GDPR for Small Businesses and Freelancers: Basic Obligations, Risks and How to Reduce Your Exposure to Fines

This article provides a practical overview of GDPR obligations for small Romanian businesses, from choosing the right legal basis to documenting processing and securing personal data. It highlights common compliance gaps seen in practice and suggests pragmatic steps to lower your exposure to complaints, inspections and administrative fines.

Whether you are a freelancer or you run a small service company, an online shop or a local studio, you almost certainly process personal data: names, email addresses, phone numbers, delivery addresses, billing details, maybe even CVs or basic health data. From the moment you use this information in your activity, you enter the world of Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR), which has been directly applicable in all EU Member States since 25 May 2018.

The official text of the GDPR can be found on EUR-Lex: Regulation (EU) 2016/679. Consolidated, easy-to-navigate versions are available on specialised sites such as gdpr-info.eu and GDPR.eu. These sources are worth bookmarking, because they are regularly used by practitioners, lawyers and data protection officers across Europe.

The aim of this article is not to turn you into a lawyer, but to explain in accessible language what basic obligations you have as a small business or freelancer, what risks and types of fines you face and, most importantly, what concrete steps you can take to reduce your exposure. We will look at lawful bases for processing, records of processing activities, when you need a Data Protection Officer (DPO), how to deal with data subject rights, and how to structure your GDPR approach so that it is realistic and proportionate to the size of your business.

1. Why GDPR matters for small businesses and freelancers

1.1 GDPR applies regardless of company size

GDPR does not contain a general exemption for micro-companies or freelancers. It applies to any controller that processes personal data, regardless of turnover or number of staff. Article 2 and Recital 14 of the Regulation clarify that GDPR covers automated processing and certain manual processing where personal data are part of a filing system and individuals are identified or identifiable.

There are some limited alleviations for organisations with fewer than 250 employees (for example in relation to records of processing activities under Article 30(5)), but no blanket exemption. The wording and scope of Article 30 GDPR are explained in commentaries such as gdpr-info – Article 30 and practical guides like GDPR.eu – Records of processing activities, which underline that many small organisations still have to maintain records because their processing is regular and not merely occasional.

1.2 Supervisory authorities and enforcement

Every EU country has an independent data protection authority. The complete list is maintained by the European Data Protection Board (EDPB) at edpb.europa.eu. These authorities publish guidance, FAQs, decisions and annual reports on enforcement trends.

On the European level, websites such as GDPR.eu – Fines and the EDPB’s enforcement overviews highlight that supervisory authorities have carried out thousands of investigations and imposed fines for a wide variety of infringements, from missing privacy notices and unlawful marketing to security breaches and lack of cooperation with the authority. The message is clear: GDPR enforcement is not limited to big tech. Small and medium-sized businesses are regularly investigated and fined.

1.3 Why you should care beyond “avoiding fines”

The most visible risk is, of course, the administrative fine. Article 83 GDPR provides that certain infringements may be punished with fines of up to 10 million EUR or 2% of the total worldwide annual turnover, and for more serious violations up to 20 million EUR or 4% of total worldwide annual turnover, whichever is higher. These thresholds and how they are applied are explained in detail on gdpr-info.eu and in the EDPB’s Guidelines 04/2022 on the calculation of administrative fines.

However, fines are not the only risk. There are also:

  • Loss of customer trust if you suffer a data breach or are publicly named by the authority.
  • Civil claims from data subjects demanding compensation under Article 82 GDPR.
  • Operational costs to remediate security incidents, update systems or restructure processes after an investigation.
  • Time and distraction for you and your team, dealing with complaints, audits and document requests.

Taking GDPR seriously is therefore not just about “ticking boxes” but about managing legal and reputational risk in a sustainable way.

