Privacy Regulations Apply to Businesses of Every Size
GDPR enforcement does not have a small-business exemption. The CNIL, ICO, and Irish DPC have all issued fines to organisations with fewer than 50 employees, often for basic failures such as missing privacy policies, unlawful marketing emails, or failing to respond to data subject access requests. Through 2024 and 2025, European data protection authorities imposed more than 2,200 fines totalling over 5.6 billion euros, and a growing share of those targeted SMBs.
The financial exposure is real. Under Article 83 of the GDPR, fines can reach up to 4% of annual global turnover. For a business generating 500,000 euros in revenue, that ceiling sits at 20,000 euros - enough to cause serious damage.
The good news is that building a privacy programme does not require enterprise-level spending. It requires focus.
Start with a Risk-Based Prioritisation
Trying to achieve full compliance on day one is a recipe for paralysis. A smarter approach is to rank your activities by risk and tackle them in order. Ask three questions about each data processing activity: how sensitive is the data, how many people does it affect, and what would happen if something went wrong?
Cookie consent and website tracking sit high on most SMB risk lists because regulators actively audit websites. A missing or misconfigured cookie banner is visible to anyone, including a regulator browsing your site.
Customer databases, email marketing lists, and employee records typically come next. Payment data carries its own compliance layer through PCI DSS, which your payment processor usually handles, but you remain responsible for how you store and access transaction records.
A Simple Priority Matrix
| Priority | Activity | Why It Ranks Here | Typical Cost |
|---|---|---|---|
| 1 - Immediate | Cookie consent and tracking compliance | Publicly visible, actively enforced | Free to low-cost CMP |
| 2 - Immediate | Privacy policy and cookie policy | Legal requirement under GDPR Article 13 | Template or generator tool |
| 3 - High | Data subject request process | 30-day response deadline under GDPR | Shared inbox or simple workflow |
| 4 - High | Vendor and processor agreements | Required under GDPR Article 28 | Template DPAs |
| 5 - Medium | Records of processing activities | Required for most controllers | Spreadsheet |
| 6 - Medium | Data breach response plan | 72-hour notification under GDPR Article 33 | Internal document |
| 7 - Lower | Data Protection Impact Assessment | Only mandatory for high-risk processing | Template or consultant |
Cookie Consent: The Most Visible Compliance Step
Your website is the first thing a regulator or a privacy-conscious visitor sees. Under Article 5(3) of the ePrivacy Directive, non-essential cookies require informed consent before they are set. That includes analytics trackers like `_ga`, advertising pixels like `_fbp`, and session replay tools.
A consent management platform is the most cost-effective compliance tool an SMB can adopt. It handles cookie scanning, categorisation, banner display, consent recording, and script blocking - tasks that would otherwise require developer time every time you add a new tool to your site. Kukie.io offers a free tier that covers many SMB use cases, including automated scanning and geo-targeted banners.
Getting this wrong is expensive. The CNIL fined several organisations in 2024 for setting `_ga` and `_fbp` cookies before obtaining consent, with penalties ranging from 10,000 to 100,000 euros depending on traffic volume.
Privacy Policies and Legal Documents on a Budget
Every website that processes personal data needs a cookie policy and a privacy policy. These documents must explain what data you collect, why, on what legal basis, and how visitors can exercise their rights.
Hiring a privacy solicitor to draft these from scratch can cost 1,500 to 5,000 pounds. For most SMBs, a policy generator tool provides a solid starting point. Several CMPs, including Kukie.io, offer built-in policy generators that stay synchronised with your actual cookie inventory.
The key is accuracy. A generic privacy policy copied from another website is worse than useless if it does not reflect your actual data processing. Regulators have fined organisations specifically for privacy notices that did not match reality.
Handling Data Subject Requests Without Dedicated Software
Under GDPR Article 15, individuals can request access to their personal data. You have 30 calendar days to respond. Other rights include erasure (Article 17), rectification (Article 16), and data portability (Article 20).
Enterprise-grade data subject request platforms cost thousands per year. An SMB processing a handful of requests per month does not need one.
Set up a dedicated email address such as privacy@yourdomain.com. Create a simple spreadsheet to log each request with the date received, type of request, requester identity verification status, response deadline, and completion date. This gives you an audit trail without any software cost. If request volumes grow, you can move to a ticketing system later.
Vendor Agreements and Third-Party Script Management
Every third-party service that processes personal data on your behalf needs a Data Processing Agreement under GDPR Article 28. This covers your email marketing platform, analytics provider, CRM, payment processor, and any tracking pixels on your site.
Most major SaaS providers already offer standard DPAs. Check their legal or trust pages. Google, HubSpot, Mailchimp, and Stripe all provide downloadable DPAs at no cost. Your job is to collect and store them.
For the scripts running on your website, conduct a vendor risk assessment. Run a cookie scan to identify every third-party domain your site contacts. For each vendor, confirm that a DPA is in place and that the cookies are correctly categorised in your CMP. This single exercise often reveals tracking scripts left over from campaigns that ended months ago.
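The two checks described above (no analytics or advertising cookies before consent, and every cookie found by a scan matching a category in your CMP) can be scripted. The following is an added example, not code from Kukie.io or any CMP; the categorisation table, the consent record, the domains and the scan result are all constructed for illustration.

```javascript
// Added example, not code from Kukie.io or any real CMP: audits a cookie scan
// taken on a page load made BEFORE the visitor answered the banner.
// Constructed CMP categorisation; keys ending in "_" are prefixes (GA4 names
// its cookies _ga_<measurement id>, one per property).
const CMP_CATEGORIES = {
  session_id: "necessary", csrf_token: "necessary",
  _ga: "analytics", _ga_: "analytics", _gid: "analytics",
  _fbp: "marketing", hubspotutk: "marketing",
};
// Consent state a CMP holds before the visitor clicks anything: only
// strictly necessary cookies are permitted.
const DEFAULT_CONSENT = { necessary: true, analytics: false, marketing: false };
// Map a cookie name to its CMP category, or "uncategorised" when the CMP has
// never seen it (typically a tag left over from a campaign that ended).
function categorise(name) {
  if (Object.prototype.hasOwnProperty.call(CMP_CATEGORIES, name)) return CMP_CATEGORIES[name];
  for (const key of Object.keys(CMP_CATEGORIES)) {
    if (key.endsWith("_") && name.startsWith(key)) return CMP_CATEGORIES[key];
  }
  return "uncategorised";
}
// Script-blocking rule: a tag in a category may be injected only once the
// consent record grants that category.
function mayLoad(category, consent) {
  return consent[category] === true;
}
// Compare observed cookies with the consent record. Each finding is something
// to fix: a tag that fired before consent, or a cookie nobody has categorised.
function auditScan(observedCookies, consent) {
  const findings = [];
  for (const cookie of observedCookies) {
    const category = categorise(cookie.name);
    if (category === "uncategorised") {
      findings.push({ name: cookie.name, domain: cookie.domain, issue: "uncategorised" });
    } else if (!mayLoad(category, consent)) {
      findings.push({ name: cookie.name, domain: cookie.domain, issue: `${category} cookie set before consent` });
    }
  }
  return findings;
}
// Constructed scan result: cookies present right after the first page load.
const PRE_CONSENT_SCAN = [
  { name: "session_id", domain: "shop.example" },
  { name: "_ga", domain: ".shop.example" },
  { name: "_ga_ABC123XYZ", domain: ".shop.example" },
  { name: "_fbp", domain: ".shop.example" },
  { name: "__hssc", domain: ".shop.example" },
];
console.log(auditScan(PRE_CONSENT_SCAN, DEFAULT_CONSENT));
```

Run it against a real scan export and a CMP export and the findings list is your quarterly review checklist: each "set before consent" entry is a tag to move behind the banner, and each "uncategorised" entry is a vendor to either document with a DPA or remove.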
Records of Processing and Breach Response
Article 30 of the GDPR requires controllers to maintain records of processing activities. Many SMBs assume this is optional for small organisations, but the exemption under Article 30(5) is narrow - it only applies if your processing is occasional, does not include special category data, and is unlikely to result in a risk to individuals. Regular website analytics and email marketing do not qualify as occasional.
A spreadsheet is sufficient. For each processing activity, record the purpose, categories of data subjects, categories of personal data, recipients, retention periods, and a general description of security measures. The ICO and CNIL both publish free templates.
Your breach response plan does not need to be a 40-page document. It needs to answer four questions: who assesses the breach, who decides whether to notify the supervisory authority, how you notify within 72 hours, and how you document the incident. Write it down, share it with your team, and test it once a year.
Affordable Tools for Each Compliance Layer
The total cost of a basic privacy programme for an SMB can sit well below 1,000 pounds per year if you choose tools strategically. Free and low-cost options exist for every core requirement.
| Compliance Area | Free or Low-Cost Option | When to Upgrade |
|---|---|---|
| Cookie consent | CMP with free tier (e.g. Kukie.io) | When traffic exceeds free tier limits |
| Privacy and cookie policies | CMP-integrated policy generator | When processing becomes complex or multi-jurisdictional |
| Data subject requests | Dedicated email + spreadsheet log | When request volume exceeds 10 per month |
| Records of processing | Spreadsheet using ICO/CNIL template | When processing activities exceed 20-30 |
| DPA management | Folder of signed agreements | When vendor count exceeds 30-40 |
| Cookie scanning | Free cookie scanner | When you need scheduled, automated scans |
| Breach response | Internal document and checklist | When you handle sensitive data at scale |
The pattern is clear: start with the simplest tool that meets the legal requirement, and upgrade only when your processing activities or request volumes outgrow it.
Building Compliance Into Daily Operations
A privacy programme fails when it exists only as a set of documents in a folder. The SMBs that stay compliant are the ones that build privacy checks into their existing workflows.
Before launching any new marketing campaign, ask: does this involve a new tracking pixel or cookie? If yes, update your CMP configuration and run a cookie scan. Before signing up for a new SaaS tool, check whether a DPA is available and whether the tool transfers data outside your jurisdiction.
Schedule a quarterly review. Spend one hour checking that your cookie scan results match your banner categories, your privacy policy still reflects reality, and your records of processing are up to date. This single habit prevents the slow drift from compliance to non-compliance that catches most organisations off guard.
Train your team. Privacy awareness does not require a formal course - a 30-minute briefing covering how to recognise a data subject request, what constitutes a data breach, and who to escalate to is enough for most small teams.
Frequently Asked Questions
Do small businesses need to comply with GDPR?
Yes. The GDPR applies to any organisation that processes personal data of individuals in the EU, regardless of the organisation's size or revenue. There is no small business exemption.
How much does GDPR compliance cost for a small business?
A basic privacy programme using free and low-cost tools can cost under 1,000 pounds per year. The main expenses are a consent management platform, policy documents, and occasional legal advice for complex questions.
What is the first step in building a privacy programme?
Start with cookie consent and your website privacy policy, because these are publicly visible and actively enforced by regulators. A CMP handles the technical side of consent, while a privacy policy addresses your legal disclosure obligations.
Can I use a spreadsheet for GDPR record-keeping?
Yes. The GDPR does not prescribe a specific format for records of processing activities. A spreadsheet using a template from the ICO or CNIL meets the requirement, provided it contains all the fields specified in Article 30.
Do I need a Data Protection Officer if I am a small business?
Most SMBs do not. A DPO is mandatory only if your core activities involve large-scale monitoring of individuals or large-scale processing of special category data. A small e-commerce site or marketing agency typically does not meet this threshold.
What happens if a small business ignores data subject requests?
Failing to respond within 30 days can result in a complaint to the supervisory authority, an investigation, and a fine. Even modest penalties of a few thousand euros can be significant for a small business.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.