As a longtime data privacy expert, I understand that complying with the General Data Protection Regulation (GDPR) can overwhelm small businesses.
Ignoring it can lead to lost customer trust, legal issues, and potential fines. But, with the right approach, you can navigate GDPR compliance without a legal team or a big budget.
In this checklist, I walk you through the GDPR requirements and provide steps for your small business to start complying.
GDPR Small Business Checklist
Below is my GDPR checklist for small businesses featuring links to relevant sections of the law to help simplify your compliance efforts.
Step 1. Understand Your Responsibilities
Before taking action, determine if and how the GDPR applies to your business.
Check if the GDPR applies to your small business.
If your business is in the European Union (EU) or European Economic Area (EEA), or if you’re located elsewhere but you collect personal data from individuals in the EU/EEA, you must follow the GDPR (Chapter 1, Article 3).
Know if you’re a data controller or processor.
The GDPR classifies businesses as either controllers or processors: A controller determines how and why data is collected, while a processor handles data on behalf of the controller (Chapter 1, Article 4).
Determine if you need a Data Protection Officer (DPO).
A DPO is appointed by a business to ensure that they follow data protection laws (Chapter 4, Article 37).
The GDPR requires a DPO for businesses that:
- Are government or public organizations.
- Handle sensitive information on a large scale.
For example, if you run a hospital, you would likely need a DPO due to the frequent processing of patient data, such as health records, medical history, and patient identification.
This type of data is classified as sensitive, and processing it requires heightened protections to safeguard patient privacy.
Step 2. Conduct a Privacy Audit on Your Website
A privacy audit maps out what data you collect, where it’s stored, and how it’s shared.
Know what data you collect and where it’s stored.
Identify all personal data your business collects, including customer details and analytics data.
Determine the legal basis for your data collection.
Under the GDPR, businesses must have a lawful basis for collecting and using personal data. To ensure compliance, you’ll need to document the legal basis for each type of data collected (Chapter 2, Article 6).
The six legal bases under the GDPR in are:
- Consent: You run a newsletter and ask users to opt-in by providing their email addresses for future marketing communications.
- Contractual obligations: You operate a software company and collect user data to fulfill the terms of a subscription or service agreement.
- Legal obligations: As a tax consultant, you collect client information to comply with legal requirements for filing taxes.
- Vital interests: If you’re a healthcare provider, you collect medical data to protect the vital interests of your patients during emergency treatment.
- Public task: If you’re a government agency, you collect personal data to carry out functions that are necessary for the public good.
- Legitimate interests: As a retail store, you collect data for marketing purposes, assuming the customers have an existing relationship with your business.
Step 3. Get Permission To Collect and Use Data
If consent is your legal basis for processing consumer data, you must obtain explicit, legal opt-in agreement from users before collecting their personal data.
Ask for clear opt-in consent.
You must ask for consent using “clear and plain language” (Chapter 2, Article 7 and Chapter 3, Article 12). Users must actively agree to data collection (e.g., through a cookie consent banner).
Allow people to withdraw their consent at any time.
Users should be informed of their right to withdraw before consenting, and it should be as easy to withdraw as it is to consent (Chapter 2, Article 7).
Your website should provide a straightforward way for users to request a copy of their data, request that their data be deleted, and make any modifications to their preferences (Chapter 3, Article 15 and Article 17).
Step 4. Create a Compliant Consent Banner
A GDPR-compliant cookie consent banner informs your customers about data collection and allows them to choose before cookies are stored on their devices.
Your consent banner should:
- Clearly state that your website uses cookies.
- Explain the purpose of data collection (e.g., analytics, marketing).
- Provide a link to your cookie policy and privacy policy.
Offer clear choices
You must allow users to accept all cookies, reject all non-essential cookies, and customize their cookie preferences. Pre-ticked boxes are not permitted under the GDPR (Recital 32).
Step 5. Keep Records of Consent and Data Processing
The GDPR requires you to document user consent, which authorities may request (Chapter 4, Article 30).
Log user consent properly
Keep records that include when and how consent was obtained, what users were told at the time of consent, and any updates to preferences.
Maintain a data processing record
Your data processing record must include:
- Types of data collected.
- Purpose of processing.
- Data storage locations.
- Any data-sharing agreements with third parties.
Termly’s Consent Management Platform (CMP) helps you tackle these tasks by allowing you to capture, manage, and store user consent records.
Step 6. Publish and Maintain a Clear and Accessible Privacy Policy
A GDPR-compliant privacy policy ensures transparency about how your small business handles personal data by including key privacy components (Chapter 3, Article 13 and Article 14). Make sure your privacy policy is easily accessible on your website.
Your privacy policy must clearly state the following:
- Identity and contact details of the data controller or business
- Contact details of the Data Protection Officer (DPO), if applicable
- Purpose and legal basis for processing
- Categories of personal data collected
- Recipients of the data
- International data transfers
- Data retention policy
- Rights of data subjects and how to exercise them
Step 7. Ensure Compliance With Data Processors
Under Chapter 4, Article 28, data controllers (your business) must have a legally binding contract with any data processors (third-party vendors that process data on your behalf).
This contract is known as a Data Processing Agreement (DPA).
For example, if you run a marketing agency that uses third-party email marketing platforms to send out newsletters, you would need a DPA.
The platform processes personal data, such as client names, email addresses, and potentially other information like demographic data.
The DPA outlines the platform’s responsibilities to safeguard that data, specifying how it can be used, stored, and protected.