2. Key concepts: who you are and what you do under GDPR

2.1 Controller, processor and data subject

Article 4 GDPR defines several core concepts:

  • Controller: the natural or legal person which determines the purposes and means of the processing of personal data (Article 4(7)). If you decide why and how client data are processed, you are the controller.
  • Processor: a natural or legal person which processes personal data on behalf of the controller (Article 4(8)). Typical examples for small businesses are cloud providers, email marketing platforms, payment processors or outsourced accounting firms.
  • Data subject: an identified or identifiable natural person whose data are processed (Article 4(1)). For you this usually means customers, prospects, employees, contractors or newsletter subscribers.

The official definitions can be checked in the GDPR text on EUR-Lex and in accessible commentaries such as gdpr-info – Article 4 and GDPR.eu – Definitions.

2.2 What “processing” means in practice

According to Article 4(2) GDPR, processing means any operation performed on personal data, whether or not by automated means: collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, erasure, destruction, etc. In practice, typical processing operations in small businesses and freelance work include:

  • Managing customer lists (CRM tools, spreadsheets, contact lists in your phone).
  • Issuing invoices, contracts and service agreements containing personal data.
  • Sending newsletters, marketing emails or SMS campaigns.
  • Operating user accounts for an online service or membership site.
  • Using website analytics and advertising tools that rely on cookies or online identifiers.
  • Operating video surveillance in a shop or office.

Even if these activities feel “normal” and non-intrusive, they are squarely within the scope of GDPR and must be supported by a lawful basis and appropriate safeguards.

3. Lawful bases for processing: what you rely on

3.1 The six lawful bases in Article 6 GDPR

Article 6 GDPR lists six lawful bases for processing personal data. For small businesses and freelancers, the most relevant are usually:

  • Contract (Article 6(1)(b)) – processing that is necessary for the performance of a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract. Example: collecting a client’s contact details to provide consulting services.
  • Legal obligation (Article 6(1)(c)) – processing needed to comply with EU or national law. Example: keeping invoices and accounting records for the retention period required by tax law.
  • Legitimate interests (Article 6(1)(f)) – processing needed for the legitimate interests of the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject. Example: basic customer relationship management, fraud prevention or certain types of direct marketing, where allowed by other applicable rules.
  • Consent (Article 6(1)(a)) – processing based on a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Example: newsletter subscriptions for non-customers, use of non-essential cookies for analytics and targeted advertising.

The EDPB’s Guidelines 05/2020 on consent and the Article 29 Working Party’s Opinion 06/2014 on legitimate interests (endorsed by the EDPB) provide detailed explanations and examples of how to apply these bases correctly.

3.2 Typical scenarios for small businesses and freelancers

Let us look at a few common scenarios and the likely lawful basis for each, noting that the exact qualification depends on the context and on national e-privacy rules:

  • Delivering services or products to customers: you process personal data to provide what the customer purchased (contact, billing, delivery, support). The main lawful basis is contract (Article 6(1)(b)).
  • Accounting and tax reporting: you store invoices and financial records with personal data. The lawful basis is legal obligation (Article 6(1)(c)).
  • Basic customer relationship management: you keep a list of clients, notes about past projects and follow-up tasks. Depending on how intrusive the data is and the relationship, the basis may be contract or legitimate interests. A simple legitimate interests assessment helps document your reasoning.
  • Direct marketing to existing customers: under some national e-privacy implementations, you may be allowed to send marketing for similar products or services to existing customers on a legitimate interests basis, provided they can easily opt out. You must still respect consumer and electronic communications law; guidance is available on the European Commission’s consumer portal at Your Europe – Internet and telecoms.
  • Marketing to non-customers: newsletters for prospects and marketing communications to people who are not yet customers generally require consent, combined with compliance with national anti-spam rules.
  • Analytics and advertising cookies: collection of online identifiers for measuring traffic or targeting ads typically needs prior consent under the ePrivacy rules and a clear lawful basis under GDPR. The EDPB, the European Data Protection Supervisor (EDPS) and several DPAs have published detailed cookie guidance explaining this dual framework.

