‘If your company is ready for GDPR (General Data Protection Regulation), please raise your hand’: the chairman asked the participants of the GDPR congress organized by Heliview. Guess how many people raised their hands?  Right, no one. The audience was full of representatives of large international businesses and public organizations, like ministries and such. Only lazy people have not been talking about GDPR last months and it seems like mostly large companies are very concerned about this new privacy regulation which will come in action on the 25th of May 2018.

But what if you  own a small business with a couple of employees? Or what if you are a solopreneur, a blogger, or a freelancer with a small e-mail list? Do you need to comply with GDPR? The answer is YES.

In the past few months I have investigated GDPR in depth, mostly in the context of data management. Also, my focus lied on large organizations, as I work in a large bank. I even wrote an e-book on a strategy which would help a business comply with GDPR. But believe it or not, only a couple of days ago I’ve realized that I also needed to do something about my own small (freelance consulting) business. I have a few opt-in forms on my website, and an e-mail list of a few hundred people. My Privacy Policy was written quite a while ago and needed some serious revision.

In this blog, I have summed up the top 5 GDPR tips for small businesses, based on what I did myself in the context of my own business. Are you a blogger, run a online webshop, or own a different small business, keep on reading and get in action!

1. Think what kind of personal data do you have and where it is stored.

When we talk about personal data, we mean data that identifies a natural person, such are you and me. Think of your customers, clients or subscribers, their names, addresses, e-mail addresses, contracts where names and addresses are mentioned. Photos of faces are also personal data, as well as comments that are left on your blog. In general, all data that could lead to the identification of a person is subject to GDPR requirements.

You should also think about the location of this data. You are probably using hosting services for your website or use some cloud applications (for example e-mail marketing software, such as Mailchimp) for gathering and keeping your client information.  Excel sheets with names and addresses of your clients should also be taken into account, even if you have only saved it as a draft on your personal laptop.

As soon as you know exactly what data you have and where it is located, it is time to make the next step and update your private policy.

2. Update your privacy policy.

It doesn’t matter whether you already have a privacy policy or not. You should either update the existing one or to create a new one. If you collect leads (possibly by offering free content), send out marketing emails or newsletters, or have contact forms which require filling in personal data, you can search for some standard policies at Internet. There are various websites that offer free policies, some require you to answer a few questions first in order to set up a policy that fits your activities.

For my website DataCrossroads.nl, I used a combination of several sources for my privacy policy. I would definitely recommend you to check out the following websites:

it provides a list of 12 best sites where you can download standard policies. Not all of them are free of charge. Some of them, like Shopify for example, focus on specific industries or countries

It is a German website, but don’t worry their policies are in English. I used the template provided on this site as the base, as in my opinion it was provided the most complete and elaborate version. The template takes into account a lot of typical different situations when you get personal data from your contacts.

When updating your policy, the following aspects are very important, so pay some special attention to them:

  • Which data are you collecting and in which situations;
  • What are the purposes of the use of the collected data;
  • How you satisfy the rights of data subjects (as defined in GDPR).


My last tip is: look up privacy policies of large corporations from your industry, or run a business similar to yours and see if you have missed out on any points.

3. Sign a data processing agreement with your website host and other parties that access your data. 

It is important to know in which part of the world your host keeps their servers, and consequently the personal data of your contacts. You will need to sign the data processing agreement with them. Also, don’t forget about other cloud services that might be storing your clients’ data.

According to GDPR, if you collect the information, you play the role of Controller. You delegate the responsibility to the Processor, in our case your website host, to process the data on your behalf. Be aware, in case of data leak you still will be accountable for that. It is important for you to sign the data processing agreement with your Internet services provider.

I was pleasantly surprised by multiple e-mails from Mailchimp – my e-mail marketing service, which collects and stores my e-mail lists.

When all of the preparatory paperwork is done, you still need to think about your existing contacts.

4. Send a request for consent to your existing contacts.

According to GDPR, after the 25th of May, you are only allowed to keep personal information of people, who have given you explicit written consent for keeping and using this information. So, what you need to do to ensure having received this consent, is to write an email where you request your contacts to (once again) allow you to use their data after 25th of May. Do not worry, they do not have to sign a contract or anything like that, checking the box on a contact form is already considered written consent. Keep in mind that you should be able to download the list of the ‘checked boxes’ as proof.

Now, the preparations are done, but what will you do on 25th of May and the days after?

5. Clean up your database with personal data and update your site

Officially, if your contacts haven’t given you explicit consent to keep their personal data, you need to delete their data on the 25th of May. It’s up to you, but I would strongly advice you to send some info or newsletters to people that haven’t given you their consent yet.The more people you can ‘keep’ the better, right? It is definitely worth a few extra e-mails!

After May 25th, you should also check your website’s functionality. You have to be sure that in the future all the new users will be able to give consent every time they share with their personal data. It means double checking all contact forms, opt-in forms, and pages where people have to enter their e-mail to get free content. Also, do not forget to put a link to your brand new privacy policy somewhere on your website (the footer is a great place for that)!

I hope that after reading this, GDPR has become a bit less scary, and that you now have a good idea about what you still have to do in  the following couple of days! Good luck!

free ebook gdpr data management
[ultimate_spacer height=”50″]

Oh, and if you want to read more on GDPR and how to large businesses are preparing for it, make sure to download my FREE e-book GDPR meets Data Management.

[ultimate_spacer height=”50″]