GDPR for solopreneurs: a 2026 data practitioner’s guide
most solopreneurs treat GDPR like a tax: pay a lawyer once, copy a privacy policy from a competitor, hope nobody asks questions. that worked in 2019. it does not work in 2026, when one angry European customer can file an Article 77 complaint with their data protection authority and trigger a regulatory inquiry that costs you 80 hours of email and remediation, regardless of whether your business is technically subject to the regulation.
the good news is that GDPR compliance for a one-person business is genuinely tractable. it is not the 200-page enterprise compliance program that consultancies sell. it is six concrete actions: identify your lawful basis under Article 6, build a basic privacy policy that matches the Article 13 disclosure requirements, set up a data subject rights process that answers Article 15 access requests within the one month Article 12(3) allows, sign a data processing agreement with each vendor under Article 28, document a breach notification process aligned with Article 33, and run an annual review.
this guide walks each step, with templates, a compliance checklist table, and the specific Articles you can cite if a customer asks. it is informational, not legal advice. but it gets you 90% of the way to defensible compliance for a one-person business handling EU customer data.
who actually has to comply
GDPR applies to any business that:
– offers goods or services to people in the EU/EEA, OR
– monitors the behavior of people in the EU/EEA
it does not matter where your business is registered (Article 3(2)). a US solopreneur selling Stripe-checkout downloads to a customer in Berlin is in scope. a Singapore-based SaaS founder running Google Ads in Spain is in scope.
the GDPR is the EU’s general data protection regulation, Regulation (EU) 2016/679, applicable since 25 May 2018. it gives people in the EU specific rights over their personal data and imposes obligations on any business processing that data, regardless of where the business is located. for solopreneurs, the practical core is six articles: 6 (lawful basis), 13 (disclosure), 15 (access rights), 17 (erasure), 28 (processor contracts), 33 (breach notification). compliance for a one-person business takes one weekend of setup plus 30 minutes per month thereafter, and reduces both regulatory risk and customer trust friction.
step 1: pick your lawful basis under article 6
every personal data processing activity needs a lawful basis from Article 6(1). solopreneurs typically use one of three:
| basis | when to use | example |
|---|---|---|
| Article 6(1)(a) consent | marketing emails, analytics and marketing cookies | newsletter signup |
| Article 6(1)(b) contract | account, billing, service delivery | Stripe customer record |
| Article 6(1)(f) legitimate interest | cookieless analytics, security logs, anti-fraud | server access logs |
map every type of personal data you collect to one basis. write it down in a simple register.
example register:
| data type | source | lawful basis | retention |
|---|---|---|---|
| email + password | account signup | Article 6(1)(b) contract | until account deletion + 30 days |
| stripe customer ID | checkout | Article 6(1)(b) contract | 7 years (tax law) |
| newsletter email | signup form | Article 6(1)(a) consent | until unsubscribe |
| GA4 cookie ID + truncated IP | analytics | Article 6(1)(a) consent (setting the cookie needs ePrivacy consent, so the basis is consent, not legitimate interest) | 14 months (the GA4 maximum) |
| support ticket content | helpdesk | Article 6(1)(b) contract | 3 years |
common pitfall: solopreneurs default to “consent” for everything. this is wrong on two counts. consent can be withdrawn at any time (Article 7(3)), after which you must stop the processing and, absent another basis, erase the data (Article 17(1)(b)); and consent is invalid where it is not freely given, including where the service is conditioned on consent to processing the contract does not actually need (Article 7(4)). use contract or legitimate interest where they genuinely apply, and keep consent for what really needs it: marketing and non-essential cookies.
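a retention period that exists only in a table is not enforced. the block below is an added example, not code from the original guide: it turns the register above into rules and classifies constructed sample records into delete, hold (an Article 17(3)(b) legal obligation beats an erasure request), keep, and unregistered (data the register does not know about, which is itself a finding). the data types, retention anchors and sample records are assumptions for illustration, and the function returns decisions for review rather than deleting anything.

```python
"""Retention sweep driven by the step 1 register.

Added example, not code from the original guide. The rules mirror the
register rows in the text; the records are constructed sample data, and the
"delete" decisions are returned for review rather than executed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    data_type: str
    lawful_basis: str             # the Article 6(1) basis from the register
    years: int = 0
    months: int = 0
    days: int = 0
    anchor: str = "collected_at"  # event the period runs from (e.g. "deleted_at")
    legal_hold: bool = False      # Article 17(3)(b): a legal obligation overrides erasure


# the step 1 register as data (periods are the guide's examples, not legal advice)
REGISTER = [
    RetentionRule("account", "Article 6(1)(b) contract", days=30, anchor="deleted_at"),
    RetentionRule("stripe_customer", "Article 6(1)(b) contract", years=7, legal_hold=True),
    RetentionRule("newsletter_email", "Article 6(1)(a) consent", anchor="unsubscribed_at"),
    RetentionRule("analytics_event", "Article 6(1)(f) legitimate interest", months=14),
    RetentionRule("support_ticket", "Article 6(1)(b) contract", years=3),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def expires_on(rule: RetentionRule, record: dict) -> date | None:
    """Date the record falls out of retention; None while the anchor event has not happened."""
    start = record.get(rule.anchor)
    if start is None:
        return None
    return add_months(start, rule.years * 12 + rule.months) + timedelta(days=rule.days)


def sweep(register: list[RetentionRule], records: list[dict], today: date) -> dict[str, list[dict]]:
    """Classify every stored record as delete, hold, keep or unregistered.

    delete:       past its retention period, or erasure requested and no legal hold
    hold:         erasure requested but Article 17(3)(b) applies; tell the requester, keep until expiry
    keep:         inside retention, no request pending
    unregistered: a data type the register does not know about, i.e. the register is incomplete
    """
    rules = {r.data_type: r for r in register}
    out: dict[str, list[dict]] = {"delete": [], "hold": [], "keep": [], "unregistered": []}
    for rec in records:
        rule = rules.get(rec["data_type"])
        if rule is None:
            out["unregistered"].append(rec)
            continue
        expiry = expires_on(rule, rec)
        if expiry is not None and expiry <= today:
            out["delete"].append(rec)
        elif rec.get("erasure_requested"):
            out["hold" if rule.legal_hold else "delete"].append(rec)
        else:
            out["keep"].append(rec)
    return out


# constructed sample records; "subject" is an internal ID, not a real person
SAMPLE_RECORDS = [
    {"data_type": "account", "subject": "u1", "collected_at": date(2023, 5, 10), "deleted_at": date(2026, 1, 15)},
    {"data_type": "account", "subject": "u2", "collected_at": date(2025, 11, 2)},
    {"data_type": "stripe_customer", "subject": "u1", "collected_at": date(2023, 5, 10), "erasure_requested": True},
    {"data_type": "analytics_event", "subject": "cookie-9f3", "collected_at": date(2024, 12, 20)},
    {"data_type": "analytics_event", "subject": "cookie-a10", "collected_at": date(2025, 1, 31)},
    {"data_type": "support_ticket", "subject": "u3", "collected_at": date(2025, 6, 1), "erasure_requested": True},
    {"data_type": "newsletter_email", "subject": "u4", "collected_at": date(2024, 3, 3), "unsubscribed_at": date(2026, 3, 1)},
    {"data_type": "crm_export", "subject": "u1", "collected_at": date(2025, 9, 9)},
]


if __name__ == "__main__":
    result = sweep(REGISTER, SAMPLE_RECORDS, date(2026, 3, 1))
    for bucket, recs in result.items():
        print(f"{bucket:12s} {[(r['data_type'], r['subject']) for r in recs]}")
```

run it monthly from cron against your real stores and treat a non-empty `unregistered` bucket as a register bug to fix before the next annual review; the `hold` bucket is the list of people you owe an Article 12(4)-style explanation of why part of their data stays.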
step 2: write a defensible privacy policy
Article 13 requires you to inform data subjects at the time of collection about specific items.
minimum disclosure list:
| disclosure required | where to put it |
|---|---|
| who is the controller (your business + contact email) | privacy policy |
| what data you collect | privacy policy |
| why you collect it (purpose) | privacy policy |
| lawful basis, and the legitimate interest you rely on where it is Article 6(1)(f) (Article 13(1)(c)-(d)) | privacy policy |
| who you share it with (vendors) | privacy policy |
| international transfers (US, etc.) and the safeguard you rely on (Article 13(1)(f)) | privacy policy |
| retention periods | privacy policy |
| data subject rights (Articles 15-22) | privacy policy |
| right to withdraw consent, where consent is the basis (Article 13(2)(c)) | privacy policy |
| right to lodge a complaint with a DPA (Article 13(2)(d)) | privacy policy |
| automated decision-making (if any) | privacy policy |
a 1,500-word privacy policy covers all of these. avoid the 50-page template a $400 service generates; nobody reads them and the regulator does not give you extra credit for length.
step 3: build the data subject rights process
the rights you need to be able to serve: Article 15 (access), Article 16 (rectification), Article 17 (erasure), Article 18 (restriction), Article 20 (portability), Article 21 (objection), plus withdrawal of consent under Article 7(3).
practical workflow:
- designate one inbox, privacy@yourbusiness.com, and check it at least weekly
- when a request arrives, log it (date received, type, requester) in a tracker
- verify the requester’s identity before disclosing anything. for a solopreneur, “the request came from the email address on file and the export goes back to that same address” is usually enough (Article 12(6) lets you ask for more where you have reasonable doubts). never send an export to a different address on request: an access request from a look-alike address is the cheapest way for an attacker to get someone else’s data out of you
- respond within one month of receipt per Article 12(3); for complex or numerous requests you may extend by a further two months, but only if you tell the requester why within the first month
- document the response in your tracker
| request type | typical action | typical hours |
|---|---|---|
| access (Article 15) | export their account data and send it to the address on file; redact anything in it about other people (Article 15(4)) | 1 hour |
| erasure (Article 17) | delete the account and analytics rows; keep the Stripe record under the tax-law exception (Article 17(3)(b)) and say so in the reply, along with how long copies persist in backups | 2 hours |
| portability (Article 20) | export as JSON or CSV | 1 hour |
| objection to direct marketing (Article 21(2)) | unsubscribe immediately; there is no balancing test for marketing | 5 minutes |
most solopreneurs receive 1-3 requests per year. it is manageable.
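the two ways this process goes wrong in practice are sending an export to the wrong person and sending one that contains other people’s data. the block below is an added example, not code from the original guide or from any vendor: it gates the export on the requester matching the address on file (Article 12(6)), masks third-party email addresses in free-text fields (Article 15(4)), and emits JSON so the same output serves Article 20. the in-memory stores, names and addresses are constructed stand-ins; in production they are queries against your database, Stripe and helpdesk.

```python
"""Access / portability export with requester verification and third-party redaction.

Added example, not code from the original guide. The three dicts below are
constructed stand-ins for the stores a solopreneur actually holds (app
database, Stripe customer record, helpdesk); the emails and IDs are invented."""
from __future__ import annotations

import json
import re
from datetime import date

# constructed stores; in production these are queries against the real systems
ACCOUNTS = {
    "u1": {"email": "Anna@Example.com", "created": "2023-05-10", "plan": "pro"},
    "u2": {"email": "ben@example.net", "created": "2025-11-02", "plan": "free"},
}
STRIPE_CUSTOMERS = {"u1": {"stripe_id": "cus_constructed001", "country": "DE"}}
TICKETS = [
    {"id": 17, "subject_id": "u1", "body": "Please merge my account with ben@example.net, he is my colleague."},
    {"id": 18, "subject_id": "u2", "body": "Invoice question, nothing urgent."},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(email: str) -> str:
    return email.strip().lower()


def redact_third_parties(text: str, own_email: str) -> str:
    """Article 15(4): the export must not expose other people's data.
    Any email address in free text that is not the subject's own is masked."""
    def mask(m: re.Match) -> str:
        return m.group(0) if normalize(m.group(0)) == own_email else "[third-party redacted]"
    return EMAIL_RE.sub(mask, text)


def build_export(subject_id: str, today: date) -> dict:
    """Everything held on one subject, structured so it doubles as the Article 20 export."""
    acct = ACCOUNTS[subject_id]
    own = normalize(acct["email"])
    return {
        "generated_on": today.isoformat(),
        "controller": "yourbusiness.com (privacy@yourbusiness.com)",  # assumed controller identity
        "subject_id": subject_id,
        "account": dict(acct),
        # the billing record is disclosed here even though tax law keeps it past an erasure request
        "billing": STRIPE_CUSTOMERS.get(subject_id),
        "support_tickets": [
            {"id": t["id"], "body": redact_third_parties(t["body"], own)}
            for t in TICKETS if t["subject_id"] == subject_id
        ],
    }


def handle_access_request(request_from: str, deliver_to: str | None = None,
                          today: date | None = None) -> tuple[str, str | None]:
    """Returns (status, json_or_None).

    ok:        requester matches an address on file; export is released to that address only
    verify:    requester asked for delivery elsewhere; ask for proof before sending anything
    no_match:  unknown sender; answer generically, never confirm or deny that an account exists
    """
    sender = normalize(request_from)
    if deliver_to is not None and normalize(deliver_to) != sender:
        return "verify", None
    matches = [sid for sid, a in ACCOUNTS.items() if normalize(a["email"]) == sender]
    if not matches:
        return "no_match", None
    export = build_export(matches[0], today or date.today())
    return "ok", json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    for sender, to in [("ANNA@example.com ", None), ("anna@example.com", "other@example.org"), ("ghost@example.org", None)]:
        status, payload = handle_access_request(sender, to, date(2026, 3, 1))
        print(status, (payload or "")[:80].replace("\n", " "))
```

the `verify` branch is the security-relevant one: a request that asks you to deliver to a new address is not rejected, it is parked until the requester proves control of the address on file (reply from it, or log in). the redaction is deliberately crude, a regex over free text; if your helpdesk lets customers mention other customers by name, extend it before you send the first export.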
step 4: sign data processing agreements
Article 28 requires a contract with every “processor” (vendor that processes personal data on your behalf).
solopreneur vendor inventory typically includes:
| vendor | role | DPA available? |
|---|---|---|
| Stripe | processor (billing) | yes, in dashboard |
| Google Workspace | processor (email, drive) | yes, online |
| AWS / Vercel / Render | processor (hosting) | yes |
| Mailchimp / ConvertKit | processor (email marketing) | yes |
| Intercom / Helpscout | processor (support) | yes |
| Notion / Airtable | processor (workflow) | yes |
| Zoom | processor (calls) | yes |
| Plausible / GA4 | processor (analytics) | yes |
action: log into each vendor, accept their DPA, save the executed copy to a Drive folder. an afternoon’s work.
if a vendor offers no DPA at all, switch vendors; Article 28(3) makes the written contract mandatory, not optional. read the role the vendor assigns itself: some act as an independent controller for part of the processing (a payment provider’s own fraud and anti-money-laundering obligations, for instance), and that part is a disclosure to another controller rather than processing on your behalf, so describe it that way in your privacy policy. the DPA should also list the vendor’s sub-processors (Article 28(2) and (4)) and its commitment to tell you about breaches without undue delay (Article 33(2)), which you will need for step 5.
step 5: prepare for breach notification
Article 33 requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to people’s rights and freedoms. if you are late you must explain why (Article 33(1)), and you may notify in phases as the facts come in (Article 33(4)). Article 34 requires you to tell the affected people themselves, without undue delay, when the breach is likely to result in a high risk to them. Article 33(5) requires you to document every breach, including the ones you decide not to notify, so the register is mandatory even when the notification is not. your vendors owe you the mirror-image duty: Article 33(2) obliges a processor to tell you without undue delay, and your 72 hours start when you become aware, including when the notice comes from them.
prepare a 1-page breach response checklist:
| step | timing |
|---|---|
| confirm a breach occurred; the 72-hour clock starts the moment you are reasonably certain | hour 0 |
| contain it (rotate keys and tokens, lock accounts, pull the exposed bucket or export) | hour 0-2 |
| assess scope (which records, which fields, how many people, which vendors were involved) | hour 2-12 |
| document in the breach register, whether or not you end up notifying (Article 33(5)) | hour 12-24 |
| notify the supervisory authority unless the breach is unlikely to result in a risk (Article 33(1)); notify in phases if facts are still arriving (Article 33(4)) | by hour 72 |
| notify affected people if the risk to them is high (Article 34) | without undue delay; not tied to the 72-hour clock |
| post-mortem and remediation | week 1-2 |
most solopreneurs never have a notifiable breach. but if you do, the 72-hour clock is unforgiving and the documentation requirement is strict.
step 6: run an annual review
once a year, repeat the audit:
- update the data register
- reconfirm DPAs are signed
- review retention periods (are you keeping things too long?)
- audit recent access requests (did you respond within 30 days?)
- update privacy policy if vendors or data flows changed
calendar the review for the same week each year. 4 hours of work.
the compliance checklist
this is the practical checklist for a one-person business handling EU data.
| item | article | done? |
|---|---|---|
| lawful basis register written | Article 6 | |
| privacy policy live and accurate | Article 13 | |
| privacy policy states the right to complain to a supervisory authority | Article 13(2)(d) | |
| data subject rights inbox monitored | Articles 15-22 | |
| one-month response process documented | Article 12(3) | |
| DPA executed with every processor | Article 28 | |
| breach notification process documented | Articles 33-34 | |
| security measures appropriate to the risk (encryption, access control, backups you can actually restore) | Article 32 | |
| annual review scheduled | (best practice) | |
| international transfer mechanism in place | Articles 44-49 | |
| children’s data not collected (or under-16 consent flow; member states may lower the age to 13) | Article 8 | |
| records of processing activities (ROPA) maintained | Article 30 | |
Article 30(5) exempts organisations with fewer than 250 employees from a formal ROPA only where the processing is occasional, is unlikely to result in a risk, and involves no special-category or criminal-conviction data; any one of those three triggers brings the obligation back. a solopreneur with a customer database processes personal data routinely, not occasionally, so in practice the exemption rarely applies. keep the register from step 1 regardless: it is your ROPA, and it is the foundation everything else builds on.
comparing GDPR to other regulations
| regulation | jurisdiction | applies if you… | similar to GDPR? |
|---|---|---|---|
| GDPR | EU/EEA | sell to or monitor EU residents | baseline |
| UK GDPR | United Kingdom | sell to or monitor UK residents | nearly identical |
| CCPA / CPRA | California | meet revenue/data thresholds | similar but different rights |
| PDPA | Singapore | collect Singapore resident data | similar consent model |
| LGPD | Brazil | sell to or monitor Brazil residents | based on GDPR |
| PIPEDA | Canada | conduct commercial activities | weaker than GDPR |
if you comply with GDPR, you typically meet 70-80% of CCPA, PDPA and LGPD requirements; what remains is jurisdiction-specific, such as CCPA’s “do not sell or share” opt-out. our cookie compliance for analytics 2026 guide covers the cookie-specific overlay, and our first-party data strategy for small business 2026 explores the strategic side of compliance-first data work.
frequently asked questions
do I need a DPO?
Article 37(1) requires a Data Protection Officer if you are a public authority, if your core activities consist of regular and systematic monitoring of people on a large scale, or if your core activities consist of large-scale processing of special category data (Article 9) or criminal conviction data (Article 10). solopreneurs almost never meet these thresholds. document the analysis once, file it, move on.
what about Schrems II and US data transfers?
if you use US-based vendors (most solopreneurs do), the transfer needs a Chapter V mechanism: either the vendor is certified under the EU-US Data Privacy Framework (adequacy decision of July 2023) or your DPA incorporates the 2021 Standard Contractual Clauses (Decision (EU) 2021/914), which formally also require you to assess whether the destination country’s law undermines them. the major vendors (Google, Stripe, Vercel, etc.) have one or both in place, but check rather than assume: look the vendor up on the DPF list, or find the SCC module in the DPA you accepted in step 4, and note which one you rely on in your register, because Article 13(1)(f) makes you disclose it.
how big are the fines really?
Article 83 has two tiers: up to €10M or 2% of worldwide annual turnover for infringements of controller and processor duties such as Articles 28, 30 and 33 (Article 83(4)), and up to €20M or 4% for the core principles, lawful basis, data subject rights and international transfers (Article 83(5)), whichever is higher in each case. solopreneurs face vastly smaller exposure in practice: a first minor violation more often ends in a reprimand or an order to comply (Article 58(2)) than in a fine, and the fines that are issued to micro-businesses are typically in the low thousands of euros. the 72-hour breach notification clock and the one-month data subject rights deadline are the parts that are strict regardless.
can I just block EU traffic?
technically yes, but less cleanly than it sounds. Recital 23 says that merely being reachable from the EU does not put you in scope; what does is evidence that you envisage EU customers (EU languages, euro pricing, shipping to EU countries), so geoblocking only helps if it matches what you actually do. it does nothing for the EU customer data you already hold, for EU customers who buy through a VPN, or for the Article 3(2)(b) monitoring trigger if your analytics still track EU visitors. it is rarely worth the lost revenue anyway. compliance is cheaper than the lost market.
do I need cookie banners?
yes, if you set non-essential cookies or similar identifiers (analytics, marketing); strictly necessary cookies such as a session or cart cookie need no consent. the requirement comes from Article 5(3) of the ePrivacy Directive rather than from GDPR itself, which is why picking a GDPR lawful basis alone does not settle it. our cookie compliance for analytics 2026 guide covers this in detail.
what about analytics?
GA4 is defensible under GDPR, but not on IP anonymization alone: GA4 discards full IP addresses by design, and the thing that actually needs consent is the cookie it sets, which falls under the ePrivacy Directive rather than GDPR. before the EU-US Data Privacy Framework existed, several supervisory authorities (Austria, France and Italy, in 2022) ruled that Google Analytics transfers were unlawful, so the transfer mechanism matters as much as the banner. the defensible setup is a consent banner that holds back the GA4 tag until accepted, Google’s Ads Data Processing Terms accepted as your DPA, and a noted reliance on Google’s DPF certification; a cookieless, EU-hosted tool sidesteps most of it. our GA4 for non-marketers 2026 guide covers analytics setup.
conclusion: ship the basics this weekend
GDPR is one of those compliance topics where 90% of the value comes from 20% of the work. the data register, the privacy policy, the DPA folder, and the rights inbox cover the vast majority of regulatory exposure. the rest is documentation discipline.
block four hours this weekend. inventory your data, map each type to a lawful basis, write a 1,500-word privacy policy, log into your top 8 vendors and accept their DPAs, set up privacy@yourdomain.com, and document a 1-page breach response checklist. you will be 90% compliant.
then schedule an annual review. that is GDPR for solopreneurs in 2026: not a project, a discipline.
for connected work, our data security basics for solopreneurs 2026 covers the technical security measures GDPR Article 32 expects, and our client data agreements templates cover the contract layer for B2B clients.
disclaimer: this guide is informational, not legal advice. consult a qualified data protection lawyer for specific GDPR application to your business. references to GDPR Articles are based on Regulation (EU) 2016/679.