GDPR compliance checklist for SaaS, tech and online business

gdpr Jul 30, 2020

And does the GDPR even apply to you?

You're probably wondering how many hours it will take to comply with the GDPR, the new European data protection and privacy law, applicable to almost every online business (across the world).

In short, if you promote or sell services to people in the EU, you need to comply with the GDPR. Simply promoting your stuff online to EU people (through email list building for example), is enough.

If you're a US company with a target market in California, and you happen to sell something to a dude in Germany once every blue moon, then you probably don't have to worry about the GDPR. You've got your own laws to worry about, though (CCPA), and GDPR-like laws are sprouting all over the world, so perhaps you might as well do *something* about how you handle personal data.

👉 If you're still unsure, take the ICO's (the UK data protection authority) assessment here: Does data protection law apply to my business?

After spending well over a thousand hours studying and working on the GDPR, for a few hundred clients from solopreneurs to 550+ organisations, relying solely on credible sources, I know how demanding GDPR is, especially for small businesses.

In this article we'll go through how much time you need and should set aside to get your GDPR compliance in order (and how to achieve that).

Disclaimer: I’m not a lawyer and this article is for informational purposes only (read the full disclaimer).

This GDPR guide is about 5 000 words. I dare say it’ll probably be the most valuable 30-45 min. you spend on your basic GDPR knowledge. Make that investment.

Table of contents

  1. GDPR applies, even for a company of one
  2. How many hours does it take to become GDPR compliant?
  3. This will impact your GDPR hours significantly
  4. The 3 phases of GDPR compliance (for any online business)
  5. Phase 1: Gain a basic GDPR understanding
  6. Phase 2: Build the GDPR foundation (GDPR checklist)
  7. (Extra) GDPR compliance for SaaS startups
  8. Phase 3: Ensure ongoing compliance
  9. How much money should you spend on the GDPR?
  10. Final thoughts and tips

First, avoid these GDPR mistakes

In my experience, there are some mistakes I see over and over again:

  • You think you’re GDPR compliant already
  • You don’t think the GDPR applies to you
  • You haven’t done anything with the GDPR, you simply don’t have time…
  • You don’t think privacy is important 🤨

«You don’t know what you don’t know», is a great saying, especially for the GDPR. Many aren’t actually aware they’re in breach of the GDPR, and often also marketing laws. ❌

Some companies think it’s enough to have a privacy notice on their website. That they can use an online tool to «do GDPR», ensure compliance through a new system or subscribe to a service.

Or outsource everything to a lawyer or consultant.

This can quickly become a costly mistake. 💸

Because it’s your responsibility, as the business owner, to ensure compliance with any laws applicable to your business, be it for accounting, taxes, GDPR or marketing.

It’s you who’ll get the fine (up to 4% of your global revenue or €20 million…).

First and foremost, you HAVE to understand the GDPR basics. Otherwise you won’t know if you are GDPR compliant (enough). And you risk hefty fines, even as a tiny, micro business.

1. GDPR applies, even for a company of one

Founders of SaaS companies, tech startups, solopreneurs, freelancers, and any online business entrepreneur or small business owner, don't have much spare time. It's in the nature of what we do.

We wear all the hats. We're the CEO, the accountant, the Chief of Marketing, customer support, the legal team, Head of PR, and the IT Director (or, if we're lucky, we have a CTO cofounder).

We not only have to be experts in AWS, Laravel, MySQL or WordPress, but also at online ads, email marketing, social media, building (and selling) online courses and so much more.

Like the GDPR. Oh dread. 😱

The good news: You don't actually have to be a GDPR expert.

The (perceived) bad news. You really do have to do some work around the GDPR.

But this is not bad news at all! (Stop squirming.)

👉 It also means that you’ll get a valuable overview of your systems and processes, reduce the risk of those hefty fines (significantly) and gain a marketing advantage, not only saying you “take privacy seriously” – you can actually demonstrate it.

2. How many hours does it take to become GDPR compliant?

200. At least that's what Google replies when you ask. At a minimum, the article goes on to say. But this is for a 50-250 employee company.

Does that mean you can simply divide 200 by 50 and get an estimate for you (a company of one)?

Sorry to disappoint you, but no one in the world can get GDPR compliant in 4 hours.

I certainly didn't understand everything around accounting, bookkeeping and payroll, in only 4 hours, either. And the GDPR is a huge law, just like your national law on accounting.

Running a business means you need to deal with excruciating stuff. 🤷‍♀️ It's not like we get to invoice every hour of our work day, or work exclusively on what we love.

Factors that will directly impact the number of hours

Estimating how long your GDPR compliance will take is impossible without knowing more about your business.

It depends on several factors:

  • Your prior knowledge of compliance, privacy and security issues
  • The level of GDPR compliance you’re aiming for: following the law to a T, or “good enough” for your kind of business?
  • How big or small your company is: number of employees
  • How long your business has existed: do you have years and years of archives?
  • The complexity of your business: number of systems, volume of personal data (both in terms of number of data entries, and the varieties of data)
  • Types of personal data: “normal”, sensitive and special category (like health data, data that is specifically regulated by the GDPR)
  • What you sell: are you a SaaS company/tech startup, building digital solutions/apps?
  • If you're only a controller, or also a data processor
  • Your marketing efforts: do you use pixels and tags on your website, email newsletters, freebies, sales webinars, affiliate programs?
  • Your global revenue (as GDPR fines are calculated based on this, regardless of whether you're making money, or not)
  • How structured you and your business processes already are (the more structure you have from before, the easier and quicker GDPR compliance will be)

As you can see, it's not easy to give you a good estimate, with so many influencing factors. 🤯

How GDPR compliant do you want to be?

This is a huge question. Your answers from the last paragraph will largely determine how GDPR compliant you should/need to be.

Then you need to consider what level of compliance is enough, for you.

Here are some considerations:

  • Do you sell to consumers, or only to other businesses?
  • Do you have enterprise/corporate clients?
  • Do you have public sector clients?
  • How important/crucial is your business reputation and will it be damaged by a personal data breach? How severely?
  • What industry are you in? Do you process health data or the personal data of children?

Having enterprise or public sector clients will impact your GDPR efforts hugely.

Not only do they require (lots of!) thorough documentation, but you need to be able to discuss compliance, GDPR and security issues with legal and procurement teams.

Then, imagine you experience a personal data breach. How damaging can/will this be for your business/industry/among peers, if it made the front page of your local or national newspaper?

And if you're in the health and fitness industry, or if you process any personal data on children, it gets worse (e.g. if your app is for logging health data or one that local schools use).

💡 Key take-away: Several factors influence your GDPR efforts and the number of hours you need to spend. Giving an accurate estimate is impossible.

GDPR hours estimation for a simple, micro business

As you probably understand by now, there are too many variables in play to give you a sound estimate.

And, if I were to give you all of them, you would spend more time reading this article, than just getting on with it. 🙄

So, the following estimate is to give you something to compare against, instead.

Benchmark:

  • One-person company in the EU
  • Traditional brick-and-mortar shop
  • Been in business for less than three years
  • Doesn't have paper files/archives
  • Uses 8 systems (email, calendar, website with contact form, booking, CRM, accounting, cloud storage, Facebook company page), with two of them in the US
  • Never used personal/private systems (email etc.) for business purposes (which is not only a breach of vendor terms, but also a GDPR breach)

The business owner decides to do all the work, without hiring help.

The mathematics (rough estimates):

  • Understanding the GDPR: 10-20 hours
  • Creating the personal data inventory and adding processes and systems: 2-3 hours
  • Checking where personal data is stored: 1-2 hours
  • Obtaining data processing agreements: 2-3 hours
  • Obtaining safeguards for the international transfer of personal data: 1-2 hours
  • Completing details on processing activities (type of data, purpose, legal grounds, recipients etc.): 2-4 hours
  • Doing a personal data risk assessment: 2-4 hours
  • Updating and implementing security measures: 1-3 hours
  • Writing internal policies and procedures: 5-15 hours
  • Writing and publishing the privacy policy: 4-8 hours
  • Ensuring a GDPR compliant website: 1 hour

In addition, you'll have to ensure your ongoing compliance. ✅

For a micro company, this could take 10-20 hours a year, depending on the number of internal GDPR audits and data subject access requests (people who want to know what you do with their data).

And remember, this is for an uncomplicated, tiny business that hasn't developed an app, isn't a data processor, doesn't do email marketing or webinars, doesn't sell to enterprise clients, doesn't have complicated data flows, doesn't use AWS and doesn't transfer lots of data to the US…

All these things will add to your GDPR work, and especially if you're doing it on your own.

3. This will impact your GDPR hours significantly

One aspect of the work will (could) impact the number of hours you spend on the GDPR (significantly), and how easy or difficult it will (could) be.

I say “could” as this is contingent on the quality of the help you get (which could be useless).

Below we’ll go through the 3 phases of your GDPR compliance.

Each phase is directly impacted by the following two factors:

1. Doing the work yourself (without help) = requires more of your time, but costs less (or nothing)

2. Getting someone to guide you (with help) = costs more money, but requires less of your time

If you opt for option 1, without help, the number of hours depends largely on your personal interest in data protection laws and your general knowledge around compliance and security.

However, unless you’re a GDPR expert yourself, knowing exactly what to spend time on when doing your GDPR compliance, can be a huge time-waster.

💡 Reading this article is anyway a great start and the GDPR insights here will help you plan and implement the work faster and better.

PS: Everything you need to learn about and implement the GDPR, can be found online, free of charge. Every piece of GDPR information. The content is free. The time you spend reading it, however, isn’t without cost.

Just make sure you rely only on credible sources and not advice found in Facebook groups or random blog posts.

Understanding GDPR on your own will require more of your time

The biggest pitfall of this approach is that you spend hours (and hours, and hours) reading up on GDPR stuff that doesn't apply to you.

Consider for example the data protection officer role, required for some companies as per the GDPR Article 37.

Did you notice I said "some"?

As recently as July 2020 I came across this Twitter thread where someone stated, exasperated:

This is not correct. ❌ Not every company has to have a DPO. Some do.

Small businesses don’t, most often, need to appoint a DPO (but it’s more likely with SaaS companies). Obviously, you need to check this, or talk to someone who will help you with such an assessment.

And in any case, document your consideration and decision.

It could be beneficial, though, to appoint a Privacy Officer. Also from a marketing perspective, to demonstrate your GDPR commitment.

Another example is writing your own privacy policy. An entrepreneur, who didn't want to spend anything on his GDPR compliance, proudly shared that he had spent around 40 hours on the policy alone... 😶

No one should spend 40 hours on a privacy policy (!). You can spend that in total for (the first parts of) your GDPR compliance. And, with even just a small investment, save lots of time.

👉 If you still want to do all the work yourself, make sure you use the ICO's website and take their GDPR assessment (click the "Read more" on every question, so you really get the full picture).

Getting (qualified) GDPR help will save you time (and grey hair)

(Did you notice I said “qualified”?)

Getting GDPR help can mean everything from do-it-yourself templates to done-for-you services.

And just getting someone qualified to show you exactly what to read, understand, and implement, could be invaluable.

It not only saves you lots of time, but probably at least 52 grey hairs and an urge to throw your computer out the window.

Like when you have to:

  • Determine the credible sources to base your understanding and efforts on 👩‍🎓
  • Read the law, the actual legal text 📜
  • Figure out what parts apply to your specific business 🔎
  • Prioritise and plan the work, for your specific business 📝
  • Understand how to stay compliant ✅
  • Understand law speak, the legalese, the legal jargon ⚖

Unless you find the GDPR interesting and fun, like I do! 🤩 Yep, I said fun!

💡 Key take-away: You need to understand a minimum of the GDPR yourself. Having a GDPR guide could get you further along the way, faster.

4. The 3 phases of GDPR compliance for any online business

Or any business, of any size, for that matter.

This is how I plan and run GDPR projects for larger organisations. The same methodology is applicable to entrepreneurs, freelancers and online business owners, just on a smaller scale.

In addition to the process described below, there are certain requirements only applicable to SaaS and tech companies/startups. Make sure you also read those if you’re a (co-)founder, developer, CTO. 👇

Before setting sails for your GDPR compliance journey, you should consider three phases:

  1. Gaining a basic understanding of the GDPR, and what it means for your business
  2. Building the GDPR foundation
  3. Ensuring ongoing compliance

We’ll delve into each phase in the following sections.

Finding out how much time you will have to spend on the GDPR, should be estimated for each phase.

And, again, the number of hours will, in each phase, depend on the amount of work you decide to do yourself, vs. with a GDPR guide.

💡 Key take-away: Plan and do your GDPR work in phases. Don’t aim to be fully GDPR compliant if you’re not even making any money in your business today.

5. Phase 1: Gain a basic understanding of the GDPR

Whatever you do – make sure you, yourself, truly understand what the GDPR is and means for your business.

Below is a list of the GDPR phrases you should (need to) know, at least initially. You really do need to understand these things once, in order to build the GDPR foundation.

Then, you don’t have to go around remembering this to a T, but at least be familiar with it.

If you hired help before and all of these words are completely new to you, and you don’t know if you have obtained data processing agreements or safeguards, you might want to consider asking for a refund… 🤨

The ICO assessment mentioned before could also be a good place to start.

The GDPR definitions you should know:

  • What personal data is, including special category personal data
  • What constitutes “processing” of personal data
  • What “controllers” and “(data) processors” are
  • Your responsibilities as a controller, and as a data processor, if you are one
  • If you’re building an app, what Privacy by design and default is, and how to implement it
  • What a data processing agreement is, and when and how you need to obtain one
  • How to build the (mandatory) personal data inventory
  • What the legal grounds are for processing personal data and which ones apply in your business
  • How to define (and document) the purpose for processing personal data
  • When and how to conduct a personal data risk assessment
  • When to delete personal data
  • What “recipients” and “third parties” mean with respect to the GDPR
  • What a safeguard for international transfers of personal data is, which one(s) to obtain, and how (including what an “international transfer” means)
  • What a valid consent is, as per the GDPR
  • What to do if you experience a personal data breach, and when you’re required to notify a data protection authority and people affected by the breach
  • What a privacy policy is and what needs to be included for it to be valid as per the GDPR
  • What you need to do to have a GDPR compliant website and do GDPR compliant email list building and email marketing
  • Our rights as per the GDPR (which are the rights your customers have, for the processing you do on their personal data)

If this list makes you want to run away screaming, you should definitely consider getting help. Talking to someone who gets both the legalese, and is able to translate it to words you actually understand, is invaluable.

💡 Key take-away: You need to understand a minimum of the GDPR yourself, at least initially.

6. Phase 2: Build your GDPR foundation (the most hours)

So, you got a basic understanding of the GDPR and how it affects your business. 👊

Next, you’ll get down to business and set up your GDPR foundation. This is where the bulk of the work is, and where a GDPR plan will be very helpful.

GDPR checklist for small businesses

  1. Don’t faint, but I’d like you to glance at the law text, mostly so that you understand how complex the law is (just have a peek!)
  2. Get clear on what personal data is (just about anything)
  3. Build your personal data inventory* (“records of processing activities”), where you list all the systems and data processors you use (like MailChimp, Gmail, Dropbox, ProtonMail – every single system where you store personal data of others)
  4. For each data processor, do a GDPR due diligence on their company and system (it's our responsibility to only use GDPR compliant vendors...), and obtain (and validate) a data processing agreement
  5. Find out where the personal data (for each system) is stored (where are their servers) and if the data processor is based outside of the EEA (the EU plus Iceland, Norway and Liechtenstein)
  6. If necessary, obtain safeguards for international transfers (data stored or data processor used outside of the EEA), such as the EU Model Clauses
    (NB! the Privacy Shield certification scheme was made invalid by the EU on 16 July 2020!)
  7. For each processing activity*, determine the personal data involved, for whom, the purpose, legal basis, retention period and recipients
  8. Do a risk assessment for the processing of personal data you do
  9. If necessary, define and implement additional technical and organisational security measures
  10. Write/update your privacy notice and publish on your website (numerous privacy policies aren’t GDPR compliant so double check yours or get a template)
  11. Ensure your website is GDPR compliant (SSL, privacy notice with links in footer and on all forms, cookie notice describing use of cookies, pixels, web beacons etc.)
  12. Add regular internal GDPR audits to stay compliant going forward (including GDPR training for employees)
  13. Be prepared in case you receive a data subject request, if someone wants to know what data you process on them, or have them deleted

And when all this is done, you should also define and write up some key internal GDPR policies and procedures (e.g. for what to do if someone asks for access to their data).

So, there you have it. If you’re feeling like this right now: 🤯… I totally get it.

GDPR is overwhelming, and anyone telling you it’s “easy” either doesn’t run their own business, or doesn’t themselves understand the complexity of the law.

🛑 The personal data inventory is one of the most important GDPR requirements. If you aren't fully aware of all your processing activities, you will have a false sense of comfort, so make sure you fully understand what to do here.

* Here is an example of what one row of the inventory could look like, one Article 30 field per line:

  Article 30 required information | Description
  Type of processing | Sending newsletters
  Data processor/system | MailChimp, The Rocket Science Group
  International transfer safeguard | EU standard contractual clauses (SCCs)
  Security measures | Internal: Access control, backup, NDA signed with marketing bureau. Data processor's security: https://mailchimp.com/about/security
  Data processor agreement | Yes, signed and stored in GDPR folder
  Personal data | Name and email address
  Data subjects | Newsletter subscribers
  Purpose | Sharing news, offers, information about events etc. to leads, customers and other contacts
  Legal basis | GDPR Article 6-1 a) Consent
  Retention period | For as long as the data subject subscribes. When they unsubscribe, we delete their data at the latest [x weeks/months] afterwards
  Recipients | Marketing bureau X who manages our newsletter on our behalf (we have signed a DPA with them)
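To show how the inventory row above and checklist items 4 to 7 fit together, here is an added example (my own illustration, not code from the article): one processing record modelled on the newsletter row, plus checks for a missing data processing agreement, a non-EEA processor without a transfer safeguard, reliance on Privacy Shield after 16 July 2020, an invalid Article 6-1 legal basis and an unfilled retention period. The record fields, the `check_record` and `audit` functions and the country list are assumptions for the example.

```python
import re
from dataclasses import dataclass, field, replace
from datetime import date
from typing import List, Optional

# Hypothetical helper (not from the article): one row of the personal data
# inventory ("records of processing activities", GDPR Article 30) modelled on
# the newsletter example, plus checks that mirror checklist items 4 to 7.

# EU-27 plus Iceland, Norway and Liechtenstein: the EEA, as the checklist describes it.
EEA_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "NO", "LI",
}

# Date the article gives for the invalidation of the Privacy Shield scheme.
PRIVACY_SHIELD_INVALID_FROM = date(2020, 7, 16)

# The inventory writes the legal basis as "GDPR Article 6-1 a) Consent";
# accept any of the six Article 6(1) grounds, letters a) to f).
LEGAL_BASIS_RE = re.compile(r"Article 6-1 ([a-f])\)")


@dataclass
class ProcessingRecord:
    type_of_processing: str
    processor: str                    # data processor / system
    storage_country: str              # ISO 3166-1 alpha-2 code of where the data is stored
    dpa_signed: bool                  # data processing agreement obtained and stored
    transfer_safeguard: Optional[str]
    security_measures: List[str]
    personal_data: List[str]
    data_subjects: str
    purpose: str
    legal_basis: str
    retention_period: str
    recipients: List[str] = field(default_factory=list)


def check_record(rec: ProcessingRecord, today: Optional[date] = None) -> List[str]:
    """Return a list of findings; an empty list means the row passes every check."""
    today = today or date.today()
    findings: List[str] = []

    # Item 4: every processor needs a (validated) data processing agreement.
    if not rec.dpa_signed:
        findings.append(f"{rec.processor}: no data processing agreement on file")

    # Items 5 and 6: data stored or processed outside the EEA needs a transfer
    # safeguard, and Privacy Shield no longer counts as one after 16 July 2020.
    if rec.storage_country.upper() not in EEA_COUNTRIES:
        safeguard = (rec.transfer_safeguard or "").strip()
        if not safeguard:
            findings.append(f"{rec.processor}: data outside the EEA with no transfer safeguard")
        elif "privacy shield" in safeguard.lower() and today >= PRIVACY_SHIELD_INVALID_FROM:
            findings.append(f"{rec.processor}: relies on Privacy Shield, invalid since {PRIVACY_SHIELD_INVALID_FROM}")

    # Item 7: personal data, purpose, legal basis and retention period must be filled in.
    if not rec.personal_data:
        findings.append("no personal data categories listed")
    if not rec.purpose.strip():
        findings.append("purpose of processing not stated")
    if not LEGAL_BASIS_RE.search(rec.legal_basis):
        findings.append(f"legal basis is not one of Article 6-1 a) to f): {rec.legal_basis!r}")
    if not rec.retention_period.strip() or "[x" in rec.retention_period:
        findings.append("retention period missing or still a [x weeks/months] placeholder")

    # A processor with no documented security measures is a due-diligence gap (item 4).
    if not rec.security_measures:
        findings.append(f"{rec.processor}: no security measures documented")
    return findings


# Constructed sample row, copied from the newsletter example in the inventory.
NEWSLETTER = ProcessingRecord(
    type_of_processing="Sending newsletters",
    processor="MailChimp, The Rocket Science Group",
    storage_country="US",
    dpa_signed=True,
    transfer_safeguard="EU standard contractual clauses (SCCs)",
    security_measures=["Access control", "backup", "NDA signed with marketing bureau"],
    personal_data=["name", "email address"],
    data_subjects="Newsletter subscribers",
    purpose="Sharing news, offers, information about events etc.",
    legal_basis="GDPR Article 6-1 a) Consent",
    retention_period="For as long as subscribed; deleted at the latest [x weeks/months] after unsubscribing",
    recipients=["Marketing bureau X (DPA signed)"],
)


def audit(records: List[ProcessingRecord], today: Optional[date] = None) -> dict:
    """Map each processing activity to its findings, for an internal GDPR audit (item 12)."""
    return {rec.type_of_processing: check_record(rec, today) for rec in records}


if __name__ == "__main__":
    # The row as written still carries the [x weeks/months] placeholder; a variant
    # that relies on Privacy Shield shows the post-16-July-2020 finding.
    shield_variant = replace(NEWSLETTER, transfer_safeguard="Privacy Shield certification")
    for activity, findings in audit([NEWSLETTER, shield_variant]).items():
        print(activity, "->", findings or ["OK"])
```

Running the block prints the retention placeholder finding for the row as written; an empty list for a row means it passes these structural checks, not that the processing is lawful.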

 Sign up for my e-letter and reply to the first email to get a free GDPR template when it’s ready.

7. (Extra) GDPR compliance for SaaS startups/companies

If you’re building tech, software or any digital solution (“app”), there are additional requirements for you.

👉 First; take this seriously, to avoid reputational damage such as this:

* This Twitter discussion on a GDPR deletion request breach sparked several other similar tweets about the same company and probably made a huge dent in their reputation.

Second, you need to determine if you’re only a controller, or also a data processor. The ICO has detailed guidance on both roles and I recommend that you read this carefully (or get help assessing your role(s)).

If you're (also) a data processor, that in itself means you have additional responsibilities, cf. Article 28.

You’re not only responsible for your data, but someone else’s data, and you need to provide a data processing agreement as per the GDPR Article 28-3.

🛑 Not complying with the GDPR as a data processor is a huge risk.

In sum, here are the other aspects you should consider/do:

  • Read in particular Article 25 (and 28)
  • Appoint a Privacy Officer, if you don’t require a DPO (add to an internal role, hire someone or hire one as a service)
  • Check if you’re required to appoint a EU Data Representative, cf. Article 27
  • Ensure your app is built with data protection by design and default (previously privacy by design – the key change with the GDPR is that it’s now a legal requirement),
  • ...that it’s set up for easy data portability,
  • ...and (preferably self-service) account deletion, cf. Article 17 (but, of course, you need to be 100% sure you are legally able to delete personal data, and not required to keep it for accounting, tax or other business purposes)
  • Create a data map, showing all data flows of your app, and make sure you include everything in your personal data inventory (log files, diagnostics data, backups etc.)
  • Consider if a DPIA (data protection impact assessment) is necessary
  • For data processors; create and maintain records of all categories of processing activities, cf. the GDPR Article 30-2
  • Write and add a GDPR statement to your website (in addition to your privacy notice), including information on the data processing agreement

💡 TIP: Whenever you consider/check/decide on something, document it. If you decide you don’t need a DPO, the authorities might disagree, but you can significantly reduce the risk of a fine if you can prove you actually made a conscious decision.

This is not a complete list of everything you need to take into consideration, but it’ll get you pretty far.

💡 Key take-away: View your GDPR compliance as a journey. It might not be the most thrilling journey you’ve ever been on, but it makes the work less overwhelming. Document everything.

To be added later: A SaaS/tech GDPR resources list (privacy and security).

8. Phase 3: Ensure your ongoing GDPR compliance

Good news: We’re almost there! 🙌 This is the last phase of your GDPR compliance journey.

Bad news: It never ends. 🙈

Sorry to have to break it to you, but GDPR compliance is no different from any other business compliance. It’s ongoing, just like bookkeeping and taxes.

The law itself doesn’t say exactly when you need to perform certain tasks. It just outlines the requirements, and then it’s your responsibility to ensure you comply.

The GDPR is a fairly new law and there are still grey areas. Some are in the legal system already and the enthusiasts among us are eagerly waiting for judgements – that will set precedents going forward.

For example, GDPR Article 5-1-e states a storage limitation.

You can’t keep personal data for longer than you “need” it, but this “need” has to be specified (purpose) and legally valid (legal grounds for processing).

Recital 39 elaborates: “In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”

👉 In order to stay GDPR compliant, plan and conduct regular GDPR audits/reviews.

How often should you do GDPR audits?

If you’ve built a solid GDPR foundation, keeping up GDPR compliance won’t be too demanding. It also depends on how much you’re going to do yourself vs. delegating or outsourcing.

My recommendation for a small, uncomplicated business such as in the example above, is to do an annual review/audit, or every 18 months.

Anything less will likely raise eyebrows at the authorities.

The number of GDPR reviews every year depends on the same factors that impact the number of hours required to work with your privacy compliance.

It depends on how complex your business and personal data inventory are, how much data you process, and how sensitive it is.

Any SaaS company with a few employees should at least do an annual audit, and perhaps more if you’re also a data processor.

Newly founded businesses can see my comment in the next section.

💡 Key take-away: GDPR is ongoing. Plan for regular audits (add them to your calendar) and document each one.

9. How much money should you spend on the GDPR?

Let me start by saying this: You can't outsource GDPR 100%.

You, as the business owner, have to understand a minimum of what the GDPR is and means for your business. Ultimately, it's you who's held accountable if you're not GDPR compliant.

Not the GDPR lawyer or consultant you hired. Not the GDPR tool, system or plugin you purchased, or the vendor providing it.

The GDPR fine is issued to the controller, that is, you. 💸

The question you need to ask yourself, is What will an investment in GDPR compliance give me?

If an investment isn’t making you more money in your business, you need to consider what it’s preventing.

In the case of the GDPR, we’re doing our compliance to:

  • Comply with business laws and regulation 🤷‍♀️ (most people think this is a good enough reason)
  • Reduce the risk of a personal data breach, to protect the people we process data on (so a good thing to do for our customers)
  • Protect our business assets as the GDPR risk assessment and subsequent security measures will raise the level of security in our business, in general
  • Reduce the reputational damage in case of a breach (that we all are at risk of experiencing, no matter how good our security is)
  • Reduce the risk of facing a GDPR audit by a data protection authority
  • Significantly reduce the risk of a fine if you still got audited

👉 Think of investing in GDPR like an insurance policy, that could save you both money and embarrassment.

What SaaS and tech startups need to consider

A SaaS or tech startup (or any fledgling business) shouldn’t spend money on GDPR requirements in the starting phase of their business. Especially if your turnover is zilch (!).

For the first year or two it’s pretty much about building your business case, pitching at demo days, competing in angel challenges and writing investor presentations…

Or, perhaps the better way, just working your b*tt off (and validating your product/idea before pouring more money into devops), bootstrapping your way to profit.

👉 However, as soon as you start approaching hockey stick growth, making a profit, attracting the attention of investors, the GDPR traffic light switches from green to amber.

Regardless, you should do something with privacy when you launch your business. There are free resources (like this site and the ICO’s) to get you started.

You can spend a few hours learning the basics and writing up a privacy notice for your website. IMHO.

And when you’ve proved your business case, then make a plan for how you’re going to deal with the GDPR. Come back to this article and read it again, thoroughly.

Getting the wrong kind of help can get very expensive

GDPR consulting is big business. 🤑 Make sure you know that the person helping you knows their stuff, and doesn’t sell you more than you need right now.

First, if someone hasn't even read the (entire) legal text, they shouldn't be giving advice on the GDPR. Including lawyers.

There are thousands of different laws and regulations, and being a lawyer doesn't mean they know anything about the GDPR.

If you get audited, it won't help saying that you "didn't know". It’s 100% your responsibility to ensure compliance, as the business owner and controller.

Second, as shown in this article, several factors impact the level of your GDPR efforts. Plan your GDPR work in phases and get help where it makes sense for your business, where it’s at right now.

A decent GDPR consultant or lawyer will discuss this with you and advise on how compliant you should be.

Ultimately, however, it’s a risk assessment, and one you have to do yourself.

When deciding how much to spend on getting help, and what kind of help you should look for, there are some things to be aware of.

🚩 Red flags you should look for when considering GDPR helpers:

  • They haven’t specialized in the GDPR, but offer GDPR services more or less at random, in addition to all other types of advisory services
  • They call data subjects “consumers” or state you must rely on Privacy Shield (which is now, anyway, invalid)
  • They promise you’ll get fully GDPR compliant after working with them (no one can promise you that, not even me)
  • They sell a “GDPR plug-and-play” service and claim it’s the only thing you need to “be GDPR compliant” (failing to mention that the tool or plugin only (and only perhaps) solves a tiny part of the entire GDPR work)
  • They don’t keep continuously up to date on relevant regulatory changes (like the invalidation of the Privacy Shield certification that’s impacting personal data flows between the EU and the US in a significant way)
  • They offer to trade GDPR services for access to your product
  • They charge $50 an hour
  • They have no demonstrated experience with or references from prior work
  • They dodge the question or won’t answer when you ask them if they’ve actually read the entire legal text

💡 Key take-away: Get help, but from the right kind of expert and for the business stage you’re at right now.

10. Final thoughts and tips

First, congratulations on making it all the way to the end! 🙌

One of my goals is to curate GDPR information for the smallest businesses, with the smallest budgets, and I’ve spent days trying to make sure this article would be as useful as possible for you.

When you now get ready to get down to work, here are some final tips for you:

  • Document everything that you do with the GDPR. Every single GDPR effort (even reading this article!). If you do get audited by the ICO or another supervisory authority, this document will be very valuable, since it’ll demonstrate your commitment to taking privacy seriously
  • Don’t freak out. GDPR is complex, but not impossible. You didn’t become an accountant overnight either, still you do invoicing and online payments. Consider getting GDPR compliant as a journey. Do one step at a time. But do something
  • Work systematically. Don’t try to cover all steps above in one day. Decide what you’re going to work on in a given day, and do only that
  • Be patient. Most likely you’ll have to read the same stuff a few times to really get it. Even I, with a burning passion for privacy and a huge interest in the law, struggled to understand it all. It took months before I was truly confident with the requirements

And there you have it.

I truly wish you the best of luck with the GDPR, and, not the least, with your awesome business!

If you’d like to stay up to date on other GDPR articles and other tips on how to run a professional and profitable small business, sign up for my e-letter.

I’d love to hear what you thought about this guide and if you have any tips on how to improve it. If you signed up for my e-letter you can simply reply to the first email you get. Otherwise feel free to reach out.
