The articles on this website are written intentionally for small businesses and therefore don’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.
What is the GDPR - in a nutshell?
GDPR is short for the General Data Protection Regulation and it’s a European law about data protection, privacy and basic human rights.
A lot has been written about the GDPR and how to achieve GDPR compliance. My first and most important advice is: Only rely on credible sources. Meaning no random advice from Facebook groups or blog posts from companies that aren't GDPR experts.
The law applies if your business/organization is based in the EEA (the 27 EU member countries + the three EEA countries Norway, Liechtenstein and Iceland), or you (happen to) promote or sell goods/services to people in the EEA.
Notice that I said «people», not citizens, inhabitants or people of this or that nationality. As long as the people you target, or happen to target, are geographically inside the EEA, that’s enough.
That means that if you're based in the US, but have an online business and people from all over the world sign up for your freebies and newsletters, including from the EEA, then you likely need to comply with the GDPR.
This includes SaaS companies, tech startups, freelancers and all types of online entrepreneurs.
The law applies to all types of companies, associations, sports teams, schools and organizations, whether in the private or public sector, non-profits, charities or fully commercial businesses.
It doesn’t matter if you have employees or not, target consumers or only companies, sell engines for airplanes or «just run a small blog» - you simply don’t escape this law as long as you process personal data (of "data subjects", i.e., people, in the EEA).
Why is GDPR important?
GDPR is important because privacy and other human rights are important. The law is designed to protect you and to keep you (not Facebook or others) in control of your own data.
You might think that it doesn't matter, and you might not be that concerned about your privacy.
You may be happy to exchange personal information for free, whether it’s to use an app, get your tenth overnight stay for free or a complimentary chai latte on your birthday.
We like to get things for free. There’s nothing wrong with that (I do it myself and I enjoy my coffee app).
The problem is when your personal data is misused for financial purposes, or to influence international politics – which has consequences for all of us.
PS: Although you might think that it’s not a big deal how your personal data is processed, you have no right to make that decision for others. As a responsible business owner, you’re obliged to take good care of the personal data of customers, employees and others.
Good Data Processing, Really
GDPR is not here to make our lives as business owners more difficult.
The intention is to help us process personal data in a good way. However, the people writing the law text should have consulted with small business owners before releasing the final document… 🙈
My guess is that you haven’t read the law text, nor the guidelines from the national data authorities.
And if you have (tried to), you’re still feeling overwhelmed, frustrated and still not sure what to do – in which order – and when it’s actually good enough, for a small business.
Because the issue with the GDPR is exactly that. The law states many requirements, which data protection authorities reiterate, but few state what’s good enough for a small business.
There is, after all, a (huge) difference between a company of 130 000 employees and global revenue of 1 billion US dollars, and a solopreneur with 50 000 USD in national revenue.
Yet, the GDPR doesn’t really distinguish between the two. 🤯
So, what do you really need to do?
👉 Skip to the answer: GDPR compliance checklist for small, online businesses
In short, you need to:
- Understand the basics
- Document all personal data you process
- Do risk assessments
- Validate that the data processors and systems you use for managing personal data in your business are GDPR compliant
- Enter into legal agreements with these data processors (data processing agreements)
- Inform the people you have personal data on, typically in a privacy notice on your website
- Conduct privacy/GDPR training for your employees, which ideally includes data security guidelines
There are other requirements, but I’d start there. Also check out this more detailed GDPR checklist for small businesses.