Establish a DPA that outlines:
- The scope and purpose of data processing
- Confidentiality obligations
- Security measures
- Sub-processor requirements
- How data is handled if the partnership ends
- Audit and compliance provisions
Step 8. Data Security Requirements
Build privacy and security into your business processes to protect personal data from unauthorized access, loss, or misuse (Chapter 4, Article 25 and Article 32).
Ensure your systems and processes:
- Minimize data collection
- Restrict access
- Use encryption and pseudonymization
- Ensure ongoing security monitoring
- Allow user control
By incorporating these safeguards, businesses comply with privacy by design principles and reduce the risk of data breaches.
Step 9. Regularly Review and Update Compliance Measures
GDPR compliance is a process that requires regular updates, and the burden of proof is on your business.
Conduct periodic compliance checks.
Review your cookie consent process, privacy policy, and third-party agreements.
Staying informed about the GDPR requirements is essential to ensure your small business remains compliant as new guidance emerges.
How the GDPR Impacts Small Businesses
Next, I’ll look closer at how the GDPR impacts small businesses so you can more easily understand, use, and apply the checklist.
What Is the GDPR?
The GDPR is a data privacy law that regulates how businesses collect, store, and use the personal information of individuals in the EU/EEA.
Scope of the GDPR
All businesses in the EU/EEA must comply with the GDPR.
Businesses outside the EU/EEA must also comply if they offer goods or services to individuals in the EU/EEA or monitor their behavior.
GDPR Requirements for Small Businesses
For your small business, complying with the GDPR involves several key requirements:
- Create a privacy policy that includes what personal data you collect, why you collect it, how long it’s stored and users’ rights over their information.
- If consent is your legal basis, obtain clear opt-in consent from users before collecting data by displaying a consent banner that allows users to accept, reject, or modify cookies.
- Establish a Data Processing Agreement (DPA) with any vendors processing data on your behalf covering the scope of the processing, confidentiality, data handling, and more.
GDPR Best Practices for Small Business
I recommend the following best practices to small businesses aiming for GDPR-compliance:
- Determine if GDPR applies to your business before taking action.
- Perform a privacy audit to help identify what personal data you collect, where it’s stored, and how it’s shared.
- Know your legal basis for data collection and inform users in a compliant privacy notice.
- Review and update your cookie and privacy policies.
To streamline compliance efforts, work with Termly to publish and regularly review your privacy policy and consent banner.
Fines and Penalties for Violating the GDPR
The Regulation outlines two tiers of fines depending on the severity of the violation in Chapter 8, Article 83:
- Up to 10 million euros or 2% of your global annual turnover (whichever is higher) for less severe violations, such as failing to keep proper records of data processing activities.
- Up to 20 million euros or 4% of your global annual turnover (whichever is higher) for more serious violations, such as not obtaining valid consent for data collection or disregarding data subject rights.
These penalties are designed to ensure you take data protection seriously and maintain strong compliance with the GDPR.
SOC 2 Compliance
System and Organization Controls 2 (SOC 2) is a voluntary compliance framework created by the American Institute of Certified Public Accountants (AICPA).
While not required by the GDPR, adopting it shows your commitment to data protection.
SOC 2 compliance is typically verified through an independent audit, and you can share the report with customers to build trust and show transparency.
For more information, visit AICPA’s SOC2 page.
Compliance Tips for Small Businesses
Staying compliant with the GDPR and other data privacy laws can be challenging, especially for small businesses with limited resources.
Here are my practical tips to help ensure you’re on the right track:
- Tip 1: Use Termly’s Solutions. Using online tools and generators like Termly’s Privacy Policy Generator help you save time and meet legal requirements.
- Tip 2: Limit the Data You Collect. Only collect data you need, as required by the GDPR. Stick to collecting data that is necessary to achieve the specific purposes as expressed to consumers in your GDPR privacy policy.
- Tip 3: Implement Strong Security Measures. Protecting your customers’ data is required by the GDPR, so invest in security measures like encryption, firewalls, and secure passwords to reduce the likelihood of a breach.
- Tip 4: Consult a Data Privacy Expert. If you’re unsure about the specifics of compliance, consider speaking to a data privacy expert. They can help guide you through the process, especially if multiple laws apply to your small business.
These tips can make GDPR-compliance more manageable and demonstrate your small business’s commitment to protecting customer data.
How Termly Helps Small Businesses With GDPR Compliance
We know that navigating compliance can be challenging, especially for small businesses with fewer resources, which is why we offer solutions to help with the GDPR requirements.
With our Privacy Policy Generator, you can create a customized, legally backed privacy policy that includes clauses that aligns with the GDPR standards.
Our Consent Management Platform (CMP) enables you to easily set up a GDPR-aligned cookie consent banner and record preferences so you can manage and track user consent effectively.
It also features a free Data Subject Access Request (DSAR) form, so you can offer a form to allow users to easily submit requests to access, correct, delete, or transfer their personal data.
For more details, explore Termly’s suite of GDPR solutions and take the first step toward ensuring your business is equipped to handle the GDPR and other data privacy regulations.
I get it — GDPR compliance can feel like a lot to keep up with.
Between managing cookie consent, updating your privacy policy, and ensuring you’re handling user data correctly, it’s easy to feel stuck.
But you don’t have to tackle it alone.
With Termly, you can automate the heavy lifting, from setting up a consent banner to generating policies and managing user preferences, so you can stay focused on running your business.
Disclaimer: Automated tools like Termly can streamline compliance, but consult a legal professional to ensure alignment with GDPR’s nuanced requirements.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
