GDPR applies to you — yes, even as a small business
There is a common misconception that the General Data Protection Regulation only targets multinational corporations or Silicon Valley giants. In reality, the regulation applies to any organization — regardless of size or location — that processes personal data of individuals residing in the European Union. If you have a Shopify store, run a SaaS product, collect email addresses through a newsletter sign-up form, or use Google Analytics on your website, you are almost certainly processing personal data covered by the GDPR.
Enforcement bears this out. In 2025 alone, supervisory authorities across Europe issued fines to businesses with fewer than 50 employees. The Spanish AEPD, the Italian Garante, and the French CNIL have all demonstrated that company size is no defense. A single complaint from a customer or a routine audit from a data protection authority can trigger an investigation — and the penalties can reach €20 million or 4% of annual global turnover, whichever is greater.
What "personal data" actually means
Before diving into specific obligations, it helps to understand what constitutes personal data under the GDPR. The definition is intentionally broad: any information that relates to an identified or identifiable natural person. This includes the obvious (names, email addresses, phone numbers) as well as less obvious data points like IP addresses, cookie identifiers, device fingerprints, purchase histories, and location data.
If your website uses analytics, if your e-commerce platform stores customer orders, if your CRM holds client records, or if your email marketing tool tracks open rates — you are processing personal data. The question is not whether the GDPR applies to you, but how to comply efficiently without derailing your business.
The six things every small business needs to do
Getting compliant does not require hiring a law firm or spending months buried in legalese. It does require addressing six core areas:
1. Establish a lawful basis for processing
Every time you collect or use personal data, you need a valid legal reason for doing so. The GDPR defines six lawful bases, but the two most relevant for small businesses are consent (the individual actively agreed) and legitimate interest (you have a genuine business reason, and it does not unfairly override the individual's rights). For marketing emails, you typically need consent. For processing an order a customer placed, legitimate interest or contractual necessity applies.
2. Write a privacy policy that actually explains what you do
Your privacy policy is not just a legal formality — it is a transparency obligation under Articles 13 and 14 of the GDPR. It needs to explain what data you collect, why you collect it, who you share it with, how long you keep it, and what rights individuals have. It should be written in plain language, not in legal jargon that nobody reads.
3. Implement proper cookie consent
If your website drops cookies — and almost every website does via analytics, advertising, or embedded content — you need to obtain consent before those cookies are placed. A simple banner that says "we use cookies" is not enough. You need a mechanism that allows visitors to actively accept or reject different categories of cookies, and you need to respect those choices. The days of pre-ticked checkboxes are over.
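The gating described above can be made concrete in a few dozen lines of client-side logic. The following is an added example written for this post, not Dxtra's code or any library's API: a category-based consent store in which nothing but strictly necessary cookies is allowed until the visitor actively decides, unknown or tampered values are treated as no consent, and third-party scripts are only activated once their category has been granted. The category names, the cookie name and the idea of tagging each script with a category are assumptions made for the example.

```javascript
// Added example (not Dxtra's code): a minimal category-based cookie consent
// store. Category names, the cookie name and the script tagging scheme are
// assumptions made for this example.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name

// State before the visitor has decided: only strictly necessary cookies are
// allowed, nothing else is pre-ticked.
function defaultConsent() {
  return {
    version: 1,
    decided: false,
    choices: { necessary: true, analytics: false, marketing: false },
  };
}

// Record the categories the visitor actively enabled. Anything not in
// `accepted` is rejected; "necessary" is always on because it needs no consent.
function applyChoices(accepted) {
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = c === "necessary" ? true : accepted.includes(c);
  }
  return { version: 1, decided: true, choices };
}

// Only an explicit `true` for a known category allows the cookie; unknown
// categories and anything that is not a boolean are denied.
function isAllowed(state, category) {
  if (!CATEGORIES.includes(category)) return false;
  return state.choices[category] === true;
}

// Cookie value written once the visitor decides (the caller sets Path,
// SameSite and Max-Age when issuing the Set-Cookie).
function serialize(state) {
  return encodeURIComponent(JSON.stringify(state));
}

// Read the consent cookie back from an "a=b; c=d" Cookie string. A missing,
// malformed or tampered value falls back to the default (nothing granted).
function parseConsent(cookieString) {
  const fallback = defaultConsent();
  for (const pair of (cookieString || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(pair.slice(idx + 1).trim()));
      if (parsed.version !== 1 || typeof parsed.choices !== "object" || parsed.choices === null) {
        return fallback;
      }
      const choices = {};
      for (const c of CATEGORIES) {
        // Strict boolean only: "yes", 1 and similar count as not consented.
        choices[c] = c === "necessary" ? true : parsed.choices[c] === true;
      }
      return { version: 1, decided: parsed.decided === true, choices };
    } catch {
      return fallback;
    }
  }
  return fallback;
}

// Decide which tagged scripts may run. In the page each would be a
// <script type="text/plain" data-category="analytics" data-src="..."> that is
// only turned into a real script once its category is allowed.
function scriptsToActivate(state, scripts) {
  return scripts.filter((s) => isAllowed(state, s.category));
}

// Constructed sample: the scripts a small shop might embed.
const SAMPLE_SCRIPTS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Walk through a visit: nothing optional before the choice, analytics only after.
function demo() {
  const before = scriptsToActivate(defaultConsent(), SAMPLE_SCRIPTS).map((s) => s.src);
  const after = applyChoices(["analytics"]);
  const roundTrip = parseConsent(`${CONSENT_COOKIE}=${serialize(after)}; other=1`);
  const afterSrcs = scriptsToActivate(roundTrip, SAMPLE_SCRIPTS).map((s) => s.src);
  return { before, afterSrcs };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The important design choices are the defaults: the state starts with every optional category rejected, a stored value is only honoured when it is an explicit boolean `true` for a known category, and anything unparseable is treated as if the visitor had never consented, so a broken or edited cookie can only ever lead to fewer cookies being set, never more.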
4. Handle data subject rights requests
Under the GDPR, individuals have the right to access the data you hold on them, correct inaccuracies, request deletion, restrict processing, receive their data in a portable format, and object to processing. You have 30 days to respond to most requests. You do not need to build a complex system, but you do need a documented process for receiving, verifying, and fulfilling these requests.
5. Maintain a record of processing activities
Article 30 of the GDPR requires most organizations to maintain a Record of Processing Activities (ROPA). This is essentially a register of what personal data you process, why, under which lawful basis, who has access, where the data is stored, and how long you retain it. For small businesses, this does not need to be complex — a structured document or a digital register will suffice.
6. Report breaches within 72 hours
If you experience a personal data breach that is likely to result in a risk to individuals' rights and freedoms, you must notify the relevant supervisory authority within 72 hours. If the risk is high, you must also notify the affected individuals. Having a basic incident response plan in place — knowing who to contact, how to assess the breach, and what to report — is essential.
The AI-powered shortcut
Traditionally, addressing these six areas meant engaging a consultant (typically $5,000–$20,000 for an initial assessment) or purchasing enterprise-grade privacy management software ($500–$10,000 per month). Neither option is practical for a business generating $50,000 or $500,000 in annual revenue.
This is the gap Dxtra was built to fill. By answering questions about your business — what data you collect, which tools you use, where your customers are located — Dxtra's AI generates your privacy program: privacy policy, cookie policy, data processing records, consent management, a public Transparency Center, and more. Setup takes up to 10 minutes for the questionnaire and up to 60 minutes for AI generation, starting at $10 per month.
The platform monitors for regulatory changes and updates to your data processing activities, automatically scheduling regeneration when something changes. You review, approve, and publish — staying compliant without ongoing consultant fees or manual spreadsheet management.
Common mistakes to avoid
Even with the right tools, there are pitfalls that trip up small businesses. Relying on a generic privacy policy template you found online is one — these are rarely specific enough to your actual data processing activities. Assuming that nobody will notice because you are small is another — regulators increasingly use automated monitoring tools, and customer complaints are the most common trigger for investigations.
Ignoring third-party data processing is another frequent mistake. If you use Mailchimp to send newsletters, Stripe to process payments, or Google Analytics to track website visitors, each of those providers is a data processor acting on your behalf. You need to ensure you have data processing agreements in place and that you disclose these processors in your privacy notices.
Getting started today
Privacy compliance is not a project you complete once and forget about. It is an ongoing program that needs to evolve as your business grows, as your tools change, and as regulations are updated. The good news is that getting started is far simpler and more affordable than it was even two years ago.
The first step is understanding what data you actually collect and how it flows through your business. The second step is putting the right documentation and processes in place. The third step is making it visible — showing your customers that you take their data seriously. That combination of compliance, process, and transparency is what separates businesses that thrive from businesses that get caught off guard.