The key point: do not default to consent for everything. The EDPB emphasises that consent is not valid if it is bundled with a contract for processing that is otherwise necessary, or if the data subject has no real choice.

3.3 What valid consent really requires

Under Article 4(11) and Article 7 GDPR, consent must be:

  • Freely given – no coercion, no “take it or leave it” where processing is not necessary for the service.
  • Specific – separate consent for different purposes, not a blanket agreement “to everything”.
  • Informed – people must know what they are consenting to (purposes, types of data, identity of the controller, right to withdraw).
  • Unambiguous – a clear affirmative action (for example ticking an empty box, clicking an “I accept” button) rather than silence or inactivity.

The EDPB Guidelines 05/2020 on consent make it clear that pre-ticked boxes, consent hidden in terms and conditions and inactivity are not acceptable. The guidelines also stress that withdrawing consent must be as easy as giving it, and controllers must respect withdrawal without detriment to the individual.

4. Records of processing activities: your “GDPR register”

4.1 What Article 30 GDPR requires

Article 30 GDPR obliges controllers (and processors) to maintain records of processing activities. For controllers, the records must at least include:

  • the name and contact details of the controller (and joint controllers, if applicable) and, where applicable, the DPO;
  • the purposes of the processing;
  • a description of the categories of data subjects and categories of personal data;
  • the categories of recipients;
  • transfers to third countries or international organisations and the safeguards used;
  • envisaged time limits for erasure of the different categories of data;
  • a general description of technical and organisational security measures.

The full wording can be consulted on EUR-Lex and in simplified form on gdpr-info.eu – Article 30 and GDPR.eu – Records of processing. The records do not have to be publicly available, but you must be able to present them to the supervisory authority upon request.

4.2 The “under 250 employees” exception and why it often does not help

Article 30(5) provides that organisations with fewer than 250 employees “shall not be obliged” to maintain records of processing activities unless:

  • the processing is likely to result in a risk to the rights and freedoms of data subjects; or
  • the processing is not occasional; or
  • the processing includes special categories of data or personal data relating to criminal convictions and offences.

In practice, most small businesses process personal data on a regular, ongoing basis (customer databases, HR, payroll, marketing). As a result, their processing is not “occasional” and the exception does not apply. This interpretation is reflected in many practical guides aimed at SMEs, such as the European Commission’s GDPR guidance for SMEs, which explicitly encourages SMEs to keep records even when the law might technically exempt them.

4.3 What a simple record can look like

There is no single mandatory template, but the structure usually includes columns such as:

  • Name of processing activity (e.g. “Customers – invoicing”, “Newsletter subscribers”, “Employee payroll”).
  • Categories of data subjects (customers, prospects, employees, contractors).
  • Categories of data (identification, contact, financial, usage data, images, etc.).
  • Purposes (contractual performance, legal obligation, marketing, security).
  • Lawful basis (contract, legal obligation, legitimate interests, consent).
  • Recipients (accountant, hosting provider, payment gateways, marketing tools).
  • International transfers (yes/no, with what safeguards – for example Standard Contractual Clauses).
  • Retention periods (for example “5 years after last purchase”, “10 years for accounting records”).
  • Security measures (passwords, encryption, access controls, backups).

For a micro-business, this can be a simple spreadsheet or document. The important point is to keep it up to date and consistent with what you actually do.

5. The Data Protection Officer (DPO): do you need one?

5.1 When a DPO is mandatory

Article 37 GDPR sets out three situations in which a Data Protection Officer is mandatory:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The EDPB’s Guidelines on Data Protection Officers (which update the former WP243 guidelines) provide concrete examples: large-scale hospitals, banks, insurance companies, large online platforms. They also show situations where a DPO is not mandatory, such as a small accounting firm or an individual doctor, if they do not process data on a “large scale” in the sense of the GDPR.

