neart.ai
EcosystemStoryHow We BuildPricingBlog
Try Inspected →
neart.ai
EcosystemStoryHow We BuildBlog

Ní neart go cur le chéile

A SaltCore Group Limited company

© 2026 neart.ai · SaltCore Group Limited. All rights reserved.

Compliance & Security

Does GDPR Apply to My Small Business? A Plain-English Test

28 February 20254 min read

## The short answer


Yes, GDPR almost certainly applies to your business. If you collect, store, or use any information that identifies a living person — customer names, email addresses, delivery details, staff records, even a list of enquiry forms — you are processing personal data, and the rules apply. There is no general small-business exemption based on headcount or turnover. The common belief that GDPR is "only for big companies" is one of the most expensive misconceptions in compliance.


What changes with size is not *whether* the rules apply but *how much* paperwork you must keep and how much risk you carry. A sole trader with a mailing list and a 200-person firm both have to handle personal data lawfully; the larger firm simply has more obligations to document it.


## What counts as personal data


Personal data is any information relating to an identifiable living individual. That is broader than most people expect. It includes:


- Names, postal addresses, email addresses and phone numbers

- IP addresses, cookie identifiers and device IDs

- Photographs and CCTV footage

- Customer purchase history and account notes

- Employee and contractor records

- Job applicant CVs


A special, more sensitive category — "special category data" — covers things like health, ethnicity, religious beliefs, sexual orientation and biometric data used for identification. This carries stricter rules and you usually need a stronger legal justification to process it.


## The three-question scope test


Work through these to confirm you are in scope:


1. **Do you handle any information about identifiable people?** If yes, continue.

2. **Are you established in the UK or EU, or do you offer goods/services to, or monitor, people there?** A business based outside the UK/EU can still be caught if it targets customers inside those regions.

3. **Are you acting as the one deciding why and how that data is used?** If so you are a "data controller" with the fullest set of duties. If you only process data on someone else's instructions, you are a "processor" with a narrower but still real set of duties.


If you answered yes to questions one and two, the regulation applies to you.


## The one genuine relief for smaller organisations


There is a limited exemption around keeping a formal "record of processing activities". Organisations with fewer than 250 staff do not always have to maintain this full record — but the exemption falls away if your processing is more than occasional, is likely to risk people's rights, or involves special category data. In practice, most active businesses end up needing some form of record anyway, so it is sensible to keep a simple one regardless.


This is the only meaningful size-based concession. Everything else — lawful basis, transparency, security, honouring individual rights — applies to everyone.


## What being in scope actually requires


Being in scope does not mean drowning in bureaucracy. The core duties are practical:


- **Have a lawful basis** for every use of personal data (for example consent, contract, or legitimate interests).

- **Tell people what you do** with their data through a clear privacy notice.

- **Keep data secure** with sensible technical and organisational measures.

- **Only keep data as long as you need it**, then delete it.

- **Be ready to respond** when someone asks to see, correct, or delete their data.


For a small business, this can often be handled with a privacy notice, a short internal data inventory, a retention rule of thumb, and disciplined access controls.


## A note on registration


Many UK organisations that process personal data must also pay a data protection fee to the Information Commissioner's Office (the ICO) and register, unless a specific exemption applies. The fee is tiered and modest for small organisations. Check the ICO self-assessment to confirm your position rather than assuming you are exempt.


## Why this matters even at small scale


The reputational and financial consequences of getting it wrong are not scaled to your size. A single mishandled subject access request or a leaked customer list can trigger a complaint, an investigation, and lost trust. Building good habits early — while your data footprint is small — is far cheaper than retrofitting compliance once you have thousands of records.


At neart.ai we build enterprise-grade products with data protection considered from the design stage, which is exactly the mindset a smaller business can borrow: treat personal data as something you are responsible for, not something you merely possess.


## Practical takeaway


Assume GDPR applies unless you have specifically confirmed otherwise. Spend an afternoon listing what personal data you hold, why you hold it, and where it lives. That single inventory turns a vague worry into a manageable checklist — and it is the foundation every other GDPR obligation builds on.

Related posts

Compliance & Security

The Six GDPR Lawful Bases: How to Choose the Right One

Compliance & Security

How to Handle a Data Subject Access Request, Step by Step

Compliance & Security

Data Breach Reporting: When You Must Tell the ICO Within 72 Hours