
If you sell products or services online and even one of your customers is based in the EU, GDPR applies to your business. That's not a technicality or a gray area – it's how the regulation is written. The General Data Protection Regulation doesn't care where your business is headquartered. What matters is where your customers are located and whether you're collecting or using their personal data. For a small US-based business that's started attracting European customers, that can come as a surprise. Here's what it actually means in practice and what you need to do about it.

GDPR is a comprehensive data privacy law enacted by the European Union in 2018. Its core principle is that individuals have the right to control their own personal data – who collects it, how it's used, how long it's kept, and whether it can be shared. The law applies to any organization, anywhere in the world, that processes personal data belonging to EU residents. Personal data under GDPR is broadly defined: it includes names, email addresses, IP addresses, purchase history, location data, cookie identifiers, and anything else that can be used to identify a person.
If you run an e-commerce store that ships to Germany, a newsletter that EU residents subscribe to, a SaaS product with European users, or a service business that's signed a client in France – GDPR is in play. The regulation was designed specifically to have extraterritorial reach, meaning the EU is explicitly asserting jurisdiction over foreign businesses that serve EU residents. Enforcement has become increasingly active since the early years of implementation, and fines have been issued to businesses large and small across a wide range of industries.
This is where many small business owners underestimate their exposure. Under GDPR, personal data is essentially anything that can be linked back to an identifiable individual, either directly or indirectly. A first name and an email address are obviously personal data. So is a name combined with a company. But so is an IP address logged in your analytics platform, a cookie ID stored in a website visitor's browser, a shipping address, a phone number, purchase history linked to an account, and behavioral data about how a user interacts with your website.
This matters because most small businesses are collecting more personal data than they realize, through mechanisms they may not have actively set up. Your website analytics tool collects IP addresses and behavioral data. Your email marketing platform stores email addresses and engagement data. Your e-commerce platform stores purchase history and shipping addresses. Your support tool stores names and conversation history. Each of these data points, under GDPR, comes with obligations around how it's handled.
GDPR imposes several specific requirements. Not all of them are equally burdensome for a small business, but they all need to be addressed.
Lawful basis for processing. Under GDPR, you need a legitimate legal basis for collecting and using personal data. For most small businesses, the relevant bases are consent (the person explicitly agreed to their data being used for a specific purpose), contractual necessity (you need the data to fulfill an order or provide a service the person purchased), or legitimate interest (you have a genuine business reason that doesn't override the person's rights). You need to identify and document your lawful basis for each type of data processing you do – this doesn't have to be complex, but it needs to exist.
Privacy notice. You're required to tell people what data you collect, why you collect it, how long you keep it, who you share it with, and what their rights are. This is typically done through a privacy policy page on your website. Most small businesses have some version of this already, but many existing privacy policies don't meet GDPR's requirements for specificity and clarity. If your privacy policy was generated by a generic tool and hasn't been reviewed recently, it likely needs updating.
Cookie consent. If your website uses cookies – and virtually all of them do – you're required to obtain prior consent before placing non-essential cookies on a visitor's device. Analytics cookies, advertising cookies, and social media tracking pixels are all non-essential cookies. The consent must be specific, informed, and freely given: a pre-ticked box or a banner that says "By using this site you agree to cookies" doesn't meet the standard. Proper cookie consent management requires a consent banner that gives users a real choice and doesn't place non-essential cookies until they agree.
Data subject rights. EU residents have specific rights regarding their personal data that you're obligated to honor. These include the right to access their data (they can ask what you have on them and you must provide it), the right to correction (they can ask you to fix inaccurate data), the right to erasure (the "right to be forgotten" – they can ask you to delete their data), the right to data portability, and the right to object to certain types of processing. You need a process for receiving and responding to these requests within one month.
Data processing records. Businesses that regularly process EU residents' data are expected to maintain records of their processing activities – what data they collect, why, where it's stored, how long they keep it, and who they share it with. For a small business, this doesn't need to be elaborate, but some form of documented record should exist.
Data breach notification. If you experience a data breach that affects EU residents' personal data, you're required to notify the relevant supervisory authority within 72 hours of becoming aware of it. If the breach poses a high risk to the individuals affected, you must also notify them directly. This means you need a basic incident response process in place before a breach happens, not after.
Cookie compliance is the area where most small businesses are the furthest out of compliance, because it requires both a technical implementation and an ongoing management process. A compliant cookie setup requires a consent management platform (CMP) – a tool that intercepts non-essential cookies before they're placed, presents a real consent choice to visitors, records consent decisions, and only activates cookies that a visitor has consented to.
Several CMP solutions are designed for small businesses and integrate with common website platforms. Cookiebot and Usercentrics are widely used options that work with WordPress, Shopify, and most other platforms. Pricing typically starts around $10 to $15 per month for small sites. Free options exist but often have limitations on functionality or traffic volumes. This is one area where skimping on implementation creates real legal exposure, because cookie compliance is one of the more visible and easily auditable aspects of GDPR.
GDPR fines are calculated as a percentage of global annual revenue, which is designed to make them proportional at any company size. The maximum fines are €20 million or 4% of global annual turnover for the most serious violations, and €10 million or 2% for less serious ones. For a small business, the fine amounts in practice have generally been lower – but enforcement actions against smaller businesses do happen, and the reputational damage of a public enforcement action is real regardless of the fine amount.
More practically for US-based small businesses: EU-based supervisory authorities can and do act on complaints from individual consumers. If an EU customer files a complaint with their national data protection authority about how your business handled their data, that authority can investigate and impose requirements even if your business has no physical presence in the EU. The complaint mechanism is accessible to individual consumers and has been used. EU residents who take privacy seriously – and there are many of them – know these rights exist.
Beyond regulatory risk, there's a practical business case for compliance. EU customers are increasingly privacy-aware and more likely to choose businesses that visibly respect their data rights. A clear, honest privacy practice builds trust in a way that opaque data handling doesn't.
Getting to a reasonable baseline of GDPR compliance doesn't require a legal department or a complete technology overhaul. A practical starting point for most small businesses involves four concrete steps.
First, audit what personal data you actually collect and where it goes. Map your customer journey from initial contact through sale and follow-up, and identify every point where personal data is collected, stored, or shared with a third party (payment processors, email platforms, analytics tools, shipping providers). This audit is the foundation for everything else.
Second, update your privacy policy to meet GDPR's transparency requirements. If you don't have a GDPR-compliant privacy policy, Termly and iubenda are tools that help small businesses generate compliant policies for a monthly fee (typically $10 to $25 per month). For anything complex or if significant revenue is at stake, having a lawyer review your policy is worth the investment.
Third, implement a proper cookie consent solution on your website. This is non-negotiable if your site uses any analytics, advertising, or social media tracking. Choose a CMP, configure it correctly, and test it to confirm that non-essential cookies are not placed before a user consents.
Fourth, create a simple process for handling data subject requests. This can be as straightforward as a dedicated email address for privacy requests, a documented internal process for how you'd retrieve and export or delete a specific person's data, and a note in your calendar to respond within the required one-month window.
Assuming GDPR doesn't apply because you're a US business is the most costly assumption you can make. The regulation explicitly applies based on where your customers are, not where you are. If you're actively selling into the EU – accepting payment, shipping goods, providing services – you're in scope.
Treating a generic privacy policy as sufficient is another common gap. Most generic privacy policy generators don't produce GDPR-compliant output. The specificity required around lawful basis, data retention periods, and data subject rights is often missing from templated policies.
Implementing a cookie banner that doesn't actually block cookies until consent is given is worse than having no banner at all from a regulatory standpoint – it creates a false impression of compliance while still placing cookies without consent. Test your implementation to confirm it's working correctly.
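To make the "test your implementation" step concrete, here is an added JavaScript model (not code from the article or from any CMP vendor) of what a compliant consent gate has to do: non-essential tags are held back until the visitor consents to their category, each decision is recorded, and audit() lists any cookie that is present without consent or was never declared. The cookie jar is injected, so it runs as-is in Node with an in-memory Map; in a browser you would wrap document.cookie. Cookie names, categories and values are constructed for the example.

```javascript
// Cookie declaration: the category of each known cookie (constructed names
// modelled on common analytics/advertising cookies; adapt to your own site).
const COOKIE_CATEGORIES = { session_id: "essential", _ga: "analytics", _gid: "analytics", _fbp: "advertising" };
// jar: anything with set(name, value) and keys(); a Map here, a thin wrapper
// around document.cookie in a browser.
function createConsentGate(jar) {
  const consent = { essential: true, analytics: false, advertising: false };
  const pending = { analytics: [], advertising: [] };
  const decisions = []; // consent decisions, which the CMP must record
  // A tag is a function that sets its cookies through jar.set(name, value).
  function register(category, tag) {
    if (!(category in consent)) throw new Error("unknown category: " + category);
    if (consent[category]) tag(jar); // essential, or already consented to
    else pending[category].push(tag); // held back until the visitor opts in
  }
  // Called with the categories the visitor actively ticked in the banner.
  function grant(categories) {
    const granted = [];
    for (const c of categories) {
      if (!(c in pending) || consent[c]) continue;
      consent[c] = true;
      granted.push(c);
      for (const tag of pending[c].splice(0)) tag(jar); // release queued tags
    }
    decisions.push({ granted, at: new Date().toISOString() });
    return granted;
  }
  // The pre-launch test: cookies present without consent, or not declared.
  function audit() {
    const violations = [];
    for (const name of jar.keys()) {
      const category = COOKIE_CATEGORIES[name];
      if (!category) violations.push(`${name} (undeclared)`);
      else if (!consent[category]) violations.push(`${name} (${category} without consent)`);
    }
    return violations;
  }
  return { register, grant, audit, decisions };
}
// Walk-through with a constructed in-memory jar: only the essential cookie
// exists before the visitor chooses; granting "analytics" releases _ga/_gid
// while the advertising tag stays held, and audit() reports no violations.
function demo() {
  const jar = new Map();
  const gate = createConsentGate(jar);
  gate.register("essential", (j) => j.set("session_id", "s1"));
  gate.register("analytics", (j) => { j.set("_ga", "GA1.1"); j.set("_gid", "GA1.2"); });
  gate.register("advertising", (j) => j.set("_fbp", "fb.1"));
  const before = [...jar.keys()];
  gate.grant(["analytics"]);
  return { before, after: [...jar.keys()], violations: gate.audit() };
}
```

Running audit() against a page whose banner sets cookies regardless of the visitor's choice is exactly the check that exposes the "banner that doesn't block" problem described above.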
Finally, not keeping any records of your compliance efforts is a mistake. Regulators look more favorably on businesses that have made genuine, documented efforts to comply, even if those efforts aren't perfect. A simple document recording your data inventory, lawful bases, retention periods, and vendor list takes an afternoon to create and demonstrates good faith.
Does GDPR apply to me if I only occasionally sell to EU customers? Yes. GDPR applies based on targeting EU residents, not on transaction volume. If you're marketing to EU residents or accepting orders from them, even occasionally, the regulation applies. Some businesses choose to geo-block EU visitors to avoid the compliance obligation, though this also means losing EU business entirely.
Do I need to appoint a Data Protection Officer (DPO)? Probably not, for most small businesses. The DPO requirement under GDPR applies to public authorities, businesses whose core activities involve large-scale systematic monitoring of individuals, or businesses whose core activities involve large-scale processing of special categories of sensitive data (health data, biometric data, etc.). Standard small business operations – selling products or services, marketing to customers – typically don't trigger this requirement.
What do I do if an EU customer asks me to delete their data? Honor the request. Export or compile whatever personal data you hold for that person, delete it from your systems (including email lists, CRM records, and any other platforms where it's stored), and confirm to them in writing that it's been done. If you have a legitimate legal reason to retain certain data – for example, tax records of a transaction may need to be kept for a statutory period – you can retain that specific data while deleting everything else.
Can I use US-based cloud services (Google, AWS, Shopify) to store EU customer data? Yes, with appropriate safeguards. Major US cloud providers have established data transfer mechanisms that allow EU personal data to be transferred to and stored in the US legally, including Standard Contractual Clauses (SCCs) and participation in the EU-US Data Privacy Framework. Most major platforms (Google Workspace, AWS, Shopify, Mailchimp, etc.) have made the required commitments and provide the necessary documentation. Check your service providers' data processing agreements to confirm.
What's the difference between GDPR and the UK GDPR? Following Brexit, the UK established its own version of GDPR – UK GDPR – that is closely modeled on the EU regulation but operates independently. If you sell to UK customers as well as EU customers, you technically need to comply with both. In practice, the requirements are very similar, and compliance with EU GDPR generally covers UK GDPR requirements as well, though there are some differences in supervisory authority and data transfer mechanisms.