This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.
GDPR is short for the General Data Protection Regulation and it’s a European law about data protection, privacy and basic human rights.
A lot has been written about the GDPR and how to achieve GDPR compliance. My first and most important piece of advice is: only rely on credible sources. That means no random advice from Facebook groups or blog posts from companies that aren't GDPR experts.
The law applies if you operate inside of the EEA (the 27 EU member countries + the three EEA countries Norway, Liechtenstein and Iceland), or you (happen to) promote or sell goods/services to people in the EEA.
Notice that I said «people», not citizens, inhabitants or with this or that nationality. As long as the people you target, or happen to target, are geographically inside of the EEA, that’s enough.
That means that if you intend to sell to Americans, but you have an online business and people from all over the world can sign up for your freebies, newsletters etc., and some of these could be from the EEA, then you also need to comply with the GDPR. This includes SaaS companies, tech startups, freelancers and all types of online entrepreneurs.
The law applies to all types of companies, associations, sports teams, schools and organizations, whether from the private or public sector, non-profits, charities or fully commercial businesses.
It doesn’t matter if you have employees or not, target consumers or only companies, sell engines for airplanes or «just run a small blog» - you simply don’t escape this law as long as you process personal data.
GDPR is important because privacy and other human rights are important. The law is designed to protect you and to keep you (not Facebook or others) in control of your own data.
You might think that it doesn't matter, and you might not be as concerned about your privacy.
You may be happy to exchange personal information for free, whether it’s to use an app, get your tenth overnight stay for free or a complimentary chai latte on your birthday.
We like to get things for free. There’s nothing wrong with that (I do it myself and I enjoy my coffee app).
The problem is when your personal data is misused for financial purposes, or to influence international politics – which has consequences for all of us.
PS: Although you might think that it’s not a big deal how your personal data is processed, you have no right to make that decision for others. As a responsible business owner, you’re obliged to take good care of the personal data of customers, employees and others.
GDPR is not here to make our lives as business owners more difficult.
The intention is to help us process personal data in a good way. However, the people writing the law text should have consulted with small business owners before releasing the final document… 🙈
My guess is that you haven’t read the law text, nor the guidelines from the national data authorities.
And if you have (or have tried to), you’re probably still feeling overwhelmed and frustrated, and still not sure what to do – in which order – and when it’s actually good enough for a small business.
Because the issue with the GDPR is exactly that. The law states many requirements, which data protection authorities reiterate, but few state what’s good enough for a small business.
There is, after all, a (huge) difference between a company of 130 000 employees and global revenue of 1 billion US dollars, and a solopreneur with 50 000 USD in national revenue.
Yet, the GDPR doesn’t really distinguish between the two. 🤯
👉 Skip to the answer: GDPR compliance checklist for small, online businesses
My guess is that you’re not as excited about GDPR as I am, and you would rather walk without shoes in the rain than read the actual law. ;) I get it.
Fortunately, I’ve spent around a thousand hours studying and working with GDPR, with a particular focus on simplifying the law for small business owners.
And my sources are exclusively the law text itself, the guidance from the EU Commission and the European Privacy Board (those who wrote the law), the information given by the data authorities in Norway, the UK, Germany and Denmark, and information and training from lawyers who are experts on privacy.
Fortunately, I’m not a lawyer, so I can give you tailor-made, practical advice. I (and privacy lawyers too) believe small business owners don’t have to, and shouldn’t, spend extensive time, money and resources following the law to the letter. Then we might as well close down the business.
Fortunately, I’m here to explain the GDPR to you in a way that makes it easy, not only to understand, but to implement.
And, in short, you need to:
There are other requirements, but I’d start there. Also check out this more detailed GDPR checklist for small businesses.