GDPR For Small Businesses: A Quick Guide For 2025

Pansy

Dec 29, 2024
The EU market is a goldmine for small businesses, with a massive and diverse customer base waiting to be reached. But with great opportunity comes GDPR compliance.

Here's the good news: many have crossed this hurdle before you. The key is understanding what data you collect, how you use it, and how to give your customers control over what happens to their information.

Charlotte Mason, UK Head of Legal at Prighter, put it this way in a webinar with Sprinto:

"If you are a controller or processor targeting goods and services to individuals in the EU or monitoring their behavior within the EU, even with no office or branch there, you are still subject to GDPR requirements."

In this article, we look at the principles of GDPR and walk you through the steps a small business needs to take to achieve GDPR compliance.

TL;DR

GDPR exempts small businesses from its record-keeping requirements for data processing, subject to a few criteria.

GDPR requirements include processing data on a lawful basis, privacy by design and by default, data security, accountability and governance, and the privacy rights of data subjects.

This guide's 12-step checklist covers identifying and updating privacy notices, cookie consent, privacy policies, appointing a DPO, conducting a DPIA, and more.

Is your business exempt from GDPR?

The GDPR small business exemption applies to companies with fewer than 250 employees. Such companies don't have to keep a written record of their data processing. However, there are exceptions to this exemption, which we discuss in the following sections.

What is GDPR?

GDPR (General Data Protection Regulation) is a privacy and security law that protects the personal information of individuals in the EU (European Union). It gives customers the right to hold companies accountable for how their data is processed.

GDPR applies to all companies, small ones included (irrespective of size, industry, and location), that collect, process, or store personally identifiable information (PII) of individuals in the EU. For small companies, however, there are a few exceptions, such as the record-keeping and DPO requirements.

Here are some common GDPR definitions you must know:

  • Data Subject: The individual whose personal data is being processed.
  • PII (Personally Identifiable Information): Any information relating to a living individual who can be identified from that data (e.g., name, email address, IP address).
  • Controller: The organization that determines the purposes and means of processing personal data.
  • Processor: An organization that processes personal data on behalf of the controller.
  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure).
  • Lawful Basis: A legitimate reason for processing personal data under GDPR (e.g., consent, contract, legal obligation).
  • Data Protection Officer (DPO): A person appointed by a controller or processor to oversee compliance with GDPR.
  • Data Protection Impact Assessment (DPIA): A process to identify and mitigate risks to data subjects' privacy.
  • Subject Access Request (SAR): A data subject's request to access the personal data a controller holds about them.
  • Right to Erasure: A data subject's right to have their personal data deleted.
  • Privacy Notice: A document that informs data subjects about how their personal data is collected and used.

Does GDPR apply to small businesses? Exemption rules

The GDPR does not bend the rules for small companies except in two instances: the record-keeping exemption in Article 30(5) and the requirement to appoint a DPO.

Article 30(5), GDPR

Article 30(1) and 30(2) require all controllers and processors to maintain a written record of their data processing activities and to produce it on request. The record should contain:

  • Controller information.
  • Purpose of the processing.
  • Types of data subjects and categories of personal data.
  • Categories of recipients of personal data, including third countries or international organizations.
  • Details of any data transfers to third countries.
  • Time limits for data erasure.
  • A general description of security measures as per Article 32(1).

Article 30(5) of GDPR exempts businesses with fewer than 250 employees from the record-keeping obligations in paragraphs 1 and 2. However, the exemption does not apply if the processing:

  • Is likely to result in a risk to the rights and freedoms of data subjects.
  • Is not occasional (regular or systematic processing must still be recorded).
  • Includes special categories of data such as race, political views, religion, union membership, genetic and biometric identifiers, health information, and details about sexual orientation or activities.
  • Involves personal data relating to criminal convictions or penalties.

The European Commission also mentions that small businesses only need to appoint a Data Protection Officer if their main business involves processing data that poses specific risks to individuals’ rights and freedoms. Examples include large-scale monitoring or handling of sensitive data or criminal records.

5 requirements for GDPR for small businesses

Small businesses are required to comply with all 99 articles of GDPR. To make things easier, here is an overall breakdown of them in five key requirements.

1. Processing with lawful basis & transparency

GDPR expects small businesses to analyze the information they collect to determine what kind of data they are processing, who has access to it, and what risks the processing creates. The recommended way to do this is a Data Protection Impact Assessment (DPIA).

Furthermore, Articles 6 to 11 of GDPR require a legal justification for why you collect data and how you process it. This should be reflected in your privacy policy. If your legal basis is consent, the consent must meet the following conditions:

  • Controllers must prove that data subjects consented to their personal data processing.
  • Consent requests must be clearly distinguishable from other matters, using plain language. 
  • Data subjects can withdraw consent at any time.
  • Consent must not be a condition for contract fulfillment or service provision unless necessary for that purpose.

Note: A checklist version of these requirements makes it easier to see where you stand against each of them.

2. Data privacy by design

Article 25 of GDPR mandates ‘data protection by design and by default’.

Data protection by design means controllers must implement appropriate technical and organizational measures, considering current technology, costs, and processing risks, to protect data subjects’ rights. This includes methods like pseudonymization and data minimization.

Data protection by default means that only the personal data necessary for each specific purpose is processed. This includes limiting what is collected, how it is processed, how long it is stored, and who can access it.

Compliance with these requirements can be demonstrated through an approved certification mechanism (Article 42).
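As an added illustration (not code from the original article), the following Python sketch shows the two Article 25 techniques the paragraphs above name: a per-purpose field allow-list for data minimisation, and keyed pseudonymisation where the HMAC key is the "additional information" kept separately from the data. The customer record, purposes and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample customer record; not real personal data.
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "ip_address": "203.0.113.42",
    "order_total_eur": 49.90,
    "country": "DE",
}

# Data protection by default: each declared purpose may use only the
# fields listed here. Anything not listed never leaves the source system.
PURPOSE_FIELDS = {
    "sales_analytics": {"customer_id", "order_total_eur", "country"},
    "order_fulfilment": {"customer_id", "name", "email", "country"},
}


def minimize(record: dict, purpose: str) -> dict:
    """Return only the fields the stated purpose needs.

    An undeclared purpose raises KeyError deliberately: with no recorded
    purpose there is no basis for handing over any field at all.
    """
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym for an identifier.

    Same key and value always give the same pseudonym, so analytics can
    still count distinct customers, but without the key the pseudonym
    cannot be reversed or regenerated. The key must be stored separately.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Minimise the record for one purpose, then pseudonymise its identifier."""
    out = minimize(record, purpose)
    if "customer_id" in out:
        out["customer_id"] = pseudonymize(out["customer_id"], key)
    return out


def relink(pseudonym: str, known_ids: list, key: bytes) -> Optional[str]:
    """Controller-side re-identification, e.g. to honour an erasure request.

    Only the key holder can do this; a party with the dataset alone cannot
    compute the HMAC and therefore cannot match any candidate identifier.
    """
    for cid in known_ids:
        if hmac.compare_digest(pseudonymize(cid, key), pseudonym):
            return cid
    return None
```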

3. Data security

The GDPR requires businesses to use end-to-end encryption when using products or services for cloud storage, communication, or documentation. Pair these technical controls with operational security: written policies and regular security awareness training.

Employees must be equipped with, and trained in, data protection measures such as password management, VPNs, multi-factor authentication (MFA), and device encryption.

The regulation also requires an incident response plan that includes notifying the supervisory authority of a breach within 72 hours. If the breach affects data subjects, they must be notified as well.

4. Accountability and governance

Accountability is part of data protection by default under GDPR for small businesses. The organization must appoint someone who is accountable for evaluating and implementing its data protection policies. That person can be an appointed representative or a Data Protection Officer (DPO).

A DPO's job includes monitoring GDPR compliance, assessing data protection risks, advising on impact assessments, and working with regulators.

In a webinar recording, Andreas (CEO) and Charlotte (Legal Head) at Prighter discuss governance trends for CISOs in 2024, focusing on the extraterritorial scope of GDPR.

Governance also includes having a data processing agreement with any third parties that have access to your data subjects' information.

5. Privacy rights for customers

Articles 12 to 23 of the GDPR set out the rights of data subjects:

  • Right to be informed: Data subjects must be given clear and concise information about how their personal data is processed, including the purpose and the entities involved.
  • Right of access: Data subjects have the right to access their personal data and obtain information about how it is being processed.
  • Right to rectification: Data subjects can request that inaccurate or outdated data be corrected.
  • Right to erasure: Also known as the "right to be forgotten," this allows data subjects to request the deletion of their personal data under certain conditions.
  • Right to restrict processing: Data subjects can request that the processing of their personal data be limited in specific situations.
  • Right to data portability: Data subjects can have their data transmitted to another controller in a structured, machine-readable format.
  • Right to object: Individuals can object to the processing of their personal data in situations such as profiling and direct marketing.
  • Rights concerning automated decision-making and profiling: Data subjects have the right not to be subject to decisions made solely by automated processes. They can ask for a human to review the decision and challenge the outcome.

The controller must respond to data subject requests within one month. If a request is complex or there are many requests, this period can be extended by a further two months.

GDPR compliance for small businesses: 12 steps to follow

GDPR compliance for small businesses can be completed within two to three weeks using a compliance automation platform. Despite the length of the regulation, it need not be a year-long task. Below is a guide with 12 steps on how to comply with GDPR as a small business.

Step 1: Raise awareness of GDPR: As a small company, you should find it easy to involve all employees in the compliance effort. Restrict data access and ensure that your third-party suppliers are compliant. Identify GDPR non-compliance risks and put formal data processing agreements in place with your suppliers.

Step 2: Record your data processing flows: Track how customer data flows through your company. Even if you have only a few departments, record and keep up to date the types of personal data, the processing methods, and who is responsible or accountable in each department.

Step 3: Address individuals' rights: Cover rights such as accessing, correcting, transferring, and deleting data, and objecting to direct marketing and automated decisions. This can be done through your existing customer portal. Your business should have a designated decision-maker for these tasks.

Note: As a small business, if you don't yet have a customer portal, consider creating one so individuals can exercise their rights.

Step 4: Handle subject access requests (SARs): Do not charge a fee in most cases, respond within one month, and assess whether a request is excessive. Explain any refusal clearly and promptly, and inform the individual of their right to complain to the supervisory authority or seek a judicial remedy.

What is a SAR?

A SAR, or Subject Access Request, is a request made by an individual to an organization to access the personal data the organization holds about them. It can be made in writing or verbally.

It need not be a formal request and can arrive through any channel, even social media or a direct email.

Step 5: Meet lawful EU data processing requirements: Refer to Article 6 of GDPR to ground your data processing purpose in one of the legal bases.

Step 6: Update cookie consent: GDPR requires cookie consent, even for small companies. Update your cookie consent banners with clear, easy-to-understand language, and include an opt-out button for users who do not wish to give consent.

Tip: Use automated cookie tools for audits and declarations to keep your policy current. For more detail, see our guide on GDPR Cookie Consent.

Step 7: Protect children's data: For children under 16 years (under 13 in the UK), parental consent must be obtained. It should be verifiable and communicated in child-friendly language.

Step 8: Manage data breaches: Perform a GDPR assessment to identify the data types that require breach notification. Under GDPR's data breach rules, cloud-hosted companies (however small) must inform the ICO of a breach within 72 hours of discovery. Individuals must be promptly notified if there is a significant risk to their rights.

Step 9: Practice privacy by design: Use GDPR-recommended pseudonymization or anonymization together with encryption of stored data. Regularly delete unused data, including backups. Implement two-factor authentication, TLS/SSL certificates, and secure password storage.

As a small company, even if you’re not collecting large volumes of data, regularly scan devices, systems, and networks for vulnerabilities.

Step 10: Assign a DPO: For cloud-hosted companies, especially those processing significant volumes of personal data, appointing an internal or external DPO is crucial for compliance. Ensure the DPO receives the necessary training on GDPR requirements and responsibilities.

Note: If you're a very small business, you may not be required to appoint a DPO. GDPR requires one if:

  • You are a public authority.
  • You perform large-scale, systematic monitoring of individuals.
  • You process special categories of data (e.g., health or criminal records) on a large scale.

Step 11: Choose a lead supervisory authority: If your company operates in more than one EU member state, or has a single EU establishment whose processing affects individuals in other member states, identify your lead supervisory authority and document how you determined it.

For a more detailed walkthrough of the steps above, see our GDPR Compliance Checklist.

Step 12 (bonus): Get your GDPR certification: Once you have completed the steps above, you can prepare for a GDPR audit. You can either do this manually (which can take months) or choose a compliance automation platform with an integrated audit dashboard.

Sprinto is a top choice for automating GDPR compliance for small businesses and for companies across a range of industries. It adapts to your existing cloud environment through its integrations and maps the necessary security controls to GDPR's requirements.

With Sprinto, Noosa took only 14 sessions to become GDPR compliant. Co-Founder Idan Deshe said:

"The results were immediate – whenever there was a misconfiguration, we could see it on the platform and fix it immediately."

Sprinto also has in-house auditors, which makes the process of getting certified easier. With automated evidence collection and rich reports, you can complete the audit in minimal time.

The easy way to GDPR with Sprinto

Complying with GDPR is not optional; it is a must if you fall under its scope. It can be extremely exacting, even for a very small company with no physical presence in the EU. Fines can reach up to 4% of global turnover or 20 million euros, whichever is greater, so the cost of non-compliance is far greater than the cost of complying.

In fact, implementation costs for GDPR can range from $20,500 to $102,500, before taking audit costs into account.

Sprinto, on the other hand, can help you cut your GDPR compliance costs by 60%. And that's not all: with Sprinto's common control approach, several companies have also achieved ISO 27001 and ISO 27701 certifications in record time.

Want to take the first step? See Sprinto in action

Frequently asked questions

1. What are the penalties for not complying with GDPR?

Penalties for GDPR non-compliance vary based on severity:

  • Level-one fines can reach up to €10 million or 2% of the company's global annual revenue, whichever is higher.
  • Level-two fines can reach up to €20 million or 4% of the company's global annual revenue, whichever is higher. These penalties underscore the seriousness of adhering to GDPR.

2. What is the minimum company size for GDPR?

GDPR does not specify a minimum company size. It applies to all organizations, including small and medium-sized enterprises (SMEs), that handle the personal data of individuals in the EU, irrespective of their size or turnover.

3. Who is exempt from GDPR?

Exemptions from GDPR include activities performed by individuals for purely personal or household purposes. It also exempts data processing for law enforcement, national security, and certain public authorities.

4. Where is GDPR mandatory?

GDPR is mandatory across all EU member states. Additionally, it applies to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior.

5. Does GDPR apply to small websites?

Small websites must comply with GDPR if they collect or process the personal data of individuals in the EU. Compliance is based on the nature of data processing activities rather than the size of the website or organization.

Pansy
Pansy is an ISC2 Certified in Cybersecurity content marketer with a background in Computer Science engineering. Lately, she has been exploring the world of marketing through the lens of GRC (Governance, risk & compliance) with Sprinto. When she’s not working, she’s either deeply engrossed in political fiction or honing her culinary skills. You may also find her sunbathing on a beach or hiking through a dense forest.
