GDPR basics for small companies start with one hard truth: size changes how much paperwork you keep, not whether the rules apply. If you collect leads, run payroll, track website enquiries, or store client emails, you are processing personal data. The GDPR text and the European Data Protection Board's SME guide both make this a practical business issue, not an enterprise-only topic.
That matters early. A small company still needs a lawful basis, clear notices, supplier controls, sensible security, and a plan for requests and breaches. Corpenza's audit and compliance support, the broader audit, compliance and AML guide, and the checklist on passing a first company audit fit into the same operational picture.
Does GDPR really apply to a small company?
Yes. GDPR applies to small companies whenever they process personal data. The size of the business may affect whether certain records or roles are mandatory, but it does not remove the core duties to process data lawfully, tell people what you do with it, keep it secure, and respect their rights.
The clean way to think about it is operational. If your company stores employee files, CRM contacts, newsletter subscribers, supplier contact details, or website form leads, you are already inside the GDPR conversation. The Your Europe business guide explains the controller and processor split in plain language: the controller decides why and how data is processed, and the processor handles it on the controller's behalf.
That distinction matters fast. Your payroll app, email platform, cloud storage provider, marketing tool, and outsourced HR partner will usually sit somewhere in that chain.
What lawful basis should a small company rely on?
A small company should choose a lawful basis activity by activity, not one blanket label for everything. Article 6 GDPR says processing is lawful only if at least one listed basis applies, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests. Most small companies use a mix.
In practice, employment files are often tied to legal obligation and contract. Sales contracts and onboarding documents usually sit under contract. Marketing emails may rely on consent or, in some situations, legitimate interests. The common mistake is copying one sentence into every form and hoping it covers the whole business. It does not.
Build a simple data map. For each process, note the data category, purpose, lawful basis, retention window, who receives the data, and which system stores it. That single sheet does a lot of work later.
What documents and controls do you need from day one?
Small companies do not need a giant compliance binder on day one. They do need a working minimum set: a privacy notice, processor agreements for vendors handling personal data, a retention view, an internal request-and-breach process, and enough records to prove what the company is doing.
| Control | Why it matters | Small-company mistake |
|---|---|---|
| Privacy notice | Tells people what data you collect, why, and how long you keep it. | Copying a template that does not match the real systems in use. |
| Vendor contracts | Processor relationships need written control, especially for payroll, CRM, email, and cloud tools. | Using tools before checking data-processing terms. |
| Retention rules | Stops the company from keeping everything forever. | Leaving old applicant, lead, or inactive customer data in live systems. |
| Request workflow | Keeps access, correction, and deletion requests from getting lost. | Letting requests sit in a shared inbox with no owner. |
| Breach playbook | Helps the team assess risk and act quickly if data is exposed. | Realising there is no incident path after the leak has already happened. |
Your Europe also states that you must be able to prove your company acts in accordance with the GDPR. That is the accountability test in plain business language. If a regulator, investor, bank, or due diligence team asks what your process is, “we thought we were covered” is not a process.
Do companies under 250 employees need records or a DPO?
Sometimes yes. GDPR does give smaller organisations a narrower record-keeping rule, but Article 30(5) does not create a full exemption. The lighter rule disappears if processing is risky, not occasional, or involves special-category or criminal-offence data. That is a bigger caveat than many founders expect.
So a small employer can still need structured processing records because HR data is ongoing, not occasional. A health-tech startup can run straight into special-category data. An e-commerce company that profiles users at scale can push into more demanding territory.
A Data Protection Officer is also not automatic. Article 37 points to specific triggers: regular and systematic monitoring on a large scale, or large-scale processing of special-category or criminal-offence data. Many small companies do not need a formal DPO. Some absolutely do. The right question is not headcount alone. It is what the business actually does with data every day.
What happens if there is a breach or a customer request?
A small company needs a response path before the stressful day arrives. GDPR expects data-breach notification to the supervisory authority without undue delay and, where feasible, within 72 hours after awareness if the breach is likely to risk people's rights and freedoms. That clock moves quickly.
The same goes for individual rights. Your Europe says requests should be answered without undue delay and in any case within one month, with a possible two-month extension for complex or multiple requests if the person is informed. The main operational lesson is simple: route requests to a named owner, log the deadline, and keep evidence of the response.
Most small companies do not fail here because the law is mysterious. They fail because nobody owns the inbox, the vendor list is outdated, and the incident facts are scattered across Slack, email, and the founder's phone.
What are the real GDPR penalties for small companies?
The headline penalties are real even if the outcome in any one case depends on context. Article 83 GDPR allows certain infringements to reach up to EUR 20,000,000 or 4% of worldwide annual turnover, whichever is higher. Small companies should read that as a governance warning, not a scare line to ignore.
In practice, the cost of weak GDPR habits usually appears earlier than a maximum fine. Lost sales cycles during procurement. Bank or investor diligence questions. Client security questionnaires that stall. Messy HR exits. Time burned on cleanup. Those are small-company problems long before a regulator arrives.
Start with the basics this week: list your data flows, assign lawful bases, review vendor contracts, trim retention, and write a breach-and-request path that one colleague can run under pressure. Then review it again after the business adds a new tool, market, or hiring channel.
FAQ: GDPR basics for small companies
Can a two-person startup fall under GDPR?
Yes. GDPR looks at the processing activity, not only the size of the team. A two-person startup that collects leads, invoices customers, hires staff, or runs analytics on EU users is already processing personal data.
Is consent the main lawful basis for every small company?
No. Consent is only one basis. Many routine operations rely on contract or legal obligation. Using consent when another basis fits better can create avoidable problems later.
Do small companies always need an Article 30 record?
No, but many still should keep one. The fewer-than-250 rule has exceptions, and a short practical processing record is useful even when the legal position is arguable.
Do we need a DPO before raising a funding round?
Fundraising does not itself trigger a DPO. The test is whether the business carries out large-scale monitoring or large-scale processing of special-category or criminal-offence data as a core activity.
What is the fastest first fix?
Create one data map and one vendor list. Those two documents reveal most of the gaps: missing lawful bases, unclear retention, weak contracts, and forgotten systems.
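The data map described earlier (data category, purpose, lawful basis, retention window, recipients, system) and the vendor list can be kept as plain structured records and checked mechanically for the gaps this answer lists. The script below is an added example, not part of the original article or any Corpenza tooling: the field names, the `Process` and `Vendor` records, the `find_gaps` and `article30_light_rule_applies` functions and the ten-person sample company are all constructed for illustration. The Article 30(5) check encodes the caveat from the record-keeping section above: the lighter rule is only available when no processing is non-occasional, risky, or involves special-category or criminal-offence data.

```python
"""Gap checker for a small-company GDPR data map and vendor list.

Added example, not from the original article. Field names and sample rows are
constructed; the checks mirror the article's points: every process needs a
recorded lawful basis and retention window, every recipient should appear on
the vendor list, every vendor handling personal data needs a processor
agreement, and Article 30(5)'s lighter record-keeping rule falls away when
processing is not occasional, is risky, or involves special-category or
criminal-offence data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The Article 6 bases named in the article.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}


@dataclass
class Process:
    name: str
    data_category: str
    purpose: str
    lawful_basis: Optional[str]      # one of LAWFUL_BASES, or None if nobody decided
    retention: Optional[str]         # e.g. "6 years after contract end"; None if never set
    recipients: List[str]            # vendors or systems that receive the data
    system: str                      # where the data lives
    special_category: bool = False   # health, biometric and similar data
    criminal_offence: bool = False
    occasional: bool = True          # False for ongoing processing such as payroll
    high_risk: bool = False          # e.g. large-scale profiling


@dataclass
class Vendor:
    name: str
    handles_personal_data: bool
    processor_agreement: bool        # written data-processing terms in place?


def find_gaps(processes: List[Process], vendors: List[Vendor]) -> List[str]:
    """Return plain-language gap descriptions; an empty list means nothing found."""
    gaps = []
    vendor_names = {v.name for v in vendors}
    for p in processes:
        if p.lawful_basis not in LAWFUL_BASES:
            gaps.append(f"{p.name}: no valid lawful basis recorded")
        if not p.retention:
            gaps.append(f"{p.name}: no retention window")
        for r in p.recipients:
            if r not in vendor_names:          # a "forgotten system" in the article's words
                gaps.append(f"{p.name}: recipient '{r}' is not on the vendor list")
    for v in vendors:
        if v.handles_personal_data and not v.processor_agreement:
            gaps.append(f"{v.name}: handles personal data without a processor agreement")
    return gaps


def article30_light_rule_applies(processes: List[Process], headcount: int) -> Tuple[bool, List[str]]:
    """Article 30(5) test as summarised in the article: the lighter record-keeping
    rule needs fewer than 250 staff AND no processing that is non-occasional,
    risky, or involves special-category or criminal-offence data.
    Returns (applies, reasons_it_does_not)."""
    reasons = []
    if headcount >= 250:
        reasons.append("250 or more employees")
    for p in processes:
        if not p.occasional:
            reasons.append(f"{p.name}: processing is not occasional")
        if p.high_risk:
            reasons.append(f"{p.name}: processing is likely to result in a risk")
        if p.special_category or p.criminal_offence:
            reasons.append(f"{p.name}: special-category or criminal-offence data")
    return (not reasons, reasons)


# Constructed sample data map and vendor list for a ten-person company.
SAMPLE_PROCESSES = [
    Process("Payroll", "employee pay data", "pay staff", "legal obligation",
            "6 years after employment ends", ["PayrollApp"], "PayrollApp", occasional=False),
    Process("Newsletter", "email address", "marketing", "consent",
            None, ["MailTool"], "MailTool"),
    Process("Website leads", "name, email, company", "sales follow-up", None,
            "12 months after last contact", ["CRM"], "CRM"),
]
SAMPLE_VENDORS = [
    Vendor("PayrollApp", handles_personal_data=True, processor_agreement=True),
    Vendor("MailTool", handles_personal_data=True, processor_agreement=False),
]

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_PROCESSES, SAMPLE_VENDORS):
        print("GAP:", gap)
    applies, why_not = article30_light_rule_applies(SAMPLE_PROCESSES, headcount=10)
    print("Article 30(5) lighter rule available:", applies)
    for reason in why_not:
        print("  because:", reason)
```

Run against the sample company it reports four gaps (the newsletter has no retention window, the lead form has no lawful basis and feeds a CRM nobody listed as a vendor, and the mail tool has no processor agreement) and shows that the lighter Article 30(5) rule is already unavailable because payroll is ongoing rather than occasional, which is exactly the small-employer case the record-keeping section describes.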
This is general information, not legal or tax advice; rules change and depend on your situation.
If your company handles EU customer, employee, or lead data and you want a practical setup rather than a generic template, Corpenza can help with audit and compliance support and a scoped review through Corpenza contact.