This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitute legal advice.
The GDPR is already a complicated area for many, and most people feel overwhelmed. They’re not sure what to do, in which order, and when it’s good enough – for their kind of business. They’re often also worried about the price of getting help.
👉 If this is the case, go straight to the ultimate GDPR compliance checklist for small and online businesses
Also visit the website of your national data protection authority (DPA). All you need to know about the GDPR, can usually be found there. Free of charge.
Just make sure you know when to get help with the GDPR, what to get help on, and that you do your due diligence on any GDPR "helpers" first.
Here is a list of the members of the European Data Protection Board. Also note that a DPA in one country, e.g. the ICO in the UK, can take action against a company in a different country, as they have many times (e.g. their very first GDPR notice was to a Canadian company).
You just have to dedicate time, and be patient (if you're going to do this on your own). Unfortunately, many still struggle to understand exactly what to do, even after spending hours reading about the GDPR.
Then it's easy to resort to Google searches and Facebook groups to get answers to your burning questions. Unfortunately, there is a lot of misinformation out there on the GDPR. Some of it is just imprecise, but much of it is outright wrong. ❌
And often, people forget that the GDPR is not the only relevant law, you also have to know about and adhere to relevant marketing laws. Read more below.
Unfortunately, we've read research articles (written by actual research scientists) that lean on incorrect sources (e.g. referring to "gdpr-info.eu" as an official EU website).
Unfortunately, we've listened to several podcasts with US attorneys who clearly haven’t read the actual law text, since they give incorrect advice.
Unfortunately, we've seen websites by lawyers that aren't compliant with, or even breaches, the GDPR (e.g. by using pre-ticked consent boxes).
Therefore, it’s crucial that you know you only rely on credible sources when working with the GDPR in your business, or that the help you rely on, do so.
If you're going to get help with GDPR compliance, ask your potential provider to name the sources they rely on, and compare those to the sources stated below.They should match!
And it shouldn't be necessary, but you even need to ask lawyers the same, as a legal education isn't a seal of approval when it comes to the GDPR.
First and foremost, the actual law text can be found on EUR-Lex, the European Union’s website for all EU laws: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
There you can download a copy in English or any of the 23 other official EU languages (if you're that interested in reading the whole law yourself).
Next, we recommend bookmarking the EU’s website on data protection rules, which also contains several useful examples.
And, finally, the website of the European Data Protection Board (EDPB), an independent European body which contributes to the consistent application of data protection rules throughout the EU, and promotes cooperation between the EU’s data protection authorities.
Several people refer to pages they believe are managed by the EU, such as the research scientists mentioned above. However, only pages with “europa.eu” in the URL, are official pages from the EU. The website gdpr-info.eu is an example of a site many believe is owned and operated by the EU, but is in fact managed by a privately owned consulting company.
For those in the US, we recommend the website of the ICO – the UK’s data protection authority. Here you’ll find useful guides, tools, assessments and more, also specifically tailored for small businesses.
If you understand Danish, Denmark's data protection authority has an informative website. They also regularly publish GDPR related verdicts and decisions that are worth being aware of.
Many of the questions we see in Facebook groups are related to marketing, e.g. newsletters, Facebook pixel, Google Analytics, "freebies" or opt-in material/campaigns and similar.
Remember, if you do any kind of marketing, you also need to adhere to marketing laws, in addition to the GDPR, if it involves the use of (processing) personal data.
Here you need to find out what laws are applicable to you. In Norway, for instance, we have the Marketing Control Act. The UK's ICO also has good information on this topic, read more here: The rules around business to business marketing, the GDPR and PECR
If I'd like to send out newsletters (that, in Norway at least, is almost always considered to be marketing), I need to ensure that I obtain contents that are valid both from a marketing and a GDPR perspective.
Some people think that "B2B" (business-to-business) marketing is exempt from the GDPR, because it's "business data" and not "personal data". This is wrong. As long as personal data is involved, like the name or email address of someone you can identify, the GDPR applies.
This means that a company/business email address in the format of firstname.lastname, or simply with initials, is considered as personal data in the GDPR. This is also the case in most marketing laws.
Which means that you cannot send marketing to such a person, without first getting consent from that person (or relying on a different legal basis).
If you're completely new to the GDPR, our first (and strongest) recommendation is to learn the basics.
Don't skip this step! You can outsource a fair bit around privacy in your business, but far from everything, and certainly not your own understanding.
You, as the business owner, need to have some basic knowledge, as it'll be you who'll have to answer to the authorities if you get a complaint or experience a data breach - not your consultant.
If you're pressed on time (as most of us are) and want to spend your time on your actual business (as most of us want to), feel free to outsource the practical things around getting compliant.
This could be to help you get an overview of the processing you do of personal data in your business, where personal data is stored, if the data has been secured (good enough), assuring you only use GDPR compliant processors, helping you write a GDPR compliant privacy notice for your website etc.
And, of course, when selecting a vendor, do make sure that they know what they're doing.
Cheap advice can quickly become expensive, if you suddenly face fines for not being properly compliant (like the website owners getting slapped with a €15 000 fine "only" for non-compliant cookie management and privacy notice).
PS: And Bedre Bedrift AS (GDPR Start), of course, only rely on credible GDPR sources in our work (along with the practical hands-on experience from working with over one hundred GDPR assignments so far).
Want to know more? Sign up here to receive more free, expert advice on how to run your business professionally and profitably.
GDPR explained so you actually understand it - tailored for professional online business owners! Submit the form to get notified as soon as we release our professional website checklist (including the GDPR stuff!).
You won't be added to our general marketing list and your personal data is processed only for sending you the checklist when it's ready, as well as one follow-up email to ask if you found it useful. Opt out at any time. Privacy notice