Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, a startup, or an online shop, it’s easy to assume GDPR is “just for big tech” or businesses with huge databases.
In reality, GDPR affects most UK businesses at some point - often from day one - because almost any business that deals with customers, users, leads, or staff will touch personal data.
This guide explains, in practical terms, who GDPR affects, how it applies to common business models, and what to prioritise so you can stay compliant without turning it into a full-time job.
What Is GDPR (And Why Does It Matter For Small Businesses)?
GDPR is the General Data Protection Regulation. In the UK, it’s implemented through the UK GDPR (which is the UK’s version of GDPR post-Brexit) and the Data Protection Act 2018.
At a high level, these laws regulate how your business can collect, use, store, share, and delete personal data.
What Counts As “Personal Data” In A Business Context?
Personal data isn’t just passport numbers or medical records. For SMEs, it usually looks like:
- Customer names, email addresses, phone numbers and delivery addresses
- Employee records (payroll details, next of kin, performance notes)
- Online identifiers (IP addresses, cookie IDs, device IDs)
- Client notes (including call logs, meeting notes, and support tickets)
- Marketing data (newsletter lists, lead magnets, CRM data)
Even if you only store a handful of customer emails in a spreadsheet, GDPR can still apply.
Why Should SMEs Care?
From a business-owner perspective, GDPR matters because it affects:
- Trust: customers are more cautious about who they give data to
- Sales and marketing: you can’t just email or retarget people however you like
- Partnerships: many suppliers and enterprise clients will ask you about GDPR before onboarding you
- Risk: mishandling data can lead to complaints, investigations, reputational damage, and (in serious cases) fines
It can feel like a lot - but if you focus on the right building blocks, compliance becomes manageable.
So, Who Does GDPR Affect?
Let’s get specific. If you’re searching for who does GDPR affect, the most useful way to think about it is: GDPR affects any organisation that processes personal data, and that includes most businesses.
In practice, GDPR affects:
- Companies, sole traders and partnerships (the business structure doesn’t matter)
- Online and offline businesses (a shop with a loyalty programme can be affected just like an eCommerce store)
- Businesses established in the UK that process personal data
- Businesses outside the UK if they offer goods/services to people in the UK or monitor their behaviour (for example, via analytics or behavioural advertising)
GDPR Usually Affects You If You Do Any Of The Following
You’re very likely within scope if you:
- Take online orders and deliveries
- Collect enquiries through a contact form
- Run email marketing campaigns
- Use website analytics or advertising cookies
- Use a CRM to manage leads
- Use outsourced suppliers who handle customer data (hosting providers, email platforms, accountants, payroll providers)
- Hire employees or contractors and store HR/admin info
In other words: GDPR affects most SMEs because “processing” is a broad concept. It includes collecting, storing, updating, viewing, emailing, sharing, deleting - basically anything you do with personal data.
Does GDPR Apply To My Business Model? Common SME Scenarios
Sometimes the easiest way to answer “who does GDPR affect” is to map it to real business setups.
1) eCommerce Stores And Online Retailers
If you sell online, you almost certainly process personal data, such as delivery addresses, email confirmations, payment references, and customer service communications.
You’ll usually need a properly drafted Privacy Policy explaining what data you collect, why you collect it, who you share it with (for example, couriers or payment providers), and how long you keep it.
If you use marketing/analytics cookies (which many stores do), you’ll also want to get your Cookie Policy and consent approach right, because cookies can involve personal data (or data that becomes personal when combined with other information).
2) SaaS, Apps, And Digital Platforms
For SaaS and app businesses, GDPR compliance usually goes beyond just “having a privacy policy”.
Depending on your product, you may also need to think about:
- Account creation and identity verification processes
- In-app analytics and tracking
- User permissions and admin access controls
- Data retention rules (how long user data stays in your systems)
- Responding to data subject requests (like access or deletion)
If you process personal data on behalf of business customers (for example, you provide software used to manage their customer lists), you’ll usually be a “processor” and your customer is the “controller”. In that case, you’ll typically need a Data Processing Agreement in place.
3) Service Providers (Agencies, Consultants, Trades, Clinics)
Service businesses often underestimate how much personal data they hold because it’s not always stored in a big system - it might be in emails, project folders, WhatsApp messages, proposals, and invoices.
GDPR can affect you if you:
- Keep client files and project notes (especially if they include personal circumstances)
- Use subcontractors who access client info
- Offer appointments and keep booking details
If you’re using cloud tools, make sure your internal practices match what you tell customers in your privacy documentation (and that access is limited to people who need it).
4) Businesses With Employees (Even Small Teams)
If you employ staff, you will process employee personal data as part of running payroll, managing leave, and supervising performance.
This is where GDPR overlaps with employment policies and workplace governance. For example, if you monitor staff IT usage, you need a clear and fair approach - and you should be careful about how you collect and store monitoring records. It’s worth understanding the practical boundaries around internet monitoring at work as part of your broader compliance efforts.
Many SMEs also use CCTV for safety or security. That can involve processing personal data (images of staff and visitors), so the question isn’t just “can we install cameras?” - it’s “how do we do it lawfully and transparently?” If that’s relevant to your setup, see the practical issues around cameras in the workplace.
