Misconceptions · Updated: 6 April 2026 · 4 min read

Misconception: GDPR Only Applies to Large Companies

A persistent misconception is that the GDPR only applies to large companies. The truth: GDPR applies to every organisation that processes personal data, regardless of size. This article explains what that means for you.

Key Takeaways
  • GDPR applies to every organisation that processes personal data, from freelancer to multinational
  • Even if you only have 2 employees and a customer list of 50 people, you fall under GDPR
  • There are some exemptions for small organisations, such as not being required to appoint a DPO, but the core obligations apply to everyone
  • Processing personal data is broader than you think: an email list, personnel file, or customer database already counts

The misconception

“GDPR is only for big tech companies, right? There are just five of us, that doesn’t apply to us.”

This is perhaps the most widespread misconception about the GDPR. And it’s understandable how it arose: the news always features fines for Google, Meta, or Amazon. From this, many business owners conclude that GDPR is a problem for the big players, not for SMEs.

But the text of the law is crystal clear.

What the law actually says

Article 2 of the GDPR describes its scope. The regulation applies to the processing of personal data, wholly or partly by automated means, and to the non-automated processing of personal data which forms part of a filing system or is intended to form part of a filing system.

Nowhere does it say: “only if you have more than X employees” or “only if your turnover exceeds Y.”

Every organisation that processes personal data falls under the GDPR. Full stop.

What counts as processing personal data?

Processing is a broad concept. It includes:

  • Collecting personal data (a contact form on your website)
  • Storing personal data (a customer list in Excel or your CRM)
  • Using personal data (sending a newsletter)
  • Sharing personal data (passing customer data to your accountant)
  • Retaining personal data (personnel files in your cabinet or on your server)

If you do even one of these things, and virtually every business does, you fall under the GDPR.

What does this mean concretely for small businesses?

What you MUST do

Regardless of your business size, you are required to:

  1. Have a legal basis for every processing of personal data (consent, contract, legal obligation, legitimate interest, etc.)
  2. Be transparent about what you do with personal data (privacy policy)
  3. Enter into processing agreements with parties that process data on your behalf
  4. Respond to requests from data subjects (access, deletion, rectification) within 30 days
  5. Report data breaches to the supervisory authority within 72 hours if there is a risk to data subjects
  6. Maintain a processing register (in practice required for virtually every business)

Where you DO get relief

There are some reliefs for smaller organisations:

  • You don’t always need to appoint a Data Protection Officer (DPO), unless your core activity consists of processing special categories of data or large-scale monitoring
  • A Data Protection Impact Assessment (DPIA) is only required for high-risk processing
  • Documentation requirements may be proportionate to your business size

But note: these reliefs concern specific additional requirements. The core obligations apply to everyone.

Real examples

This is not theory. Supervisory authorities across Europe actively enforce against small organisations:

  • Greece (2023): a small employer received a fine of $8,000 for installing cameras without adequately informing employees
  • Spain (2023): a local gym was fined $7,000 for sharing members’ health data without consent
  • Italy (2022): a small webshop received a fine of $10,000 for not honouring a deletion request
  • Poland (2024): a sole trader received a fine of $4,500 for lacking a processing register

The supervisory authorities have repeatedly emphasised that business size does not exempt you from the GDPR.

Why this is actually an opportunity

Instead of seeing GDPR as a burden that doesn’t apply to you, you can look at it differently. As a small business, you have an advantage: you probably process less personal data than a large company, which means your compliance is simpler.

Most SMEs can get their GDPR basics in order in a few weeks. No month-long projects, no expensive consultants. Just get the basics right:

1. Map what you process

Make a list of all personal data you process: customers, employees, suppliers, website visitors. That is your processing register.

2. Arrange your agreements

Enter into processing agreements with your accountant, email provider, CRM vendor, and other processors.

3. Inform your customers and employees

Draft a privacy policy that matches what you actually do. Not a copied document from the internet, but a clear explanation of your processing activities.

4. Make a plan for requests and incidents

Know what to do when a customer asks for access or deletion. Know what to do in case of a data breach.

Want to know where you really stand?

GDPRWise scans your website and gives you a complete picture of your GDPR status. In 15 minutes you'll know what's in order and what you still need to arrange.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.