5.2 What this means for small businesses and freelancers

Most small businesses and freelancers will not meet the criteria for mandatory appointment of a DPO. However, the EDPB and national authorities stress that even where no DPO is required, it is good practice to designate someone internally with responsibility for data protection matters, or to consult an external expert when needed. The European Commission’s page on DPOs offers an accessible overview.

For a micro-business, this “role” may simply be assumed by the owner, who documents key decisions, organises training and acts as contact point for data subjects and the supervisory authority.

6. Data subject rights: how to handle requests in a small organisation

6.1 The main rights under GDPR

Articles 12 to 22 GDPR grant data subjects a series of rights:

  • Right of access (Article 15) – to obtain confirmation whether data are being processed and access to that data and related information.
  • Right to rectification (Article 16) – to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”, Article 17) – under certain conditions, such as where data are no longer necessary or consent is withdrawn and there is no other legal basis.
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20) – applicable for data processed on the basis of consent or contract, by automated means.
  • Right to object (Article 21) – especially relevant for direct marketing; once someone objects to marketing, you must stop sending such communications.
  • Rights related to automated decision-making and profiling (Article 22).

The EDPB transparency guidelines and the GDPR.eu overview of data subject rights provide practical explanations, including on timelines: generally, you must respond “without undue delay” and in any event within one month of receiving the request, with possible extensions by two months for complex cases (Article 12(3)).

6.2 A pragmatic process for small operators

Even if you are alone in your business, it is wise to set up a simple internal process:

  • Designate a contact channel for privacy requests (for example a dedicated email address or a clear section in your privacy policy).
  • Define basic steps: how you log the request, verify the identity of the requester (especially for access and erasure), find data in your systems, and decide whether any exceptions apply.
  • Prepare templates for common responses (access, rectification, erasure, objection to marketing, portability). Templates help you respond consistently and within the deadline.
  • Keep a log of requests and how you handled them (date, type of request, outcome, reasons for any refusal). This will be useful if the supervisory authority investigates.

Ignoring or delaying responses to data subject requests is a common cause of complaints and investigations, so having a basic process dramatically reduces your risk.

7. Risks, fines and examples: what can go wrong if you ignore GDPR

7.1 How fines are determined

Article 83 GDPR sets out the general conditions for imposing administrative fines. The supervisory authority must consider factors such as:

  • the nature, gravity and duration of the infringement;
  • whether it was intentional or negligent;
  • any actions taken to mitigate the damage suffered by data subjects;
  • degree of responsibility, taking into account technical and organisational measures implemented;
  • previous infringements and relevant past behaviour;
  • the categories of personal data affected;
  • the way the infringement became known to the authority, including whether the controller notified it;
  • compliance with measures ordered by the authority.

These criteria and their practical application are analysed in the EDPB’s Guidelines 04/2022 and summarised for non-lawyers on sites such as gdpr-info.eu and GDPR.eu – Fines.

7.2 Typical infringements for small businesses

Across Europe, enforcement databases and supervisory authority press releases show recurring patterns of infringements among SMEs:

  • Unlawful marketing, such as sending commercial emails or SMS without consent where required, or ignoring objections to marketing.
  • Insufficient transparency, for example missing or incomplete privacy notices, or notices written in overly complex legal language.
  • Inadequate security measures, leading to data breaches that could have been prevented by basic controls such as strong passwords and access management.
  • Excessive data collection or storage of data for longer than necessary without justification.
  • Failure to respect data subject rights, such as not responding to access or erasure requests.

Supervisory authorities often stress that while technical errors can sometimes be forgiven if quickly remedied, negligence in basic governance (no policies, no records, no responses to individuals) is viewed more critically and tends to result in fines or corrective orders.

8. How to reduce your exposure to GDPR fines: practical steps

8.1 Map your processing activities and data flows

The first and most important step is to understand what you do with personal data. The European Commission’s SME guidance recommends that controllers start by mapping their processing activities and drawing a data flow diagram, even if simple. On the Commission’s page for businesses at Obligations under GDPR you will find a high-level checklist of what is expected.

