Interior of a traditional Belgian bakery with wooden shelves of bread loaves in warm morning light

The baker knows their customers by name. The florist knows which flowers Mrs Johnson orders every spring. The bicycle mechanic remembers that Mr Wilson’s saddle has been replaced twice. That knowledge — built through years of good work — is the foundation of local retail and trades. It is also in a file. And that file belongs to you.

Local retail is the most recognisable entry point for anyone thinking about AI and privacy. Not because the challenges are large — but precisely because they are small and concrete. You have no IT department, no DPO, no legal team. You do have a customer list, an invoice history, supplier contacts, and perhaps a loyalty card. That is already enough to fall within the GDPR — and enough for AI to help you directly.


Ordinary data, real rules

A name and email address in an order list are personal data. A loyalty card with purchase history is a processing activity that requires explanation. The General Data Protection Regulation (GDPR) makes no exceptions based on turnover or headcount — it applies to every organisation that processes personal data, from a multinational to a neighbourhood bakery.

The GDPR does include a limited exemption for businesses with fewer than 250 employees: in certain cases you are not required to maintain a full processing register (Article 30(5)). But that exemption has critical limits: it falls away as soon as the processing is not occasional, is likely to pose a risk to the people concerned, or involves special categories of data such as health information (an allergy note attached to a named customer, for example). A loyalty card programme is regular, not occasional, processing. Once you track reward points, the full registration obligation applies. The exemption is smaller than it sounds.

That said, the obligations for a small business are genuinely manageable. Know what data you hold, keep it secure, and tell your customers plainly what you do with it: that is the core of it. No hundred-page compliance documents. No lawyer on retainer. A half-page privacy notice, a login password and disk encryption on your laptop will take you most of the way there.

Closed florist shop on a Belgian high street in early morning light

The baker and the free AI tool

Imagine you use a free AI writing tool to draft your weekly promotions and reply to customer emails. Convenient, time-saving, and at no cost. Until you understand what is happening in the background.

Every time you paste a customer name or address into that tool for a personalised message, you are sending personal data to an external provider's servers, possibly in the United States. Add your order list as context for a supplier email, and your supplier information and pricing agreements are now held by a third party, and the terms of many free tiers allow the provider to use what you paste to improve its models. If that provider is acquired, or updates its terms of service, you have no answer when a customer asks how their name ended up in promotional emails from a company they have never heard of.

“Free tools are rarely truly free — the price is the data.”

A local AI tool running on your own laptop or server has none of these transfer problems. You type the content, the AI generates the text, nothing leaves the workplace. The florist drafts the seasonal promotion, the bicycle mechanic writes the supplier order, the baker responds to an allergen enquiry, all without a single character of customer data going anywhere external. The device itself still needs the basic protections covered below; local AI removes the third party, not the need to lock your own door.

Handwritten loyalty card and small notebook on a wooden counter in natural light

What the law concretely requires of you

For local retail and trades, there are three legal and fiscal anchors to keep in mind:

Keep your invoices: both in Belgium (Code of Economic Law, Art. III.86) and in the Netherlands (General Tax Act, Art. 52), a 7-year retention obligation applies to accounting documents. This is not a GDPR obligation — it is a fiscal one. AI supporting your bookkeeping therefore works with data you must already retain for tax reasons.

Be transparent with your customers: a short privacy notice is sufficient for most activities. The GBA (Gegevensbeschermingsautoriteit) in Belgium offers a free model register, privacy notice generator, and checklist. In the Netherlands, the AP (Autoriteit Persoonsgegevens) has a dedicated SME section with practical tools and model contracts. UNIZO (Belgium) and MKB-Nederland both publish sector-specific guides for local businesses.

Basic security: does your laptop require a password to log in? Is the drive encrypted, so that the password actually protects the data if the machine is stolen? Do you back up your customer list regularly, and is the backup stored just as securely as the original? Those three questions are the heart of what the GDPR asks of a small business when it comes to data security. A login password without disk encryption stops nobody who removes the drive and reads it elsewhere. A customer list on an unsecured laptop is a liability, not just legally, but practically in the event of loss or theft.
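The three questions above can be turned into a quick self-check. The script below is an added example for this page, not something from the original article: it checks for an encrypted volume, for accounts with no password set, and for a recent backup file. It assumes a Linux laptop with `lsblk` and a readable `/etc/shadow` (so the password check needs root), and the backup directory `$HOME/backups` and the seven-day freshness limit are illustrative choices you should adjust.

```shell
#!/bin/sh
# Added example (not from the original article): a basic GDPR "appropriate security"
# self-check for a single laptop. Assumptions: Linux, lsblk available, root for /etc/shadow.

# 1. Drive encryption. lsblk lists LUKS/dm-crypt volumes with TYPE "crypt" or
#    FSTYPE "crypto_LUKS". Reads lsblk-style text on stdin so it can also be run
#    against a saved report; exit status 0 means an encrypted volume was found.
drive_is_encrypted() {
    grep -Eq '(^|[[:space:]])(crypt|crypto_LUKS)([[:space:]]|$)'
}

# 2. Login passwords. In /etc/shadow an empty second field means the account has
#    no password at all (a locked account shows "!" or "*", which is fine).
#    Reads shadow-style lines on stdin and prints the offending account names.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }'
}

# 3. Backup freshness. $1 = backup directory, $2 = maximum age in days.
#    find -mtime -N matches files modified less than N days ago; succeed if any exist.
backup_is_fresh() {
    dir=$1
    max_days=$2
    [ -n "$(find "$dir" -type f -mtime -"$max_days" 2>/dev/null | head -n 1)" ]
}

# Run all three against this machine. BACKUP_DIR is an assumed location; override it.
run_checks() {
    if lsblk -o NAME,TYPE,FSTYPE 2>/dev/null | drive_is_encrypted; then
        echo "OK    an encrypted volume is present"
    else
        echo "FAIL  no encrypted volume visible (or lsblk unavailable)"
    fi

    if [ -r /etc/shadow ]; then
        open=$(accounts_without_password < /etc/shadow)
        if [ -z "$open" ]; then
            echo "OK    every account has a password set"
        else
            echo "FAIL  accounts without a password: $open"
        fi
    else
        echo "SKIP  run as root to read /etc/shadow"
    fi

    if backup_is_fresh "${BACKUP_DIR:-$HOME/backups}" 7; then
        echo "OK    a backup newer than 7 days exists"
    else
        echo "FAIL  no backup newer than 7 days in ${BACKUP_DIR:-$HOME/backups}"
    fi
}

# Set RUN_CHECKS=1 to execute the checks when the script is run directly.
if [ -n "${RUN_CHECKS:-}" ]; then
    run_checks
fi
```

On Windows the equivalent of the first check is `manage-bde -status` (BitLocker) and on macOS `fdesetup status` (FileVault); the backup check is the same idea on any system: if the newest copy of the customer list is older than your tolerance, you do not have a working backup.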

Bicycle repair workshop with tools neatly arranged in warm workshop light, no people

Three steps to start today

You do not need a DPO. You do not need an extensive processing register. You need three things:

1. Secure your customer list. A login password plus drive encryption on your laptop are the minimum "appropriate technical measures" the GDPR asks of you (Article 32); one without the other is not enough. If your customer list sits in an unprotected Excel file on an unlocked laptop, you are exposed: to a data breach, to theft, and to a complaint with the GBA or AP.

2. Write a short privacy notice. Use the free templates from the GBA or the AP. Post it behind the counter, put it on your website, or print it on your loyalty card sign-up form. If you run a loyalty programme, you also need a simple registration form that explains what you record and how the points work — consent at sign-up is the foundation. Fifteen minutes’ work, lasting reassurance.

3. Use AI locally for your daily communications. Social media posts for Instagram or Facebook, weekly order lists based on your sales history, replies to customer emails, stock management: these are the applications that save you time immediately. Several of them, such as social posts and stock management, involve no personal data at all, making them the cleanest possible use of AI. And when AI runs on your own device, the customer emails and names you do work with go nowhere. The value you have built over years stays where it belongs: with you.

Ron Spoelstra — Belgium · March 2026 · info@ronspoelstra.be