Consent Preferences

Does GDPR apply to a single person business or small SME?

by | Apr 23, 2023 | Ask Eileen, GDPR Advice

In a nutshell…..Yes, it does.

GDPR came into law on 25th May 2018 and from that date it has become the responsibility of the business to make sure they are operating with the GDPR guidelines. it does not matter if your business consists of just you, or you and one other, or you and 20 others – as a business owner it is up to you to abide by the GDPR Guidelines.

As an operating business, you must have clients or customers to make money and usually in order to make that money you have to collect some sort of personal data from them.

Lets look at a business selling via social media as an example. This (fictional) company sells via their instagram account.

Buy Gems Onlinee has under 400 followers, and under 50 customers, they hold one sale a week of whichever stock they have & each piece is €20. Customers can message in or comment on the post with what they want to buy and the person running the business messages them to confirm & send an invoice and PayPal link to pay.

It seems innocent enough however there is a lot of personal data being collected there. Names, Addresses, Card Details on Paypal, while there is certainly less data being collected than a larger operation selling online and in a store, under the regulations Data is Data and must be protected.

This seemingly simple social media seller needs to be putting policies in place and making sure that the Data they are collecting is compliant within the GDPR Guidelines.


If you offer services as opposed to a product the same rules apply. To carry out a service you need to collect some personal data. Using a Gas repair person as an example, if a client contacts you by phone to talk about their broken boiler you now have their phone number. If you write down their address on a bit of paper then you are responsible for that data. If you then enter this address into Google Maps its now on your phone. This is all personal data and how you not only gather (in this case phone and paper),  process, use, store and retain this information are all areas to look at. Google Maps will save that address in its cache for how long? Once you’ve completed the job what happens to the bit of paper with the address written on?

1) Why am I gathering this information – is it strictly necessary or is it excessive

ie do I need three contact numbers for the client?

2) Am I processing this data only for what it was gathered for? Are you adding names

and emails to marketing/mailing lists because they are clients/customers? This is a big no-no


3) How long are you storing this personal information for? Did you offer a guarantee

with the sale of your product or service? Do you need to record the personal data in a few

different areas on your business? Accounts, receipts, mailing lists, emails, social media etc


4) How are you storing this personal data? Is it stored on paper? Or maybe on the

computer or in a CRM? Is it secure? Finally – are you storing if for longer than necessary?


Go through the above questions and see If you have information that could be deleted- it will surprise you to see just how much personal data you are storing.

This is one step your GDPR programme no matter the size of your business!