GDPR Compliance Guide for Small Businesses & Websites

GDPR — the General Data Protection Regulation — sounds intimidating. Hundreds of articles about it are written for compliance officers at large corporations. This one is different: it's written for solo founders, small business owners, freelancers, and developers who just want to understand what they actually need to do to comply, without the corporate legal jargon.

⚠️ Important disclaimer

This guide provides general educational information about GDPR, not legal advice. For specific compliance decisions for your business, especially in regulated industries, consult a qualified lawyer familiar with EU data protection law.

Does GDPR Apply to You?

This is the question that trips up many non-EU businesses. GDPR has extraterritorial reach — it doesn't just apply to businesses located in the EU. It applies to any organization that:

Offers goods or services to people in the EU (even for free), OR
Monitors the behavior of people in the EU (e.g., using analytics or tracking pixels on your website)

So if you're a developer in Nigeria running a SaaS app, a startup founder in India with EU customers, or a blogger in the US whose content attracts European readers — GDPR likely applies to you. The fact that it applies doesn't mean you'll be immediately fined; regulators generally prioritize larger violations. But ignorance isn't a defense, and compliance is both achievable and important.

GDPR Basics: The Core Principles

GDPR is built on seven core principles that should guide every data processing decision you make:

Lawfulness, fairness, and transparency — You must process data legally, fairly, and be open about what you're doing
Purpose limitation — Collect data for specific, explicit purposes, and don't use it for something else later
Data minimisation — Only collect what you actually need
Accuracy — Keep data accurate and up to date
Storage limitation — Don't keep data longer than necessary
Integrity and confidentiality — Protect data using appropriate security measures
Accountability — You must be able to demonstrate your compliance

Legal Bases for Processing Data

One of the biggest differences between GDPR and earlier privacy regimes is that you can't just collect and use data freely. Every data processing activity needs a legal basis — a specific justification under GDPR. The six legal bases are:

1. Consent

The user has given clear, specific, informed, unambiguous consent to the processing. This sounds like the obvious one, but it's actually harder to rely on than most people think. Under GDPR, consent must be freely given (not bundled with service terms), specific (for each purpose), informed (user must know what they're consenting to), and revocable (users can withdraw at any time). Pre-ticked boxes and vague consent language don't count.

2. Contract performance

Processing is necessary to perform a contract with the user, or to take pre-contractual steps at their request. If someone creates an account on your SaaS platform, you can process their name and email to provide the service — that's contract performance.

3. Legal obligation

Processing is required to comply with a legal obligation. For example, keeping financial records for tax purposes.

4. Vital interests

Processing is necessary to protect someone's life. Rarely applicable for standard websites.

5. Public task

Processing is necessary for a task carried out in the public interest. Usually applies to government bodies.

6. Legitimate interests

Processing is necessary for your legitimate interests (or a third party's), provided those interests are not overridden by the user's rights and interests. This is the most flexible basis and is commonly used for things like fraud prevention, security monitoring, or direct marketing (with existing customers). It requires a balancing test.

💡 Which basis should you use?

For most small businesses: contract performance for account management and service delivery; legitimate interests for analytics and security; consent for marketing emails. Don't just pick "consent" as your default — it comes with ongoing obligations that legitimate interests may not.

User Rights You Must Respect

GDPR gives individuals eight data rights. As a data processor, you must be able to honor requests to exercise these rights, typically within 30 days:

Right of access — Users can request to see all data you hold about them
Right to rectification — Users can ask you to correct inaccurate data
Right to erasure ("right to be forgotten") — Users can ask you to delete their data
Right to restriction of processing — Users can limit how you use their data
Right to data portability — Users can request their data in a machine-readable format
Right to object — Users can object to processing based on legitimate interests
Rights related to automated decision-making — Users have protections against purely automated decisions that affect them significantly

Privacy Policy Requirements Under GDPR

GDPR mandates specific content in your Privacy Policy. Under Articles 13 and 14, when collecting data from users, you must disclose:

Your identity and contact details (and your DPO's, if applicable)
The purposes and legal basis for each data processing activity
Legitimate interests relied upon (if that's your basis)
Any recipients or categories of recipients of data
Transfers to third countries and safeguards used
Retention periods (or the criteria used to determine them)
All applicable user rights and how to exercise them
The right to withdraw consent at any time (where processing is based on consent)
The right to lodge a complaint with a supervisory authority
Whether provision of data is a contractual/statutory requirement

🔒 Get a GDPR-ready Privacy Policy free

LegalyJet's Privacy Policy generator creates a document that addresses GDPR requirements — personalized to your actual business, not a generic template. Generate free →

GDPR Fines: How Serious Is This?

GDPR has two tiers of fines:

€10M

Or 2% global turnover — for less serious violations

€20M

Or 4% global turnover — for the most serious violations

Those numbers are for the largest companies. In practice, most small business fines are far lower — typically thousands to tens of thousands of euros. But even smaller fines are painful, and reputational damage from a public GDPR enforcement action can be worse than the fine itself.

Importantly, regulators rarely go after well-intentioned small businesses that are making genuine efforts to comply. Their focus is on systematic violations, careless handling of sensitive data, and organizations that ignore their obligations entirely. That said, "we didn't know" is not a defense, and getting basic compliance right isn't difficult.

Your GDPR Compliance Checklist

For a typical small business website or SaaS product, here's what you need:

✓
GDPR-compliant Privacy Policy — covers all required disclosures under Articles 13/14
✓
Cookie consent mechanism — for non-essential cookies (analytics, advertising), you need prior informed consent from EU users
✓
Clear legal basis identified for each type of data processing
✓
Process for handling user rights requests — access, erasure, portability within 30 days
✓
Data retention schedule — know how long you keep each type of data and why
✓
Data Processing Agreements (DPAs) with third-party processors (your analytics provider, email service, hosting, CRM)
✓
Security measures — encryption in transit, access controls, regular updates
✓
Breach notification procedure — plan for how you'd report a data breach within 72 hours
✓
Consent records — if relying on consent, document that consent was given and when
✓
Data minimisation review — only collect data you actually need and use

Cookies and GDPR

One of the most visible aspects of GDPR compliance is cookie consent. Under GDPR and the ePrivacy Directive, you may only place non-essential cookies on a user's device after obtaining their explicit, informed consent.

Essential cookies (needed for the website to function — session cookies, login cookies) don't require consent. Non-essential cookies (analytics, advertising, personalization) do.

This means: if you're running Google Analytics on your EU-facing website, you need a cookie consent banner that gives users a real choice to decline analytics cookies before they're placed. The "by continuing to use this site, you consent" approach is explicitly not valid under GDPR.

Third-Party Services and GDPR

Every third-party tool you use that processes user data makes you a data controller with responsibilities. You need Data Processing Agreements with these services. Most major providers already have these ready:

Google Analytics — Data Processing Agreement available in GA settings
Stripe — DPA available on request
Mailchimp — Data Processing Agreement in place
AWS / Google Cloud / Azure — All offer standard DPAs

The key rule: if a third party is processing personal data on your behalf, you need a written agreement covering what they can do with that data.

Where to Start: Priority Actions

If you're starting from scratch, focus on these three things first:

Write a proper Privacy Policy that covers GDPR requirements. Use LegalyJet to generate a personalized one for free.
Add a cookie consent mechanism. If you use Google Analytics or any advertising tools, you need proper consent from EU visitors before those cookies are set.
Map your data flows. Know what personal data you collect, where it goes, how long you keep it, and what your legal basis is. Even a simple spreadsheet covering these questions puts you ahead of most small businesses.