5) Businesses Using AI Tools Or Chatbots
If your team uses AI tools to draft emails, summarise meetings, or handle customer support, you need to think about what data gets input and where it goes.
A common risk is staff pasting personal data (or confidential client information) into tools without clear rules. This can create privacy and confidentiality issues, which is why it’s worth having an internal position on whether using AI tools is confidential and what employees should and shouldn’t share.
When Does GDPR Not Apply? (The Common Misconceptions)
Most of the time, GDPR will affect your business. But there are a few common misunderstandings worth clearing up.
“I’m A Small Business, So I’m Exempt”
There isn’t a blanket small business exemption. Some obligations scale depending on what you do with data and the level of risk (for example, most SMEs won’t need a Data Protection Officer - DPO requirements are generally limited to public authorities or organisations doing large-scale, high-risk processing). But the core rules still apply.
“I Only Have Business Contacts, Not Personal Data”
Even in a B2B context, you’ll often hold personal data - for example, “jane.smith@company.co.uk” is still personal data if it identifies an individual.
“I Don’t Store Data - It’s In My Email/CRM/Cloud Tools”
If you can access it, use it, or decide what happens to it, you are still “processing” it.
“I’m Not In The UK, So UK GDPR Doesn’t Affect Me”
If you’re outside the UK but you offer goods/services to people in the UK, or you monitor UK user behaviour online, UK GDPR can still be relevant. Cross-border compliance can get technical fast, so it’s a good one to get tailored advice on.
What Does GDPR Require Businesses To Do? The Practical Checklist
GDPR compliance can sound abstract, but for most SMEs it comes down to a set of practical controls and documents.
1) Know Your Role: Controller, Processor, Or Both
- Controller: you decide why and how personal data is processed (many SMEs are controllers for customer and employee data).
- Processor: you process personal data on someone else’s instructions (common for agencies, SaaS providers, outsourced services).
Some businesses are both - for example, you might be a controller for your own marketing list, but a processor when delivering services for a client.
2) Have The Right Privacy Information In Place
You’ll generally need to explain clearly:
- what personal data you collect
- the lawful basis you rely on (for example, contract necessity, legitimate interests, consent)
- who you share data with
- whether data goes overseas
- how long you keep it
- how people can exercise their rights
For many online businesses, this starts with a solid Privacy Policy, supported by operational practices that match what the policy says.
3) Get Consent Right (Especially For Marketing And Cookies)
Consent is one lawful basis, but it’s not always the best fit.
For example:
- Marketing emails are often regulated by PECR as well as data protection law. Depending on who you’re emailing and how you collected their details, you may need opt-in consent (for many B2C campaigns) or you may be able to rely on the “soft opt-in” for existing customers - but you’ll still need a clear opt-out in every message.
- Cookies used for advertising/analytics typically require user consent, unless they’re strictly necessary for the service. This usually means using a consent mechanism and a clear Cookie Policy.
The main point: don’t rely on vague, bundled consent. If you’re going to ask for consent, it needs to be specific, informed, and freely given.
4) Use Supplier Contracts That Match How Data Flows
If third parties handle personal data for you (email platforms, booking systems, hosting providers), you should understand:
- what data they handle
- where it’s stored
- what security they provide
- what contractual terms apply
If a supplier is processing personal data on your behalf, you’ll often need GDPR-required terms in place - commonly handled through a Data Processing Agreement (or an equivalent addendum in their contract).
5) Build A Process For Data Subject Requests
Individuals have rights over their personal data, such as the right to access it and (in some cases) delete it or correct it.
For an SME, the key is not to panic - it’s to have a repeatable internal process so your team knows:
- who receives the request
- how you verify identity
- where you search for the data (email, CRM, support tools)
- how you respond within the right timeframe
If your business regularly handles these requests, it can help to use a documented workflow and templates so responses are consistent and compliant.
6) Prepare For Data Breaches Before They Happen
Even careful businesses can have breaches - a lost laptop, an email sent to the wrong recipient, or a compromised password.
What regulators (and customers) tend to care about is how you prepared and how you responded. Having a Data Breach Response Plan can help you act quickly, limit harm, and meet any reporting obligations.
7) Make It Practical With Policies And Training
For SMEs, compliance often breaks down at the “people and process” level - not because you don’t care, but because everyone’s busy.
A simple, workable Acceptable Use Policy can help set expectations on things like:
- passwords and device security
- accessing customer data remotely
- using personal devices for work
- what staff can upload into third-party tools
This is one of the easiest ways to protect your business from day one, especially as you start hiring and delegating.
Key Takeaways
- In practical terms, GDPR affects most UK SMEs because most businesses process some form of personal data (customers, leads, suppliers, or employees).
- If you’re asking who does GDPR affect, the answer is usually: any business that collects, stores, uses, shares, or deletes personal data - including small online businesses and startups.
- Common business activities like online orders, contact forms, email marketing, cookies, and CRMs often bring you within scope of GDPR obligations.
- Getting the basics right usually means having clear privacy information (like a Privacy Policy), appropriate cookie compliance, and supplier contracts that match your data flows.
- Operational readiness matters: set up a process for data subject requests, and have a plan for handling data breaches before they happen.
- Simple policies and staff training can prevent everyday mistakes that create big GDPR headaches later.
If you’d like help getting your GDPR compliance sorted, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.