GDPR for Small Businesses: A Beginner's Guide to GDPR Compliance Requirements

Featured Image

Whether you’re a small business owner or a legal expert at a startup, addressing GDPR compliance can be a challenge when you’re not familiar with the basic requirements of the law. No worries. We’ve got you covered! Our beginner’s guide to the GDPR for small businesses includes tips, best practices, and everything you need to know to get started with your GDPR compliance program today.

GDPR 101

The General Data Protection Regulation (GDPR) is a global privacy law created by the European Union (EU) that regulates how businesses collect, handle, and protect personal data. This law took effect on May 25, 2018, and is a binding legislative act designed to strengthen privacy rights by giving data subjects control of how their Personally Identifiable Information (PII) is obtained, used, and shared.


Despite the scale of the EU GDPR, there is no exemption for businesses of any size. In general, businesses that process personal data or Personally Identifiable Information (PII) are subject to the rules and requirements of the GDPR. The GDPR restricts small business owners from collecting an individual’s contact information from a business card, LinkedIn profile, or general interaction without their direct consent. So even if they have less than 250 employees, small businesses still need to be GDPR-compliant and designate a data protection officer (DPO) if they plan to leverage any personal data collected.

However, for most U.S. based small businesses, there may be limited exemptions from specific requirements within the GDPR. For example, small businesses that occasionally process the personal data of EU residents may be exempt from extra record-keeping responsibilities. Additionally, exemptions may apply to small businesses that rarely offer goods or services to consumers in the EU.


First, let’s get familiar with some basic GDPR terms.

A Data Subject is any person who has their data collected, held, or processed by a controller or processor.

A Data Controller refers to the entity responsible for determining the purpose and lawful basis for processing personal data.

A Data Processor, who collaborates with the Data Controller, refers to the individual responsible for processing personal data on behalf of the controller.

Processing involves any automated or manual operation or set of operations performed on personal data or sets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.

Personal data refers to any information related to an individual or data subject that can directly or indirectly identify that person as it relates to their private, professional, or public life, including a name, email address, photos, or even bank statements.

Obtaining the consent of the data subject refers to any “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them. Data subjects can provide consent with either a statement or explicit affirmative action.


Collection & Processing – The GDPR notes that the collection of personal data must be accurate, gathered legally, and processed in a way that ensures security. Article 6 requires data controllers and even businesses, from large enterprises to small businesses with less than 250 employees, to establish a lawful basis for processing personal data, such as the informed consent of the data subject, processing regarding a contract, or an organization’s legitimate interest that poses minimal risk to data subject rights.

Consent – As outlined in Article 7, all businesses are required to demonstrate informed, freely given consent from any data subject when processing, collecting, storing, or using their data.

Security – Articles 23, 30 and 32 require companies to protect consumers’ data and privacy against loss or exposure by implementing the appropriate data protection measures.

Data Breach Notification – In the event of a data breach, controllers are required to notify Supervisory Authorities within 72 hours (Article 33 – 34). This notification must include specific details regarding the breach, including its nature and the approximate number of data subjects affected.

Data Protection Impact Assessments (DPIAs) – Under Article 35, companies subject to the GDPR are required to conduct a DPIA on their processes to identify risks to consumer data, especially in certain circumstances where processing may result in a “high risk to the rights and freedoms” of individuals when processing a large number of “special categories of data”. Businesses should complete this assessment before they begin to process any new personal data to ensure that data protection and privacy are in place by default or by design.

Data Protection Officer  (DPO) – Article 37 requires companies to hire or appoint one or multiple DPOs to ensure consistent compliance with GDPR requirements. The individual in this role is responsible for training and educating employees on the latest regulatory requirements, and acts as the liaison between the company and supervisory authority, and the company and data subjects.


Step 1: Create an Action Plan to Operationalize Your Privacy Program

Preparing small businesses for GDPR compliance starts with evaluating the existing privacy program to determine regulatory compliance is required. Conduct a readiness assessment to identify areas that are already adhering to the GDPR, followed by a risk assessment, such as the Data Protection Impact Assessment (DPIA), to identify and analyze the potential impact of risks and data privacy issues for consumers and their business. These assessments not only help to develop an action plan for compliance but also helps to ensure that the company safeguards against future high-risk processing activities.

Step 2: Establish a Processing Register

Next, map and inventory consumer data to understand what is collected and why. Under Article 30 of the GDPR, controllers and the controller’s representatives must maintain a record of processing activities.

Furthermore, businesses must audit their data and service providers to understand what they are collecting, how it is processed, how it flows, and which of their vendors are using that data. This step will help small businesses keep a centralized and up-to-date single source of truth of the processing activities for all personal data held within the company.  This inventory, in addition to a data map, will also help to identify other businesses and organizations that are controlling, processing, or storing personal data on behalf of one’s company and provide insight into how personal data flows both internally and externally across the organization.

