Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Does GDPR Only Affect Large Companies?
- What Counts as Processing Personal Data?
- Does UK GDPR Only Apply to B2C Companies?
- Who Does GDPR Affect? Some Real-World Scenarios
- Key GDPR Obligations for Small and Medium Businesses
- What Are the Risks of Ignoring GDPR?
- Essential Documents and Processes to Protect Your Business
- Do Microbusinesses and Sole Traders Have to Register with the ICO?
- How Can Small Businesses Stay on Top of Their GDPR Duties?
- Key Takeaways on Company Size and the New GDPR Rules
If you run a business in the UK, you’ve probably heard all sorts about GDPR - especially with ongoing updates and post-Brexit changes. Many business owners wonder: “What size of company is affected by the new GDPR rules?”
It’s a great question because there’s a common myth that only big companies need to worry about GDPR compliance. In reality, the UK GDPR applies to almost every type and size of business - not just the large multinationals with dedicated legal teams.
Getting your head around the requirements can seem daunting, especially if you’re a small or growing business. The good news? With the right knowledge and strategic preparation, you can set up your data practices for success, protect your reputation, and avoid hefty fines.
In this guide, we’ll clarify exactly which businesses must comply, how your size affects your GDPR duties, and practical next steps to tick every legal box. Let’s make GDPR manageable - keep reading to find out what matters for your business.
Does GDPR Only Affect Large Companies?
Short answer: No - just about every business is touched by GDPR if you process personal data of people in the UK (or the wider EU in some cases).
GDPR, or the General Data Protection Regulation, was introduced to give individuals greater control over their data. Its UK version (UK GDPR) came into effect after Brexit and sits alongside the Data Protection Act 2018.
Many people ask: what size of company is affected by the new GDPR rules? Here’s the bottom line:
- If you process, use, store, or manage personal data (whether employees, clients, or users), GDPR applies.
- There’s no minimum size threshold. SMEs, startups, sole traders, side hustles, charities, family businesses, and corporate giants all have to comply.
- There are a few situations where obligations are lighter for very small businesses - but those are the exception, not the rule. We’ll explain the details below.
What Counts as Processing Personal Data?
You’re probably affected by GDPR if you handle any information that can identify someone, either directly or indirectly. Practical examples for small businesses include:
- Customer email addresses and phone numbers held in an order system
- Marketing lists with names and email addresses, even for B2B contacts
- Employee payroll or HR records
- Supplier or contractor contact details stored in your CRM
- Online tracking cookies collecting IP addresses of website visitors
Processing covers everything from collecting and storing, to using, analysing, or deleting this information. Nearly all businesses do one or more of these activities as part of daily operations.
What Size Companies Are Affected By GDPR in the UK?
All company sizes are affected by UK GDPR if they process personal data as part of their activities. There’s no “exemption” just because you’re a small company, startup, or microbusiness.
However, some specific GDPR requirements are lighter for “small and medium-sized enterprises” (SMEs), defined as organisations with fewer than 250 employees. Here’s how it breaks down:
Basic GDPR Rules Apply To:
- One-person sole traders
- Small partnerships
- Limited companies (Ltd), even if just you and a co-founder
- Fast-growing startups and established SMEs
- Charities and not-for-profits
Basically, as soon as your venture handles personal data - even just a few email addresses - you must comply with the main UK GDPR principles.
SME Exemptions and Special Rules
If your company has fewer than 250 employees, you’re exempt from some administrative requirements:
- You don’t always have to keep detailed internal records of your processing activities (unless your processing is regular, high-risk, or involves sensitive data, which most businesses actually do).
- Small businesses may be able to outsource some compliance duties, but you’re still responsible for GDPR overall.
However, most of the main duties around data subject rights, transparency, security, consent, and breach notification apply regardless of company size. The “SME exemption” is quite limited in practice.
To get a sense of all the main requirements, check out our Essential Guide to Data Protection and Security Compliance under UK GDPR.
Does UK GDPR Only Apply to B2C Companies?
A common misconception is that GDPR is just for companies that sell to individual consumers (B2C). In reality, GDPR applies to B2B businesses too if you process the personal data of any individual - e.g. your clients’ contact details, suppliers, employees, or contractors.
Even if you’re a B2B-only outfit - such as a software consultancy, trade supplier, or marketing agency - GDPR’s business-to-business rules still require you to safeguard any data that can identify an individual (like work email addresses or direct dials).
It’s also important to understand the distinction GDPR draws between data controllers and processors, which we cover in detail in our guide: Data Controller vs Processor: Working Out Your GDPR Role.
Who Does GDPR Affect? Some Real-World Scenarios
Let’s break down some example business types to show how widely GDPR applies:
- A single-person consulting business using an online calendar and emailing proposals: must comply if storing leads’ names and emails.
- A fledgling e-commerce shop with 3 part-timers: needs GDPR-compliant privacy notices for orders and marketing lists.
