA (Article 37(7)); the DPA must be consulted before processing where a data protection impact assessment shows a high risk that the controller cannot mitigate (Article 36); and some member states retain notification or authorisation requirements for particular categories of processing under national law. The relevant national DPA's website is the authoritative source for whether any registration is required in each member state where the organisation operates.

Record this. Keep a simple log of every data-related decision. When an access request arrives, log the date it was received, what was provided and when. When a breach occurs, log it: Article 33(5) requires every personal data breach to be documented, with its facts, effects and the remedial action taken, even where it falls below the threshold for notifying the DPA within 72 hours. Small businesses are investigated because of basic failures to respond to requests or report breaches, and because they have no records to show they tried.

Note: EU GDPR applies directly across all 27 member states, but national law overlays, which the regulation itself permits, vary materially between jurisdictions: employment data (Article 88), special category processing (Article 9(4)), and anti-money-laundering (AML) retention periods in particular. Confirm requirements with a practitioner familiar with the relevant member state law.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.