Does my one-person company need a GDPR register?

Yes, if you process any personal data, customer emails, supplier contacts, or even just your own personal data through business systems, the register obligation applies. The size of your company does not change the rule, only the way you keep the record.

I have fewer than 250 employees, am I exempt?

Almost certainly not. The Article 30(5) GDPR exemption only applies if your processing is occasional, does not involve special categories (health, biometric, etc.), and is not likely to risk people's rights. In practice, every business that processes customer or staff data on a regular basis falls outside the exemption.

What format does the register need to be in?

There is no mandatory format. Excel, Word, a database, or a tool like GDPRWise are all acceptable. What matters is that the register is current, complete, and can be shown to a supervisory authority on request.

Who is allowed to see my register?

Your national data protection authority can request it during an inspection or after a complaint. Internally, your DPO (if appointed) and anyone responsible for compliance should have access. It does not need to be public.

GDPR Register: Do I Need One? Quick Answer for SMEs

Yes, almost every business does. The 'fewer than 250 employees' exemption rarely applies in practice. Here's what the register must contain and how to start.

The short answer

Yes. If you process personal data of customers, staff, or suppliers, you need a GDPR register, also called Records of Processing Activities or RoPA. This is required by Article 30 of the GDPR, and the obligation kicks in the moment you have your first customer, supplier, or employee.

The “fewer than 250 employees” myth

Article 30(5) appears to exempt organisations with fewer than 250 employees. In practice, the exemption rarely applies because it has three carve-outs, and almost all businesses fall into at least one:

The processing is more than occasional. Sending invoices to repeat customers, paying staff every month, storing supplier contacts, all of these are regular activities, not occasional ones.
You process special categories of data. Health information, biometric data, data about minors, or anything covered by Article 9 disqualifies you.
The processing could risk individual rights. Customer profiling, marketing automation, employee monitoring, and similar activities all fall in this bucket.

In reality, the exemption was designed for very narrow cases such as a one-off charity drive. If you operate a real business with regular customers and employees, assume the register applies to you.

What the register must contain

Per Article 30(1), the register must list every processing activity with:

Who: whose data you process (customers, staff, suppliers, partners)
What: the categories of personal data (name, email, address, payment info, etc.)
Why: the purpose of the processing (invoicing, hiring, marketing, etc.)
Legal basis: consent, contract, legal obligation, legitimate interest, etc.
Recipients: which third parties receive the data, and whether they sit inside or outside the EU
Retention: how long you keep each category
Security: the technical and organisational measures in place

You should keep separate records for activities where you are the Data Controller (you decide why and how the data is processed) and where you are a Data Processor (you handle data on behalf of someone else).

What happens if you don’t have one

The supervisory authority can request your register during an inspection or after a complaint. If you can’t produce one, that itself is a GDPR breach. Penalties for missing or incomplete records have already been issued across the EU, including to SMEs. Beyond fines, the register is your own internal compass: without it, you can’t reliably answer data subject requests, manage breaches, or demonstrate accountability.

How to start

You have three options:

Build it yourself in a spreadsheet. Free, but high-maintenance and easy to leave incomplete.
Hire a consultant. Thorough, but expensive and dependent on their continued availability.
Use a tool like GDPRWise. The platform asks the right questions per business sector, generates the register from your answers, and keeps it current as your operations change.

auto_awesome Generate your GDPR register in minutes

GDPRWise scans your website, asks the right questions for your sector, and produces a complete Article 30 register, ready to show your supervisory authority.

Start a free scan