Step 3: Demonstrate Proper Consent

When it comes to consent, small businesses look to prove to authorities that consent is requested and appropriately obtained. As previously mentioned, businesses are required to demonstrate that they have received informed, freely given consent from data subjects through a clear and specific request. So, when building consent request forms, make sure it is easily accessible and comprehensible. Requests for consent should not hide within lengthy contracts or terms of service, but in an easy-to-use opt-in mechanism that clearly distinguishes the request for consent. Also, data subjects can withdraw consent at any time, so a consent request form should also inform consumers of how they can withdraw their consent through the same way they gave consent.

So, when building a consent request form, consider:

  • Reviewing the process for obtained consent and ensure it meets GDPR requirements
  • Review and update privacy policies and notices to clearly state the request for consent
  • Look into providing consumers with a granular set of consent options, such as medium or frequency of communication

Step 4: Manage Data Subject Access Requests

Once a consumer grants proper consent, small businesses will then begin to experience an increase in Data Subject Access Requests (DSAR). The GDPR gives consumers a set of core rights that they can leverage at their discretion, including the right to access, the right to rectification, the right to delete, and the right to export. Small businesses that are holding the personal data of consumers must be prepared to manage consumer rights requests as they are submitted, whether manual or automated.

When a data subject request is submitted, there are three steps to check off the list.

  • Submitting Requests. When a data subject decides to submit a request, they must be able to do so manually or electronically in a commonly used format. They also should not have to include an overwhelming amount of information when submitting their requests, so take the time to create a request form that gathers the necessary information needed to fulfill the request.
  • Validation. One of the biggest challenges with receiving data subject requests is validating the individual making the request. In order to ensure the release of personal data to the individual it belongs to, take the time to validate that the individual making the request is the one who should be receiving the information.
  • Fulfillment. Once a request is received and validated, present the requested information without undue delay within one month. However, if small businesses receive an excessive and complex number of requests, under the GDPR, they can extend their fulfillment deadline to 3 months.

Step 5: Remediate Vendor Risks

With a small business, it is common to have several vendors involved in business practices and processes. However, they may not be GDPR-ready. Article 28 of the GDPR requires businesses to establish processing agreements between data controllers and processors to ensure they fulfill GDPR mandates. As the marketing, product development, and IT teams continue to evaluate and partner with various third parties, make sure they meet the same bar of GDPR-compliance. Take the time to create a list of vendors receiving data and identify if that vendor is a controller or processor. Once complete, small businesses can develop a plan to ensure both parties have a plan to be ready for the GDPR.

Step 6: Data Breach Notification & Reporting

Last, but not least, the GDPR addresses notification and reporting requirements in the event of a personal data breach. As defined in Article 4 of the GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” So, when this type of breach occurs, one must report the breach to supervisory authorities within 72 hours and notify the affected data subjects whose rights are at risk. At a minimum, small businesses who experience a data breach much include in their notification:

  • A description of the nature of the personal breach
  • The name and contact details of the DPO or other points of contact to obtain more information regarding the breach
  • A description of the possible and likely consequences of the personal data breach
  • A description of the measures taken or proposed to address the personal data breach, including measures to mitigate any adverse effects


Taking the initiative to build a GDPR-compliant privacy program can give small businesses a considerable advantage when it comes to proving compliance. Those that have not, and are deemed non-compliant, are more susceptible to incur reprimands, temporary or permanent bans on data processing, orders to restrict or erase data, or the suspension of data transfer to third countries by supervisory authorities. Article 83 of the GDPR warns businesses against potential violations and penalties with discretionary fines (imposed on a case-by-case basis) that ensure companies handle personal data in a legally and ethically. These fines include:

  • Up to €10 million ($11 million) or 2% of annual global turnover
  • Up to €20 million ($23 million) or 4% of annual global turnover


As many small businesses strive for full GDPR compliance, take a moment to consider an essential list of “dos” and “don’ts” to help ensure privacy and security teams are on track for success.


  • Collect information on a legal basis
  • Collect minimal data
  • Be transparent about who collects the data, how it is processed, and purpose of use
  • Implement safeguards for any automated data processing
  • Make it easy for data subjects to withdraw their consent
  • When requested, erase data immediately
  • Develop comprehensive and transparent policies and procedures for collecting and processing data


  • Do not ignore requests from individuals
  • Do not mislead consumers on the use of their data
  • Do not collect sensitive personal data, unless necessary
  • Do not disclose personal data without express consent from that individual

Although this may seem like a lot to prepare for compliance, there is no need to panic. Small businesses that are collecting or processing data regularly can achieve compliance. With the help of OneTrust Pro, small businesses can make GDPR compliance easy while adding value to the business. Do not delay. Start the journey towards GDPR compliance with

Onetrust All Rights Reserved