GDPR for freelancers: the honest minimum

One person, client emails and an invoice folder — you are still a “controller”, but your real obligations fit on one page. Here is that page.

Yes, the GDPR applies to a one-person business; no, you do not need a consultant. Your realistic checklist: (1) Privacy notice on your site — who you are, what you collect (contact-form data, client project data, invoicing), why, how long, and the data-subject rights with your email. Plain language beats template legalese. (2) Records of processing (Art. 30) — a small business with regular, simple processing keeps a modest table: clients, prospects, newsletter, bookkeeping. One spreadsheet, an afternoon. (3) Retention discipline — invoices as long as national tax law commands; project files per contract; prospect data not forever (pick a rule, write it down, follow it). (4) Security basics — device encryption, 2FA on email and cloud, separate client folders, backups. A lost unencrypted laptop is a reportable breach; the same laptop encrypted usually is not. (5) Processor agreements (Art. 28) — your cloud, mail and accounting tools each need one; every mainstream provider has a standard DPA you accept online in minutes. (6) Requests and breaches — answer rights requests within a month; report qualifying breaches within 72 hours to your DPA. You almost certainly do NOT need: a DPO, a DPIA, or a consent banner for a cookieless portfolio site. Newsletter? Opt-in only, easy out — the marketing rules apply to you too, now from the other side.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← For small businesses📞 Your data protection authority