GDPR for Small Businesses: Compliance Guide for SMEs (2026)

The GDPR applies to every small business that processes personal data of individuals in the EU, with no blanket exemption based on size. Article 30(5) provides a narrow records derogation for organisations under 250 employees, but only if processing is occasional, low-risk, and excludes special-category data. Most small businesses cannot meet all three conditions.
The GDPR applies to every organisation that processes personal data of people in the European Union: a sole trader in Vienna, a ten-employee e-commerce shop in Warsaw, and a US-based SaaS startup with European customers are all subject to it. Size does not determine applicability.
That said, the GDPR is not a one-size-fits-all regulation. Several provisions are calibrated to the nature and scale of processing rather than to headcount alone, and the EU has recently proposed further reductions in administrative burden for smaller organisations. Understanding which obligations are full, which are reduced, and which are currently being reformed is the practical starting point for any small business.
This guide covers what applies to your SME, the Article 30(5) records derogation and its real limits, the DPO question, the November 2025 Digital Omnibus proposal, sector-specific examples, practical low-cost steps, and recent enforcement that small businesses should know about. For the foundational overview of the regulation, see What Is GDPR.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
Does the GDPR Apply to Your Small Business?
The short answer is almost certainly yes, if you handle any personal data connected to EU individuals.
The European Commission is direct on this point: GDPR applicability turns on the nature of your activities, not your company's size or location. Under Article 3 of the regulation, the GDPR applies if any of the following is true:
- You are established in the EU and process personal data in the course of your activities, regardless of where the processing takes place.
- You are established outside the EU but offer goods or services to individuals in the EU, including a free app, a website that accepts EU orders, or a newsletter directed at EU readers.
- You are established outside the EU but monitor the behaviour of EU individuals, for example through website analytics, advertising pixels, or location tracking.
What Counts as Personal Data for a Small Business?
Most small businesses handle more personal data than they realise. Common processing activities that bring GDPR obligations include:
- Customer names, email addresses, postal addresses, and purchase history
- Employee and contractor records: payroll data, HR files, performance notes, and CVs from applicants
- Website cookies, analytics, and behavioural advertising pixels
- Email marketing subscriber lists
- CCTV and security camera footage covering individuals in or near your premises
- Online booking and reservation systems
- Payment records (even if payment processing is handled by a third party)
- Social media advertising targeted at EU users
Processing any of these in connection with EU individuals brings your business under the GDPR in full.

The Article 30(5) Records Derogation: What It Actually Covers
Article 30 of the GDPR requires controllers and processors to maintain records of processing activities. Article 30(5) provides a partial derogation for smaller organisations:
"The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
In plain terms: an organisation with fewer than 250 employees is exempt from mandatory record-keeping only if all three of the following are true simultaneously:
- The processing is unlikely to result in a risk to individuals' rights and freedoms.
- The processing is occasional: not routine or systematic.
- The processing does not include special-category data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) or data about criminal convictions.
The EDPB's position paper on the Article 30(5) derogation confirms this is a narrow exemption. Processing customer records, managing a payroll, running an email marketing list, or operating a website with analytics all fail the "occasional" test. These are recurring, systematic activities: the derogation does not apply to them.
The Practical Reality
The exemption was intended for genuinely one-off processing, such as a small organisation that occasionally processes a one-time event attendee list and does nothing else with personal data regularly. In practice, almost no operating business qualifies fully.
The recommendation is the same regardless of the technical derogation: keep records of processing activities. They are your evidence of accountability, your reference when supervisory authorities inquire, and your tool for managing data subject requests. A simple spreadsheet covering what data you process, why, where it is stored, who has access, and how long you keep it is sufficient for most small businesses.
When a Small Business Needs a Data Protection Officer
The DPO requirement under Article 37 is not linked to employee count. It is triggered by the nature and scale of your core processing activities. A DPO is mandatory in three situations:
- The organisation is a public authority or public body (not applicable to most small businesses).
- The core activities of the organisation require regular and systematic monitoring of individuals on a large scale, for example, a business whose primary product is behavioural advertising technology or large-scale user surveillance.
- The core activities involve large-scale processing of special-category data (health, biometrics, sexual orientation, etc.) or personal data relating to criminal convictions.
The EDPB's SME guide on DPOs is explicit: a small organisation is unlikely to need a data protection officer. A local retail shop, a small marketing agency, a ten-person software company, or a two-partner law firm does not meet these criteria.
Sector Nuances
Some SMEs operate in sectors where the DPO question is less clear:
- Small clinic or medical practice: Processing patient health data is special-category processing under Article 9. Whether it is "large scale" depends on volume and context. A two-doctor practice treating a local patient population is generally not large scale. A regional chain of clinics with tens of thousands of patient records is a closer question. Many EU member states have issued sector-specific guidance for healthcare providers.
- HR software startup: If your product systematically processes employee data for large client organisations, your own core activities may involve large-scale processing of special-category data. Seek specific advice.
- Marketing agency: Profiling and behavioural targeting at scale for clients may bring you closer to the systematic monitoring threshold than a typical SME.
Voluntary Appointment
You can appoint a DPO voluntarily even when not required. If you do, the full GDPR rules on DPO independence, resources, tasks, and protection from dismissal apply automatically. Many small businesses find it more practical to designate a privacy lead internally (a named person responsible for data protection who handles queries and requests) without using the formal DPO title.

The November 2025 Digital Omnibus: Proposed SME Simplification
On 19 November 2025, the European Commission published its Digital Omnibus package, a set of targeted amendments to the GDPR, the ePrivacy Directive, the Data Act, the NIS2 Directive, and the AI Act. The package is part of the Commission's broader competitiveness agenda to reduce regulatory burden on European businesses, with SMEs identified as a particular priority.
What the Commission Proposed for GDPR Article 30(5)
The Commission's proposal would make two significant changes to the records derogation:
- Raise the employee threshold from fewer than 250 to fewer than 750 employees, extending relief to a category the Commission calls "small mid-cap companies" (SMCs).
- Restructure the conditions: instead of the three current disqualifying factors (risk, not occasional, special-category data), the derogation would apply unless the processing is "likely to result in a high risk" within the meaning of Article 35 (the DPIA threshold). The proposal removes references to "occasional processing" and to special-category data as standalone disqualifying factors.
The EU Council's Position (September 2025)
Before the Commission's November publication, the EU Council circulated an even broader position in September 2025: organisations with fewer than 1,000 employees that carry out high-risk processing would only need to maintain records of those specific processing activities that are likely to result in high risk, not a complete record of all processing.
EDPB and EDPS Response
The EDPB and the EDPS welcomed the simplification in their joint statement, supporting the general objective of reducing administrative burden for SMEs. They noted that the proposal is targeted and limited, and they requested further clarifications on the interaction with accountability obligations. Critically, they emphasised that other obligations (including transparency, legal basis, data subject rights, and security) remain fully applicable regardless of record-keeping simplifications.
Current Status: Active Negotiation, Not Yet Law
As of May 2026, the Digital Omnibus GDPR amendments are in active negotiation between the European Parliament and the Council under the legislative train schedule. Trilogue discussions are expected to continue through 2026. Until final adoption, and until any transition period has run, the current Article 30(5) text (the 250-employee threshold with three disqualifying conditions) remains the applicable law.
Do not adjust your compliance approach based on the proposed changes. Continue operating under the current rules until the amendments are formally adopted and in force.
Core Obligations That Apply to All Small Businesses in Full
While certain administrative obligations are calibrated to scale, the following GDPR requirements apply without reduction to every organisation of any size.
1. Lawful Basis for Every Processing Activity
Every processing activity requires a documented legal basis under Article 6. The three bases most relevant to small businesses are:
- Contractual necessity (Article 6(1)(b)): Processing needed to perform a contract with the individual, for example, processing a delivery address to ship an order, or processing salary data to pay an employee.
- Legitimate interests (Article 6(1)(f)): A genuine, proportionate business interest that does not override the individual's rights, for example, basic direct marketing to existing customers, fraud prevention, or network security. Requires a documented legitimate interests assessment.
- Consent (Article 6(1)(a)): The individual freely opts in for a specific, clearly stated purpose. Consent is revocable and creates ongoing management obligations. It is often over-used by small businesses where another basis would be simpler and more durable.
For a full treatment of when consent is and is not the appropriate basis, see GDPR Consent Requirements.
2. Privacy Notices
Every individual whose data you collect must be informed at the point of collection about: who you are, what data you collect, why, the legal basis, how long you retain it, who you share it with, and their rights. This applies to your website, your in-store forms, your employment paperwork, and any other data collection point.
A privacy notice does not need to be long. It needs to be clear, accessible, and complete. The EDPB's practical resources section provides free templates.
3. Data Subject Rights
The GDPR's eight individual rights apply to all organisations. Small businesses must:
- Have a clear, accessible way for individuals to submit requests (email is sufficient).
- Identify and respond to requests within one calendar month (extendable by two months for complex requests, with notice to the requester).
- Provide the first copy of personal data free of charge in response to an access request.
- Process deletion, correction, objection, and portability requests appropriately and document responses.
A Romanian company was fined €15,000 specifically for not responding to an access request for three months and then providing incomplete information. This is the type of enforcement that catches small businesses.
4. Technical and Organisational Security Measures
Article 32 requires appropriate security measures proportionate to the risk and the nature of the data. Proportionality means what is appropriate for a two-person accountancy firm differs from what is appropriate for a 200-employee healthcare provider, but both must have something in place.
Practical baseline measures for small businesses:
- Enable multi-factor authentication on all business accounts (email, cloud storage, accounting software).
- Use a password manager and enforce strong unique passwords.
- Encrypt laptops, external drives, and mobile devices that contain personal data.
- Limit access to personal data to staff members who genuinely need it for their role.
- Apply software and operating system updates promptly.
- Maintain regular tested backups stored separately from the primary data.
- Have a written policy on how to handle personal data and ensure staff understand it.
- Lock physical files containing personal information.
5. Data Breach Notification
If a personal data breach occurs and it is likely to result in a risk to individuals, you must notify your supervisory authority within 72 hours of becoming aware. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly. See GDPR Data Breach Notification: 72-Hour Rule for the full procedure.
A common small business mistake is assuming only large-scale hacks qualify as breaches. A stolen laptop with unencrypted customer data, an email sent to the wrong recipient containing sensitive information, or a ransomware attack on a shared drive all constitute data breaches that may require notification.
6. Data Processing Agreements with Vendors
Under Article 28, whenever you share personal data with a third party that processes it on your behalf (cloud hosting providers, email marketing platforms, payroll services, accounting software, payment processors, website analytics tools), you need a data processing agreement in place. Most major providers now include GDPR-compliant DPAs in their standard terms of service or offer them on request. Review them and confirm they are in place.

GDPR in Practice: Three Sector Examples
A Small E-Commerce Shop (10 Employees)
A 10-person online retailer selling clothing to EU customers processes customer names, addresses, email addresses, and purchase history daily. Their processing is not occasional; it is central to every transaction.
Key obligations: legal basis for order processing (contractual necessity), separate basis for marketing emails (consent or legitimate interests), cookie consent banner for analytics and advertising pixels, privacy notice on the website, data processing agreements with the payment processor and email platform, and a clear process for handling access and deletion requests.
The Article 30(5) derogation does not apply because the processing is not occasional. The retailer should maintain a records spreadsheet. No DPO is required. A designated staff member handles rights requests.
A Local Clinic or GP Practice (5 Staff)
A small medical practice processes patient health data daily. Health data is special-category data under Article 9, requiring a legal basis under both Article 6 and Article 9(2). The appropriate Article 9 basis for a healthcare provider treating patients is typically Article 9(2)(h): medical diagnosis and treatment.
The Article 30(5) derogation does not apply because the processing involves special-category data (health records). The practice must maintain full records of processing. Whether a DPO is required depends on whether the processing is "large scale" in context; most EU data protection authorities view a small local practice as not meeting the large-scale threshold, though member-state guidance varies.
Key additional obligations: strict access controls on patient records, security measures appropriate to sensitive health data, data sharing agreements with any third-party systems used (lab results, appointment platforms), and careful handling of any patient communications by email.
A Small Digital Marketing Agency (15 Employees)
A marketing agency that runs campaigns and processes EU consumer data on behalf of clients sits in a more complex position. The agency acts as both controller (for its own staff data and business contacts) and processor (when handling client data on the client's behalf).
As a processor, the agency must: sign data processing agreements with every client that specifies the nature, purpose, and duration of processing; implement appropriate security measures as instructed by the controller; notify clients promptly of any breach; and not engage sub-processors without the client's authorisation.
For behavioural advertising campaigns using tracking pixels and cookies, GDPR consent requirements for cookies apply. The agency should also be aware that using Google Ads requires Consent Mode v2 implementation as of March 2024 to communicate user consent choices correctly.
Common SME Compliance Mistakes
Assuming Size Creates an Exemption
"We are a small company" is not a legal defence under the GDPR. Supervisory authorities have fined sole traders and micro-businesses for basic violations. Fines apply proportionately, but they apply.
Over-Using Consent as a Legal Basis
Many small businesses add a consent checkbox to every form because it seems safe. In practice, consent is often the wrong basis: it creates revocation rights that are complex to manage, and it should only be used where the individual has a genuine free choice. Where you can rely on contractual necessity or legitimate interests, those bases are often more practical and durable.
Invalid Cookie Consent
Stating "by using this site you accept cookies" in a footer notice is not valid GDPR consent. Consent for non-essential cookies requires a clear opt-in mechanism that allows users to accept or reject cookies before they are set. Pre-ticked boxes and implied consent are non-compliant.
No Data Retention Policy
The storage limitation principle under Article 5(1)(e) requires that personal data not be kept longer than necessary. Keeping customer records indefinitely, or never deleting former employee files, is a breach of this principle. Define retention periods for each category of data and implement a process to delete data when those periods expire.
Forgetting Employee Data
GDPR applies equally to staff data as to customer data. Employee records, salary information, disciplinary files, and CVs submitted by job applicants all require the same protections. Many small businesses focus compliance efforts on customer data and neglect their HR obligations entirely.
No Breach Response Plan
Without a plan, a breach is likely to exceed the 72-hour notification deadline while staff work out what to do. A basic written procedure covering how to detect a breach, how to assess its severity, who is responsible for notification, and how to contain and document it costs nothing to create and can prevent a fine.
Missing Vendor DPAs
Using cloud storage, email marketing tools, or payroll software without reviewing whether a data processing agreement is in place is a common gap. It is also a straightforward enforcement target for supervisory authorities because it is easy to demonstrate as a missing document.
Low-Cost Compliance Steps for Small Businesses
Compliance does not require large budgets or specialist software. The following six steps address the highest-priority GDPR requirements at minimal cost.
Step 1: Data inventory (free): List every type of personal data you process: what it is, whose it is, why you hold it, where it is stored, who can access it, and how long you keep it. A spreadsheet is sufficient. Update it whenever you introduce a new tool or process.
Step 2: Privacy notice (free): Write a plain-language privacy notice covering all required Article 13 and 14 information. Publish it on your website and make it available at every data collection point. Use the EDPB's free templates as a starting point.
Step 3: Cookie consent (free to low cost): If your website uses non-essential cookies (analytics, advertising, social media buttons), implement a compliant opt-in banner. Several free and low-cost tools provide GDPR-compliant consent management.
Step 4: Vendor DPA review (free): Go through your list of service providers and confirm that a data processing agreement is in place with each one that handles personal data on your behalf. Most major providers offer DPAs in their terms or on request.
Step 5: Basic security (free to low cost): Enable multi-factor authentication on all business accounts. Deploy a password manager. Encrypt your devices. Keep software updated. These measures are mostly free and address the most common breach vectors for small businesses.
Step 6: Rights request and breach response procedures (free): Designate a named contact for data subject requests. Create a simple log to track requests, their type, date received, and date resolved. Write a one-page breach response checklist covering the 72-hour notification requirement.
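The one-calendar-month deadline from section 3 and the request log from Step 6, worked through as an added example that is not part of the original guide. It assumes the day-of-month convention for "one month" (the deadline falls on the same day in the following month, or the last day of that month if that day does not exist, so 31 January becomes 28 or 29 February) and that the two-month extension makes three months in total from receipt; the names and dates in the sample log are constructed.

```python
"""Data subject request log with GDPR response-deadline tracking (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# The eight individual rights named in the guide, used to validate log entries.
REQUEST_TYPES = frozenset({
    "information", "access", "rectification", "erasure",
    "restriction", "portability", "objection", "automated-decision",
})


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's last day.

    Assumed convention: 31 January + 1 month -> 28 February (29 in a leap year).
    """
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class Request:
    """One row of the request log: who asked, which right, when, and the outcome."""
    requester: str
    kind: str
    received: date
    extended: bool = False          # two-month extension used, requester notified
    resolved: date | None = None

    def __post_init__(self) -> None:
        if self.kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.kind}")

    def deadline(self) -> date:
        # One month from receipt, or three months in total when the extension
        # for complex requests is used (assumed reading of the extension).
        return add_months(self.received, 3 if self.extended else 1)

    def status(self, today: date) -> str:
        """open / overdue for unresolved requests, closed / late for resolved ones."""
        if self.resolved is not None:
            return "late" if self.resolved > self.deadline() else "closed"
        return "overdue" if today > self.deadline() else "open"


def triage(log: Iterable[Request], today: date) -> dict[str, list[str]]:
    """Group requester names by status so the privacy lead sees what needs action."""
    buckets: dict[str, list[str]] = {"open": [], "overdue": [], "closed": [], "late": []}
    for req in log:
        buckets[req.status(today)].append(req.requester)
    return buckets


# Constructed sample log: fictitious requesters and dates.
SAMPLE_LOG = [
    Request("A. Example", "access", date(2026, 1, 31)),                      # due 28 Feb
    Request("B. Example", "erasure", date(2026, 2, 10), resolved=date(2026, 3, 2)),
    Request("C. Example", "portability", date(2026, 2, 20), extended=True),  # due 20 May
    Request("D. Example", "objection", date(2026, 3, 1), resolved=date(2026, 4, 15)),
]

if __name__ == "__main__":
    today = date(2026, 4, 20)
    for req in SAMPLE_LOG:
        print(f"{req.requester:12} {req.kind:12} received {req.received} "
              f"due {req.deadline()} -> {req.status(today)}")
    print(triage(SAMPLE_LOG, today))
```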
GDPR Obligation Summary for SMEs
| Obligation | Applies to SMEs? | Notes |
|---|---|---|
| Legal basis for processing | Yes | Document for each activity |
| Privacy notice | Yes | Clear and accessible |
| Data subject rights (8 rights) | Yes | One-month response deadline |
| Records of processing (Article 30) | Usually yes | Derogation is narrow; keep records anyway |
| Security measures (Article 32) | Yes | Proportionate to risk |
| Breach notification (72 hours) | Yes | If breach poses risk to individuals |
| DPO appointment | Rarely | Most SMEs do not need one |
| DPIA | Sometimes | Only for high-risk processing |
| Data processing agreements | Yes | With every processor handling your data |
| International transfer mechanisms | Yes | If sending data outside the EU/EEA |
| Cookie consent | Yes | For non-essential cookies |
Free Official Resources for Small Businesses
EDPB Data Protection Guide for Small Business: The EDPB's SME guide is the most comprehensive free official resource. It covers all major GDPR topics with videos, interactive flowcharts, infographics, and practical examples. The practical resources section includes downloadable templates for records of processing, privacy notices, consent forms, and data processing agreements. Available in 17 EU languages as of 2024.
ICO Advice for Small Organisations: The UK's Information Commissioner's Office provides guidance specifically for small and medium organisations and a data protection self-assessment tool that generates a tailored action plan.
Your Europe Business Portal: The Your Europe portal provides GDPR guidance in all EU official languages for businesses operating across the single market.
National Supervisory Authorities: Each EU member state's DPA publishes its own SME resources. The Irish DPC, the French CNIL, the Dutch AP, and the German state DPAs all offer free toolkits and helplines for small businesses in their jurisdictions.
What Changes Under the Proposed Digital Omnibus (When Enacted)
If the Digital Omnibus amendments are adopted as proposed, the practical changes for SMEs would be:
- Organisations with fewer than 750 employees would no longer need to maintain records of processing activities unless the processing is likely to result in a high risk (the DPIA threshold under Article 35).
- Routine low-risk processing (customer email lists, staff records, online bookings) would no longer need to be formally documented by these organisations.
- All other obligations remain unchanged: legal basis, privacy notices, data subject rights, security, breach notification, and vendor contracts continue to apply in full.
The simplification is real but limited. The vast majority of your compliance obligations are unaffected. Continue current compliance practices and monitor the legislative progress before making any changes.
Related GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Consent Requirements for valid consent standards and when consent is and is not the right basis
- GDPR Data Subject Rights for all eight individual rights
- GDPR Fines and Penalties for enforcement data and penalty calculation
- GDPR Breach Notification 72-Hour Rule for breach reporting procedure
- EU Cookie Law (ePrivacy Directive) for cookie consent requirements
- EU Data Privacy Laws for the complete EU data protection hub
Frequently Asked Questions
Does the GDPR apply to small businesses?
Yes. The GDPR applies to any organisation that processes personal data of individuals in the EU, regardless of size. A sole trader, a startup, and a 200-employee company are all subject to it if they handle EU personal data. There is no blanket small-business exemption. Compliance obligations are calibrated to the nature and risk of your processing activities, not your headcount.
Do small businesses need a Data Protection Officer?
Most do not. A DPO is mandatory under Article 37 only for public authorities, organisations whose core activities require regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special-category data (health, biometric, genetic, etc.). A typical small retail, service, or technology business does not meet these criteria. Voluntary appointment is possible, but the full GDPR rules on DPO independence and protection then apply.
Are small businesses exempt from GDPR record-keeping?
The Article 30(5) derogation for organisations with fewer than 250 employees is narrower than many assume. The exemption only applies if all three conditions are met simultaneously: the processing is occasional, it poses no risk to individuals, and it involves no special-category data. Most small businesses process customer or employee data regularly, which means they fail the occasional test and must still maintain records. The recommendation is to keep records regardless as a matter of good practice.
What is the GDPR Digital Omnibus and does it help small businesses?
The Digital Omnibus is a package of targeted GDPR amendments published by the European Commission on 19 November 2025. It proposes expanding the records derogation from organisations under 250 employees to those under 750 employees, and limiting mandatory records to high-risk processing only. The EDPB and EDPS welcomed the simplification. As of May 2026, the proposal is in trilogue negotiation and has not been enacted. The current 250-employee threshold and three-condition test remains the law until the amendments are formally adopted.
Can a small business be fined under the GDPR?
Yes. GDPR fines apply to organisations of all sizes based on the severity of the violation. Supervisory authorities must ensure fines are effective, proportionate, and dissuasive, meaning a small business would typically receive a lower absolute fine than a multinational, but penalties can still be significant. Fines reach up to EUR 20 million or 4% of global annual turnover for serious violations. Documented cases include fines against small healthcare providers for conditioning medical care on marketing consent, and against small businesses for ignoring access requests.
What are the most important GDPR steps for a small business?
Start with six priorities: (1) create a data inventory listing all personal data you process and why; (2) write and publish a clear privacy notice; (3) ensure you have a documented legal basis for each processing activity; (4) implement basic security measures including multi-factor authentication and device encryption; (5) have a simple process for handling data subject rights requests within one month; and (6) confirm that data processing agreements are in place with all vendors that handle personal data on your behalf.
Does GDPR apply to a business outside the EU that sells to EU customers?
Yes. Under Article 3(2), the GDPR applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. A US-based online store with EU customers, a Canadian SaaS provider with EU users, and a UK business serving EU clients post-Brexit must all comply. Brexit means UK businesses serving EU customers are subject to the EU GDPR for their EU operations, plus the separate UK GDPR for their UK operations.
Do I need a cookie consent banner on my website?
If your website uses non-essential cookies (including analytics cookies, advertising pixels, social media buttons, or any tracking technology), you need a compliant consent mechanism. Valid consent requires an active opt-in before non-essential cookies are set, an equally easy option to reject them, and no pre-ticked boxes. Simply noting that your site uses cookies in a footer is not sufficient. See the EU Cookie Law guide for the full requirements.
Sources and References
- GDPR Full Text — Regulation (EU) 2016/679 (eur-lex.europa.eu)
- European Commission — Do the GDPR Rules Apply to SMEs? (commission.europa.eu)
- EDPB Data Protection Guide for Small Business (edpb.europa.eu)
- EDPB — Practical Resources for SMEs (Templates and Tools) (edpb.europa.eu)
- EDPB SME Guide — Data Protection Officer (edpb.europa.eu)
- EDPB — Position Paper on Article 30(5) Derogation (edpb.europa.eu)
- EDPB/EDPS — Welcome Simplification of Record-Keeping (2025) (edpb.europa.eu)
- European Commission — Does My Organisation Need a DPO? (commission.europa.eu)
- European Commission — GDPR Omnibus Simplification Proposal (November 2025) (commission.europa.eu)
- Your Europe — Data Protection Under GDPR (europa.eu)
- ICO — Advice for Small Organisations (ico.org.uk)
- ICO — Who Needs to Document Processing Activities? (ico.org.uk)
- ICO — Data Protection Self-Assessment for Small Businesses (ico.org.uk)
- ICO — Marketing and Data Protection in Detail (ico.org.uk)
- EDPB — FAQ for SMEs (edpb.europa.eu)
- European Parliament Legislative Train — Digital Package (europarl.europa.eu)
- GDPR-Info.eu — Article 30 Records of Processing Activities (gdpr-info.eu)