For a micro-business, a simple table or spreadsheet usually suffices. For each activity, note:

  • Which categories of people are involved (customers, prospects, employees, suppliers).
  • What data you collect from each category (identity, contact, financial, technical, behavioural).
  • Why you collect it (purpose) and on what lawful basis (contract, legal obligation, legitimate interests, consent).
  • Where the data goes (internal tools, laptops, phones, cloud services, third parties).
  • How long you keep the data and what you do at the end of the retention period (erasure, anonymisation, archiving under legal obligation).
  • What security measures apply (passwords, encryption, access controls, backups).

This mapping feeds directly into your records of processing activities, privacy notice, contracts with processors and internal security measures.

8.2 Draft and publish a clear, honest privacy notice

Articles 12–14 GDPR, supported by the EDPB’s Guidelines on transparency, require that you inform data subjects in a way that is concise, transparent, intelligible and easily accessible. In practice, this means:

  • Publishing a dedicated Privacy Policy on your website or app.
  • Using headings and plain language rather than dense legalese.
  • Explaining who you are, what data you collect, for which purposes, on what legal bases, with whom you share data, how long you retain it, and what rights individuals have.
  • Linking to the Privacy Policy wherever you collect data (sign-up forms, checkout pages, contact forms), not hiding it only in the footer.

A clear privacy notice is often the first thing regulators look at; it is also your main tool for building trust with customers and avoiding misunderstandings.

8.3 Check your contracts with processors and international transfers

If you use third-party services that process personal data on your behalf (email platforms, cloud hosting, payment processors, CRM tools), GDPR treats them as processors. Article 28 requires a written contract that sets out the subject-matter and duration of processing, the nature and purpose, types of personal data, categories of data subjects and the obligations and rights of the controller.

You should therefore:

  • Review the Data Processing Agreements (DPAs) offered by your providers and ensure they meet Article 28 requirements.
  • Verify whether data is transferred outside the EEA (for example to the United States). If so, ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, and follow EDPB recommendations on supplementary measures for transfers.
  • Keep an inventory of your main processors, what they do with data and under which safeguards.

Even as a small controller, you are responsible for choosing processors that provide sufficient guarantees for data protection and security.

8.4 Implement basic but solid security measures

Article 32 GDPR requires controllers and processors to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. For SMEs, the EDPB and national authorities often emphasise pragmatic, risk-based controls. Examples include:

  • Strong, unique passwords for business accounts and administrative access.
  • Multi-factor authentication (MFA) wherever available.
  • Regular software updates and patching, including on mobile devices.
  • Access controls: only those who need access to personal data should have it.
  • Encryption for laptops, USB sticks and cloud storage containing personal data.
  • Regular, secure backups of critical data, stored separately.
  • Basic training for staff and collaborators on phishing and safe handling of personal data.

Many data breaches affecting SMEs could have been prevented by these simple measures, and supervisory authorities often mention the lack of basic security as a major aggravating factor.

8.5 Prepare for data subject requests and potential breaches

Two types of events can quickly escalate into regulatory problems if you are not prepared: data subject requests and data breaches.

For requests, the steps described in section 6.2 are usually enough: a clear contact point, a simple workflow, and documented responses. For breaches, Article 33 GDPR requires notification to the supervisory authority “without undue delay and, where feasible, not later than 72 hours” after becoming aware of a personal data breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals. Article 34 may also require notifying the affected individuals in case of high risk.

The EDPB’s Guidelines 01/2021 on examples of data breach notification provide many real-life scenarios and show when notification is or is not required. Familiarising yourself with at least the basic examples will help you make informed decisions when something goes wrong.