- A digital marketing agency supporting other SMEs: liable for GDPR on both client and staff data (and responsible even as a data processor in client campaigns).
- A growing software startup with under 50 staff: must have data protection policies and breach procedures in place for app users, even before scaling up.
- A regional retail store using a loyalty app: must explain how customer data is collected, ensure opt-ins, and respond to customer data requests.
Put simply, almost every business and organisation has some GDPR responsibilities. If you’re in doubt, it’s far safer to assume GDPR does apply and act accordingly.
Key GDPR Obligations for Small and Medium Businesses
Whether you’re setting up your first business, planning to scale, or running an established company, here are the main GDPR compliance steps that likely apply:
- Provide a clear and accessible Privacy Policy explaining what data you collect and why
- Have a lawful basis for collecting and processing each type of personal data (e.g. consent, contractual necessity, legitimate interests)
- Respect data subject rights (access, correction, deletion, data portability, restriction, objection)
- Keep data secure - use encryption, carry out regular access audits, and limit internal access so each person only sees the data their role needs
- Promptly report personal data breaches to the ICO and affected individuals where required
- Ensure you have valid Data Processing Agreements with suppliers or partners who process data on your behalf
- Train staff on recognising data protection issues and following good practices
Our practical GDPR Compliance Checklist for Small Businesses breaks these down in more detail for busy owners.
What Are the Risks of Ignoring GDPR?
Non-compliance with GDPR can result in:
- Significant fines (up to £17.5m or 4% of global turnover for the most serious breaches)
- Investigations by the ICO (the UK’s data regulator), which has the power to name and shame your business
- Lawsuits from customers, suppliers, or employees whose data has been compromised
- Contractual difficulties when working with larger companies that require proof of GDPR compliance
- Loss of customer trust and potential brand damage - even a small incident can go viral
For most businesses, a data breach or regulatory fine would be deeply disruptive at best - and can sometimes be fatal for small companies. Getting your GDPR obligations right is as much about business risk management as it is about legal compliance.
If you’re worried about exactly what documents and policies you need, explore our GDPR Compliance Pack: Documents Your Company Can’t Skip.
Essential Documents and Processes to Protect Your Business
Every business that GDPR covers should, at a minimum, have:
- A tailored, up-to-date Privacy Policy and (if needed) a Cookie Policy on their website and linked to signup forms, apps, or any channel collecting user data
- Internal data protection processes - including a way for customers or staff to make “Subject Access Requests” and receive clear, timely replies (see our step-by-step guide)
- Well-drafted contracts with suppliers, cloud providers, or freelancers that process data for you (including Data Processing Agreements)
- Regular staff training - including how to spot phishing attacks and what to do in the event of a data breach
- Policies for deleting old data and storage limitation (so you don’t keep customer records longer than needed - see our data retention guide)
You may also need some sector-specific policies (for example, schools or health providers can have extra duties), but for most SMEs these are the core essentials.
Do Microbusinesses and Sole Traders Have to Register with the ICO?
Many very small businesses wonder if they have to register with the ICO as a data controller. Most companies and sole traders do - the main exception is where you process personal data only by non-electronic means, which is rare in practice.
Registration is quick and usually costs between £40 and £60 annually, depending on your size. Some activities (such as manual-only, paper-based data processing) are exempt, but this is uncommon. If you’re in doubt, it’s safer (and usually required) to register.
How Can Small Businesses Stay on Top of Their GDPR Duties?
GDPR doesn’t have to be a burden on your growing business. Here are a few practical tips:
- Map your data flows: Make a simple list of what data you collect, how you use it, where it’s stored, and who you share it with
- Get your legal foundations right: Have professionally drafted templates and privacy notices
- Stay up to date: Track relevant developments - for example, the ICO regularly issues new guidance, and there have been tweaks post-Brexit (see why reviewing ICO guidance matters)
- Don’t copy policies from other websites - your documents must match your real-world practices to be effective (and enforceable)
- If in doubt, chat to a legal expert - especially if your business is changing or expanding into new areas
Key Takeaways on Company Size and the New GDPR Rules
- UK GDPR applies to any business processing personal data, of any size or sector, if it processes information about people in the UK.
- Small businesses (fewer than 250 employees) have slightly lighter admin duties but must still comply with core GDPR principles and most requirements.
- B2B companies and sole traders are not exempt - if you handle names, emails, phone numbers, or other identifying info, GDPR rules apply.
- Core duties include having a Privacy Policy, respecting data rights, ensuring security, reporting breaches, and training staff.
- Penalties for ignoring GDPR are steep and risk your customer trust and business viability - compliance is essential from day one.
- Taking a proactive approach with clear processes, contracts, and up-to-date documents will keep you compliant and prepared for growth.
If you want to make sure your business is fully protected under the new GDPR rules, or you’re unsure what obligations apply to your size of company, our friendly experts can help. Reach us at team@sprintlaw.co.uk or give us a ring on 08081347754 for a free, no-obligation chat about your legal needs.