This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.
GDPR is short for the General Data Protection Regulation and it’s a European law about privacy. The law applies if you operate inside of the EEA (the 27 EU member countries + the three EEA countries Norway, Liechtenstein and Iceland), or you (happen to) promote or sell goods/services to people in the EEA.
Notice that I said «people», not citizens, inhabitants or people of this or that nationality. As long as the people you target, or happen to target, are geographically inside of the EEA, that’s enough.
That means that if you intend to sell to Americans, but you have an online business where people from all over the world can sign up for your freebies, newsletters etc., and some of these people could be in the EEA, then you also need to comply with the GDPR.
Further, the law applies to all companies, associations, sports teams, schools and organizations, whether from the private or public sector, non-profits, charities or fully commercial businesses.
It doesn’t matter if you have employees or not, target consumers or only companies, sell engines for airplanes or «just run a small blog» - you simply don’t escape this law as long as you process personal data.
Read more: What is personal data?
GDPR is important because privacy is important. The law is designed to protect you and to keep you (not Facebook or others) in control of your own data.
You might think that it doesn’t matter, and you might not be that concerned about your privacy. You may be happy to exchange personal information for something free, whether it’s to use an app, get your tenth overnight stay for free or a complimentary chai latte on your birthday. We like to get things for free. There’s nothing wrong with that (I do it myself and I enjoy my coffee app).
The problem is when your personal data is misused for financial purposes, or to influence international politics – which has consequences for all of us.
PS: Although you might think that it’s not a big deal how your personal data is processed, you have no right to make that decision for others. As a responsible business owner, you’re obliged to take good care of the personal data of customers, employees and others.
GDPR is not here to make our lives as business owners more difficult. The intention is to help us process personal data in a good way. However, the people writing the law text should have consulted with small business owners before releasing the final document…
My guess is that you haven’t read the law text, nor the guidelines from the national data authorities. And if you have (tried to), you’re still feeling overwhelmed, frustrated and still not sure what to do – in which order – and when it’s actually good enough.
Because the issue with the GDPR is exactly that. The law states many requirements, which data protection authorities reiterate, but few state what’s good enough for a small business.
There is, after all, a (huge) difference between a company of 130 000 employees and global revenue of 1 billion US dollars, and a solopreneur with 50 000 USD in national revenue. Yet, the GDPR doesn’t distinguish between the two.
My guess is that you’re not as excited about GDPR as I am, and you would rather walk without shoes in the rain than read the actual law. ;) I get it.
Fortunately, I’ve spent around a thousand hours studying and working with GDPR, with a particular focus on simplifying the law for small business owners.
And my sources are exclusively the law text itself, the guidance from the EU Commission and the European Privacy Board (those who wrote the law), the information given by the data authorities in Norway, the UK, Germany and Denmark, and information and training from lawyers who are experts on privacy.
Fortunately, I’m not a lawyer, so I can give you tailor-made, practical advice. I (and privacy lawyers too) believe small business owners don’t have to, and shouldn’t, spend extensive time, money and resources following the law to the letter. Then we might as well close down the business.
Fortunately, I’m here to explain the GDPR to you in a way that makes it easy, not only to understand, but to implement.
And, in short, you need to document all personal data you process, in a particular way, perform risk analysis and enter into legal agreements with all the companies that process personal data on your behalf, such as Dropbox, Google, Kajabi and so on, and also inform all the people you hold personal data on, typically in a privacy notice on your website. You also need to have privacy/GDPR training for your employees that ideally includes data security guidelines. There are other requirements, but I’d start there.
In the following articles we’ll dive deeper into each area, and I’ll guide you, step-by-step, on everything you should do, in the recommended order.
Welcome to GDPR made simple!