8.6 Review your practices regularly

GDPR compliance is not something you set up once and then forget. Your business evolves: you add new services, new tools, new marketing channels. Legislation and regulatory guidance also evolve. A simple but effective habit is to schedule a yearly GDPR review where you:

  • Update your records of processing activities and privacy notice.
  • Review processor contracts and check whether any new tools were introduced informally.
  • Reassess retention periods and delete or anonymise data that is no longer needed.
  • Refresh basic staff training and remind people of security rules.
  • Check for new or updated guidance from the EDPB and your national authority.

This kind of light but regular maintenance is often enough to keep small businesses on the safe side and demonstrate accountability if ever asked by the regulator.

FAQ – Frequently asked questions about GDPR for small businesses and freelancers

1. I am a freelancer working alone. Does GDPR really apply to me?

Yes. If you process personal data of individuals (clients, prospects, course participants, newsletter subscribers), you are a controller under GDPR, regardless of whether you have employees. What matters is whether the processing is related to a professional or commercial activity and whether people can be identified, not the size of your business.

2. Do I need to appoint a Data Protection Officer (DPO) as a small business?

In most cases, no. Article 37 GDPR requires a DPO only for public bodies and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal data. Most micro-businesses and freelancers do not meet these thresholds. However, you should still designate someone (often yourself) to take responsibility for data protection tasks and consult experts when necessary.

3. If I have fewer than 250 employees, can I skip records of processing activities?

Not necessarily. The exception in Article 30(5) applies only if processing is occasional, of low risk and does not involve special categories of data or criminal data. For many small businesses, customer and employee data are processed continuously, so the processing is not “occasional”. In practice, regulators and EU guidance encourage SMEs to keep at least a simplified record of processing.

4. How do I choose the right lawful basis for processing my clients’ data?

Data that is strictly necessary to provide your service or supply products usually relies on the “contract” basis. Data you must keep because of tax or accounting rules relies on “legal obligation”. For certain marketing and analytics activities you may rely on “legitimate interests” if conditions are met, or on “consent” where required by GDPR and e-privacy rules. EDPB guidelines on consent and legitimate interests, together with your national DPA’s guidance, provide practical examples you can follow.

5. What are the most common GDPR mistakes made by small businesses?

Typical issues include: missing or incomprehensible privacy notices, sending marketing messages without valid consent or ignoring objections, no records of processing, using insecure systems (weak passwords, no access control), storing data for longer than necessary, and failing to respond to data subject requests. Many enforcement decisions against SMEs across the EU illustrate these points.

6. How big can GDPR fines be for a small company?

GDPR allows for fines up to 10 million EUR or 2% of worldwide annual turnover (for certain infringements), and up to 20 million EUR or 4% of turnover (for more serious ones), whichever is higher. In practice, fines imposed on small businesses are usually much lower, but they can still be painful relative to the company’s financial capacity. Authorities also use other corrective measures, such as warnings and orders to bring processing into compliance.

7. Is it enough to put a privacy policy link in the footer of my website?

A footer link is a good start, but not sufficient by itself. GDPR and transparency guidelines recommend that you inform individuals at the moment their data is collected. This means adding clear references to your privacy policy near sign-up forms, checkout pages, newsletter subscription boxes and other collection points, so people have a real opportunity to read it before sharing their data.

8. I only keep customer data in a simple Excel file. Do I still have GDPR obligations?

Yes. A spreadsheet with customer names, emails and orders is still a personal data filing system. You need a lawful basis, you must inform customers how you use their data, you must secure the file appropriately (passwords, backups, limited access) and you must be able to support their rights (access, rectification, erasure) in relation to that data.

9. Do I have to notify the authority every time I lose an email or misplace a USB stick?

Not every incident requires notification. Under Article 33 GDPR, you must notify the supervisory authority only when a personal data breach is likely to result in a risk to the rights and freedoms of individuals. Factors include the type and volume of data, whether sensitive data are involved, whether the data were encrypted and whether the breach has been contained. The EDPB’s data breach examples guidance provides detailed scenarios that help assess whether notification is necessary.