GDPR: A simple guide for small business compliance

GDPR affects how you handle customer data and can impact your business with hefty fines if you get it wrong.

Written by Lena Hanna—Trusted CPA Guidance on Accounting and Tax.

Published Wednesday 5 November 2025

Key takeaways

• Implement GDPR compliance if you handle personal data of anyone located in the EU or UK, regardless of where your business is based or whether you offer free or paid services to these individuals.

• Apply the seven core GDPR principles by collecting only necessary data, using it solely for stated purposes, keeping it accurate and secure, and being transparent about your data handling practices.

• Establish clear processes to respond to individual rights requests within one month, including providing data access, enabling data deletion, and offering portable digital copies of personal information.

• Designate someone in your organisation to oversee GDPR compliance, audit your data collection practices, update privacy notices, and implement appropriate security measures including access controls and encryption.

What is GDPR?

GDPR is the General Data Protection Regulation - Europe's comprehensive data privacy law that controls how businesses handle personal information. It took effect on 25 May 2018.

The regulation gives EU individuals control over their personal data, including how it's collected, stored and used. GDPR applies to every company worldwide that processes personal data about people in the EU.

Who does GDPR apply to?

The General Data Protection Regulation (GDPR) isn't just for European companies. It applies to any business, anywhere in the world, that handles the personal data of people located in the European Union (EU) or the United Kingdom (UK).

You may need to comply if you have customers in the EU, market to people there, or track website visitors from the region. If you offer goods or services to people in the EU or UK, even for free, you'll need to comply with GDPR.

What does GDPR mean?

GDPR establishes clear rules for how you handle customer data and gives individuals specific rights over their information. The key areas GDPR covers are:

  • Personal data about people in the EU: This includes your customers, employees, suppliers, and anyone else whose personal data you collect. Personal data includes names, contact details, medical information, credit card or bank account details, and other identifying information.
  • How you collect personal data: In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
  • Make user contracts and terms and conditions simple, clear, and easy to understand – avoid complicated legal text.
  • Give individuals the right to know what information you hold about them. You must respond within one month and cannot charge a fee.
  • Allow customers to ask you to delete all personal data you hold about them, unless you need to keep it for legal reasons, such as tax.
  • Provide individuals with a digital copy of their personal data if they request it, so they can use it as they choose.
  • Report certain types of data breaches to the relevant supervisory authority.

The UK government adopted GDPR into UK law before Brexit. If you are a UK company, you have the same obligations.

The 7 principles of GDPR

GDPR is built on seven key principles for handling personal data.

  1. Lawfulness, fairness and transparency: Be clear and honest about why you're collecting data and what you'll do with it.
  2. Purpose limitation: Only use the data for the specific reason you collected it for.
  3. Data minimisation: Only collect the data you actually need, and nothing more.
  4. Accuracy: Make sure the personal data you hold is accurate and up-to-date.
  5. Storage limitation: Don't keep data for longer than you need to.
  6. Integrity and confidentiality: Keep the data safe and secure from unauthorised access or loss.
  7. Accountability: You are responsible for showing how you comply with these principles.

GDPR penalties and fines

If you do not follow GDPR rules, you can face significant fines. There are two levels of penalties; the higher level can reach €20 million or 4% of your business's global annual turnover from the previous year, whichever is higher.

Regulators consider your business size and resources when deciding on penalties. The main goal is to encourage you to protect personal data properly.

GDPR and data protection

GDPR shifts control of personal data back to individuals and requires businesses to make data protection central to their operations.

The regulation exists because many businesses treated personal data as a free resource. Common problems included:

If you handle EU personal data, including as a small business, you need to comply. The steps below will help you get compliant.

Does GDPR affect data security?

GDPR requires you to keep personal data secure through appropriate technical and organisational measures. This includes secure storage, access controls, and encryption where necessary.

The regulation also controls where you can store and process EU personal data. If you transfer data outside the EU, for example by disclosing personal information to organisations in countries such as the United States, the UK or Singapore, you need adequate safeguards in place. For transfers to the United States, check that providers have appropriate certifications or contractual protections that meet GDPR requirements.

Summary of GDPR for small business

GDPR compliance centres on treating personal data ethically and transparently - handle it as carefully as you would your own valuable information.

Follow these steps to make your small business GDPR compliant:

Check products and services

  • Audit your data collection: Check which products or services collect and process personal data
  • Establish legal grounds: Ensure you have a legal basis for processing personal data
  • Enable customer rights: Ensure you can comply with GDPR obligations like data access and deletion requests

Review notices and contracts

  • Revise privacy notices: Update internal and external notices to meet GDPR transparency requirements
  • Review contracts: Review customer contracts to ensure they include necessary GDPR clauses and data processing terms

Assign responsibility

  • Assign data protection responsibility: Designate someone to oversee GDPR compliance and privacy matters
  • Assess DPO requirements: Most small businesses do not need a formal data protection officer, but check the Information Commissioner's Office guidance on data protection officers if you process large amounts of sensitive data.
  • Train your team: Train your team so staff understand their data protection responsibilities

Take care over security

  • Secure your systems: Secure your systems by implementing appropriate security measures, including access controls, encryption, and regular security updates

GDPR resources for small businesses and advisors

You can find further information on the GDPR.EU website. Talk to your legal advisors to understand what you need to do to be GDPR compliant.

FAQs on GDPR

Here are answers to some common questions about GDPR.

What is GDPR Australia?

While GDPR is a European regulation, it can affect Australian businesses. If your business offers goods or services to people in the EU or UK, or monitors their online behaviour, you must comply with GDPR. Australia has its own Privacy Act, but you must follow GDPR requirements when handling data from European residents.

What is GDPR in simple terms?

In short, GDPR is a European data privacy regulation. It gives individuals in the EU and UK rights over how their personal information is collected, used, and stored. For businesses, it sets the rules for handling that data lawfully and securely.

What are the main differences between GDPR and other privacy laws?

GDPR is often considered one of the strictest privacy laws. Compared to other laws, like Australia's Privacy Act, you may face broader requirements and higher potential fines under GDPR. While some laws require strict consent, GDPR allows you to use several legal reasons for handling data, not just consent.

Do I need a data protection officer for my small business?

Most small businesses do not need to appoint a formal data protection officer. You only need one if you are a public authority, process large amounts of sensitive data, or monitor individuals on a large scale. However, it is still a good idea to have someone in your business responsible for data protection.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.