GDPR Compliance Checklist for Small Businesses
GDPR - the General Data Protection Regulation - applies to any business that processes personal data of people in the EU or UK, regardless of where the business is based. For small business owners, compliance does not require a legal team. It requires understanding eight core obligations and putting straightforward practices in place to meet them.
Does GDPR apply to my business?
GDPR applies to your business if you process personal data (any information that identifies a living person - a name, email address, IP address, or phone number counts) and any of the following is true: you are based in the EU or UK; you offer goods or services to people in the EU or UK; or you monitor the behaviour of people in the EU or UK (for example, using analytics tracking). There is no size exemption - a sole trader with a contact form that collects email addresses from EU visitors is subject to GDPR.
The GDPR compliance checklist
1. Publish a privacy policy
Every website that processes personal data must have a publicly accessible privacy policy. It must explain what data you collect, why you collect it, how long you keep it, who you share it with, and what rights users have. Link to it from your website footer and from any form that collects personal data.
2. Identify your legal basis for processing
For each type of personal data you collect, you must have a valid legal basis under GDPR. The six lawful bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Most small businesses rely on consent (for marketing emails), contract performance (for processing customer orders), and legitimate interests (for website analytics). Document which basis you rely on for each processing activity.
3. Obtain valid consent where required
If you rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count as consent under GDPR. Users must actively opt in. For email marketing, this means a clear opt-in checkbox (not pre-ticked) with a plain-English explanation of what they are signing up for. Keep records of when and how consent was obtained.
4. Add a cookie consent banner
Non-essential cookies (including Google Analytics, Facebook Pixel, and advertising cookies) may only be set after the user has given consent. This requires a cookie consent banner that allows users to accept or reject non-essential cookies before they are loaded. Essential cookies (required for the site to function) do not require consent but must still be disclosed in your privacy policy.
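One way to enforce the "consent before loading" rule described above, as an added JavaScript example that is not part of the original page: scripts are tagged with a category, and any non-essential category is only injected once a stored consent record allows it. The storage key, the category names, the sample script list and the in-memory store (standing in for localStorage so the logic runs outside a browser) are all assumptions.

```javascript
// Consent-gated loading of non-essential scripts (added example, not from the page).
// "essential" never needs consent; every other category is blocked until opted in.
const CONSENT_KEY = "cookie_consent_v1"; // assumed storage key name

// Persist the user's choice with a timestamp so there is a record of when consent was given.
function recordConsent(store, choices) {
  const record = { at: new Date().toISOString(), choices: { ...choices } };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Read the stored record; anything missing or malformed is treated as "no consent".
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Default deny: a category loads only if the record explicitly sets it to true.
function mayLoad(store, category) {
  if (category === "essential") return true;
  const record = readConsent(store);
  return !!(record && record.choices && record.choices[category] === true);
}

// Inject only the permitted scripts. `inject` is a callback (in a browser, one that
// appends a <script> element) so the gating logic itself has no DOM dependency.
function loadPermitted(store, scripts, inject) {
  const loaded = [];
  for (const s of scripts) {
    if (mayLoad(store, s.category)) { inject(s.src); loaded.push(s.src); }
  }
  return loaded;
}

// Minimal in-memory store with the localStorage interface, for running this outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Constructed sample: one essential script and two non-essential ones.
const SAMPLE_SCRIPTS = [
  { src: "/js/checkout.js", category: "essential" },
  { src: "https://www.googletagmanager.com/gtag/js", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];
```

In a real page the banner's accept/reject buttons call recordConsent and then loadPermitted; before any choice is made only the essential script is injected.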
5. Honour data subject rights
Under GDPR, individuals have the right to: access all personal data you hold about them; request correction of inaccurate data; request deletion of their data; request that you stop processing their data; receive their data in a portable format; and object to processing based on legitimate interests. You must be able to respond to these requests within 30 days. Put a process in place for receiving and handling data subject requests - even a designated email address is sufficient for most small businesses.
6. Review your third-party processors
Any third-party service that processes personal data on your behalf (your email marketing platform, payment processor, analytics provider, hosting company) is a data processor under GDPR. You must have a Data Processing Agreement (DPA) in place with each processor. Most major services (Google, Mailchimp, Stripe, etc.) provide standard DPAs - check their documentation and accept or sign them if you have not already done so.
7. Secure the personal data you hold
GDPR requires appropriate technical and organisational security measures. For most small businesses this means: using HTTPS on your website (free via Let's Encrypt); using strong, unique passwords and multi-factor authentication for any service that holds personal data; keeping software and plugins up to date; limiting who has access to personal data to those who need it; and having a process for securely deleting data that is no longer needed.
8. Know your data breach obligations
If you experience a data breach (unauthorised access to, disclosure of, or loss of personal data), GDPR requires you to notify your national data protection authority within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly. Keep a record of all data breaches, even those that do not require notification.
GDPR and international data transfers
If you use services that transfer personal data outside the EU/UK (for example, a US-based email marketing platform or cloud storage provider), this transfer must be protected by an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision, or the UK-US Data Bridge. Most major US service providers have SCCs in place - check their data processing agreements for confirmation.
What about the UK after Brexit?
The UK has its own data protection law - UK GDPR - which is largely identical to EU GDPR. If you process personal data of UK residents, UK GDPR applies. If you process personal data of both UK and EU residents, both EU GDPR and UK GDPR apply. In practice, complying with EU GDPR will generally mean you also comply with UK GDPR.
Create your privacy policy
The Privacy Policy Generator on this site builds a GDPR-compliant privacy policy tailored to your business. Select your jurisdiction, tick the data types you collect, add your cookie and third-party services, and download a complete policy in minutes - no signup required.