Does GDPR Apply to My Small Business? A Plain-English Test
## The short answer
Yes, GDPR almost certainly applies to your business. If you collect, store, or use any information that identifies a living person — customer names, email addresses, delivery details, staff records, even a list of enquiry forms — you are processing personal data, and the rules apply. There is no general small-business exemption based on headcount or turnover. The common belief that GDPR is "only for big companies" is one of the most expensive misconceptions in compliance.
What changes with size is not *whether* the rules apply but *how much* paperwork you must keep and how much risk you carry. A sole trader with a mailing list and a 200-person firm both have to handle personal data lawfully; the larger firm simply has more obligations to document it.
## What counts as personal data
Personal data is any information relating to an identifiable living individual. That is broader than most people expect. It includes:
- Names, postal addresses, email addresses and phone numbers
- IP addresses, cookie identifiers and device IDs
- Photographs and CCTV footage
- Customer purchase history and account notes
- Employee and contractor records
- Job applicant CVs
A special, more sensitive category — "special category data" — covers things like health, ethnicity, religious beliefs, sexual orientation and biometric data used for identification. This carries stricter rules and you usually need a stronger legal justification to process it.
## The three-question scope test
Work through these to confirm you are in scope:
1. **Do you handle any information about identifiable people?** If yes, continue.
2. **Are you established in the UK or EU, or do you offer goods/services to, or monitor, people there?** A business based outside the UK/EU can still be caught if it targets customers inside those regions.
3. **Are you acting as the one deciding why and how that data is used?** If so you are a "data controller" with the fullest set of duties. If you only process data on someone else's instructions, you are a "processor" with a narrower but still real set of duties.
If you answered yes to questions one and two, the regulation applies to you.
## The one genuine relief for smaller organisations
There is a limited exemption around keeping a formal "record of processing activities". Organisations with fewer than 250 staff do not always have to maintain this full record — but the exemption falls away if your processing is more than occasional, is likely to risk people's rights, or involves special category data. In practice, most active businesses end up needing some form of record anyway, so it is sensible to keep a simple one regardless.
This is the only meaningful size-based concession. Everything else — lawful basis, transparency, security, honouring individual rights — applies to everyone.
## What being in scope actually requires
Being in scope does not mean drowning in bureaucracy. The core duties are practical:
- **Have a lawful basis** for every use of personal data (for example consent, contract, or legitimate interests).
- **Tell people what you do** with their data through a clear privacy notice.
- **Keep data secure** with sensible technical and organisational measures.
- **Only keep data as long as you need it**, then delete it.
- **Be ready to respond** when someone asks to see, correct, or delete their data.
For a small business, this can often be handled with a privacy notice, a short internal data inventory, a retention rule of thumb, and disciplined access controls.
## A note on registration
Many UK organisations that process personal data must also pay a data protection fee to the Information Commissioner's Office (the ICO) and register, unless a specific exemption applies. The fee is tiered and modest for small organisations. Check the ICO self-assessment to confirm your position rather than assuming you are exempt.
## Why this matters even at small scale
The reputational and financial consequences of getting it wrong are not scaled to your size. A single mishandled subject access request or a leaked customer list can trigger a complaint, an investigation, and lost trust. Building good habits early — while your data footprint is small — is far cheaper than retrofitting compliance once you have thousands of records.
At neart.ai we build enterprise-grade products with data protection considered from the design stage, which is exactly the mindset a smaller business can borrow: treat personal data as something you are responsible for, not something you merely possess.
## Practical takeaway
Assume GDPR applies unless you have specifically confirmed otherwise. Spend an afternoon listing what personal data you hold, why you hold it, and where it lives. That single inventory turns a vague worry into a manageable checklist — and it is the foundation every other GDPR obligation builds on.