The General Data Protection Regulation (almost always shortened to GDPR) is the European Union's primary data protection law. It has applied since 25 May 2018 and fundamentally changed how organisations handle personal data. Despite being EU legislation, it has a long reach: it applies to organisations established in the EU, and also to organisations based anywhere else that offer goods or services to people in the EU or monitor their behaviour, for example through website analytics.
Does GDPR apply to my business?
The threshold question is whether you process personal data of people in the EU, or in the UK, which has its own equivalent law (see below). If someone in France buys your online course, signs up for your newsletter, or simply visits your website where your analytics records their IP address, you are processing their personal data. An IP address counts as personal data because it can be linked back to an individual. That brings you within scope of GDPR.
Many small online businesses assume GDPR is only for large corporations. This is a dangerous assumption. The regulation explicitly applies to businesses of any size. The key test is not your headcount or revenue — it is whether you handle personal data of data subjects in the EU or UK.
The UK retained an equivalent framework after Brexit, known as UK GDPR, so businesses serving UK customers have faced the same obligations under domestic law since 1 January 2021.
What does GDPR require?
GDPR imposes a set of principles on anyone who processes personal data. At a high level, you must:
- Have a lawful basis for every processing activity. You cannot collect and use personal data simply because it is convenient. You need a legal justification — most commonly consent, contract, or legitimate interests.
- Be transparent about what data you collect, why you collect it, how long you keep it, and who you share it with. This is typically communicated through a privacy policy.
- Respect data subject rights. Individuals have the right to access their data, correct it, delete it, and in some cases object to its processing.
- Implement appropriate security. You must take technical and organisational measures appropriate to the risk to protect personal data from loss, destruction, alteration, and unauthorised access or disclosure. The regulation itself names encryption and pseudonymisation, the ability to restore access to data after an incident, and regular testing of your measures as examples of what "appropriate" can mean.
- Report breaches. A personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the people affected. Where the risk to those people is high, you must also tell them directly without undue delay. Keep an internal record of every breach, including the ones you decide not to report, because the supervisory authority can ask to see it.
The consequences of non-compliance
GDPR enforcement is not theoretical. Supervisory authorities across Europe have issued fines ranging from a few thousand euros to hundreds of millions. For small businesses, the more realistic risk is a complaint from a customer that triggers an investigation, an enforcement notice requiring you to change your practices, or reputational damage that erodes customer trust.
The good news is that compliance does not require an in-house legal team. A clear privacy policy, a proper cookie consent mechanism, a documented process for handling data requests, and a simple record of what personal data you hold, why you hold it, and where it is stored cover the majority of what most small online businesses need. The key is to start somewhere and build from there rather than treating compliance as an all-or-nothing exercise.