Small Business · March 2026 · 5 min read

GDPR for Small Business — What You Actually Need

You have a small website. Maybe a landing page, a SaaS with a few hundred users, or a freelance portfolio with a contact form. Do you really need to care about GDPR?

Myth: "GDPR doesn't apply to small businesses."

This is one of the most dangerous misconceptions in web compliance. GDPR has no general small business exemption. If you have an EU visitor and you set a cookie or collect an email address, you are subject to GDPR.

Reality: The bar is lower than you think — but it is not zero.

Most small sites can achieve solid GDPR compliance in an afternoon. There are 5 things you almost certainly need to do. None of them require a lawyer. A good starting point is a privacy policy and understanding legitimate interests as a lawful basis.

The 5 minimum requirements for small websites

CRITICAL: Privacy Policy page

GDPR Article 13 requires you to tell users what data you collect, why, how long you keep it, and their rights. This applies regardless of your company size.

Fix

Create a /privacy-policy page. Use our free Privacy Policy Generator — takes 60 seconds.

CRITICAL: Cookie consent banner

If you load Google Analytics, Facebook Pixel, or any non-essential cookie, you need explicit opt-in consent before loading it. No exceptions for small sites.

Fix

Add a CMP like CookieYes (free tier). Or generate a banner with our free Cookie Banner Generator.

CRITICAL: HTTPS / SSL

Any site that collects data (including just an email signup form) must use HTTPS. HTTP transmits data in plain text — a technical security failure under GDPR Article 32.

Fix

Enable free SSL via Let's Encrypt, Cloudflare, Vercel, or your hosting provider.

HIGH: Form consent language

Every form that collects an email or personal data needs a clear, unchecked consent checkbox or disclosure. Pre-ticked boxes are explicitly banned by GDPR.

Fix

Add: "I agree to my data being processed as described in the Privacy Policy." Link to your policy.

MEDIUM: Contact details for data requests

GDPR gives users the right to request deletion or access to their data. You must provide a way for them to contact you. A real email address is sufficient for most small sites.

Fix

Add a contact email to your footer, contact page, or privacy policy.
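The five checks above, turned into a static audit over a page's HTML. This is an added illustration, not the post's scanner or any real tool; the tracker host list, the "privacy" link heuristic and the sample page are assumptions.

```python
from html.parser import HTMLParser

# Hosts whose scripts set non-essential cookies; a static <script src> to them runs before any consent.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")

class _Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers, self.forms, self.links = [], [], []
        self._form = None  # the <form> currently open, if any
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and any(h in (a.get("src") or "") for h in TRACKER_HOSTS):
            self.trackers.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "email": False, "box": None}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type") == "email":
            self._form["email"] = True  # this form collects personal data
        elif tag == "input" and self._form is not None and a.get("type") == "checkbox":
            self._form["box"] = "checked" in a  # True means the box is pre-ticked
        elif tag == "a":
            self.links.append(a.get("href") or "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(html, page_url):
    """Return (severity, finding) tuples for the five checks; an empty list means all passed."""
    p = _Audit()
    p.feed(html)
    out = [] if page_url.startswith("https://") else [("CRITICAL", "page not served over HTTPS")]
    if not any("privacy" in h.lower() for h in p.links):
        out.append(("CRITICAL", "no link to a privacy policy page"))
    out += [("CRITICAL", f"tracker loaded before consent: {s}") for s in p.trackers]
    for f in p.forms:
        if f["action"].startswith("http://"):
            out.append(("CRITICAL", f"form posts over plain HTTP: {f['action']}"))
        if f["email"] and f["box"] is None:
            out.append(("HIGH", "email form has no consent checkbox"))
        elif f["email"] and f["box"]:
            out.append(("HIGH", "consent checkbox is pre-ticked"))
    if not any(h.startswith("mailto:") for h in p.links):
        out.append(("MEDIUM", "no mailto: contact for access/deletion requests"))
    return out

# Constructed sample page (not a real site) that trips every one of the five checks.
SAMPLE_HTML = """<html><body><script src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>
<form action="http://example.com/subscribe"><input type="email" name="email">
<input type="checkbox" name="consent" checked> I agree</form><a href="/about">About</a></body></html>"""
```

Calling `audit(SAMPLE_HTML, "https://example.com/")` yields three CRITICAL, one HIGH and one MEDIUM finding; a static check like this cannot see scripts injected only after consent, so a page that gates its trackers in JavaScript will correctly produce no tracker finding.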

What you probably don't need

  • A Data Protection Officer (DPO) — only required for large-scale or special category processing
  • Data Protection Impact Assessments (DPIAs) — only for high-risk processing
  • Formal Records of Processing Activities (Article 30) — exempt if <250 employees and processing is occasional
  • Cross-border transfer mechanisms — only if you are sending EU user data to non-adequate countries

Frequently asked questions

Does GDPR apply to sole traders and freelancers?

Yes. GDPR applies to any entity that processes personal data of EU residents — including sole traders, freelancers, and one-person businesses. The exemptions are very narrow.

Does GDPR apply if my business is outside the EU?

Yes, if you have EU visitors or customers. GDPR has extraterritorial scope under Article 3. Any website accessible to EU residents that targets EU users or monitors their behaviour is covered.

Is there a "small business exemption" in GDPR?

There is a limited exemption from keeping formal Records of Processing Activities (Article 30) for companies with fewer than 250 employees — but only if processing is occasional and low-risk. The core obligations (privacy policy, consent, security) still apply to everyone.

What are the fines for small businesses?

GDPR fines are proportional. Regulators consider company size, revenue, and severity of the violation. Small businesses rarely face the headline million-euro fines, but enforcement is increasing. The CNIL, ICO, and other DPAs regularly fine SMEs thousands of euros.

Do I need a Data Protection Officer (DPO)?

Only if you process data at large scale, process special category data (health, biometrics, etc.) systematically, or are a public authority. Most small websites do not need a DPO.

Check your site now — free

Paste your URL and get a scored GDPR compliance report in 30 seconds. No account required.

Run a free GDPR scan