How does GDPR affect small businesses?

What you as a business owner should know

Ipshita Guha
8 min read · Jul 21, 2021


If you have a small business or even a side hustle, today it is rather simple to reach out to a wider audience. You can position your product or service to a global market from the confines of your home. And you can choose to serve a precise slice of a segment.

All you need is a website up and running; then set up your social media channels and start posting to reach your target audience. Wix and WordPress are effortless ways to create a website with zero external help. Digital marketing experts like Neil Patel and Brian Clark are blunt about the need to create an email list. It is like getting explicit permission to connect with your prospects. You can build your list using your website, and there are simple add-ons and plug-ins to do the job for you.

If you are using something like Kajabi, you can offer courses, sell coaching services and the like. Imagine your own shop selling products wherever your prospects and customers are, operating an entire shopfront from order to payment and delivery through a simple interface. The possibilities are limitless and it is exciting.

Digital media and online services are evolving which is empowering and exhilarating for small business owners like us. But the business environment is evolving too and we must adequately familiarize ourselves with the changes and their impact on our operations.

In this post, I want to call your attention to the EU’s General Data Protection Regulation (GDPR) law and how it can affect you if you are transacting with someone residing in the EU or an EU citizen residing anywhere in the world. Forewarned is forearmed.

Let us assume that person X owns a house in Germany. If there is a dispute about the land with the neighbors or the records of the property are challenged, a German court of law will be the legal authority presiding over the case, because the land is in German territory and the opposing parties also reside in Germany.

Consider an alternate scenario. A German citizen purchases a valve or motor sold online by a website. The buyer accepts all the cookies while browsing the website. These cookies start tracking the buying behavior of this individual and share it with other entities residing in a different country.

How will this buyer protect his privacy?

Which country’s law will be effective when a large volume of data is stored in cloud-based servers?

[Image: a brown board with scattered Scrabble tiles, three of them forming the word LAW. Photo by CQF-Avocat from Pexels]

When the Internet came into existence, it offered astonishing opportunities for individuals and businesses. The gradual development of the technology and the transformation of how business operates created newer opportunities on one hand, while slowly but severely compromising the privacy and security of individuals, often without their knowledge.

Corporate entities protected themselves from legal implications by creating complex privacy policies displayed on their websites. There is nothing wrong with that.

The legal language and terminology are intricate and can be competently interpreted only by legal experts. This left the average user of the services open to loss of privacy and security.

Identity theft and credit card fraud have become commonplace.

There is a need to protect individuals.

General Data Protection Regulation (GDPR) is one of the leading privacy and security laws in the world, drafted and passed by the European Union. The law came into effect on May 25th, 2018. Laws are usually restricted to the geographical boundaries of a nation, but the nature and scope of GDPR are complex, and so is its reach.

Tenet of GDPR

The layperson’s explanation of GDPR would be that the law reads the privacy policies of websites on behalf of individuals and protects the privacy and security of EU citizens across the planet.

The right to privacy is not new. It has been in existence since the 1950s under the aegis of the European Convention on Human Rights.

Laws are supposed to be relevant and responsive to the changes in the environment. They must evolve with the evolution of technology and systems in the world.

The Internet is one such change. It has caused a ripple effect of transformation in many existing businesses while giving rise to newer ones like machine learning, artificial intelligence, predictive analysis, and recommendation engines.

Simply clicking on an “Accept” button at the end of a complicated privacy policy does not constitute informed and explicit consent.

If the services and facilities used by citizens are inadvertently compromising their privacy and security, the laws of the land must protect them by putting legal safeguards in place. The provisions in the law must hold entities accountable for collecting personal data and using it for any kind of business transaction without detailed and explicit consent.

Here’s a question for you.

If a company is giving away free samples of milk to citizens and they come forward to accept the samples, does it allow the company to experiment with a new ingredient or additive without disclosing its effect on the consumer?

The company might argue that the sample was distributed for free and there was no exchange between the two entities. This is the logic used by most digital companies, services, websites, and mobile applications to justify the collection of personal information using cookies.

The marketing term is “enhancing customer experience”, but the ulterior motive is to run predictive analysis and create a digital profile of the user. Facebook owns Instagram, Google owns YouTube. They are profiling users with unnerving accuracy, as you can see when you observe the recommendations.

One of the inducements behind GDPR could be the surreptitious behavior of certain businesses that take advantage of citizens’ (and users’) ignorance, or of their inability to foresee the full impact of their actions.

The Scope of the Law and Impact on SMEs

As a small business owner, you must be aware of the impact of the law on your business.

There is a steep fine for companies violating the GDPR law. According to the provisions of this law, the defaulting party might be charged up to EUR 20 million or 4% of the global revenue of the business, whichever is higher. The fine is a huge deterrent. Small businesses and owners must be acutely alert to any violations.

The other provision of the GDPR law allows the aggrieved party to separately sue the company. It is the responsibility of the SMEs to consider the impact of GDPR on the business and create appropriate checks and balances to comply with the law.

Owners must be aware that the law protects all EU citizens and residents, even those living anywhere outside the region.

If an SME is supplying any goods or services to these sets of people then they are bound by the GDPR law. This is applicable since the SME will have access to personal data shared by the buyer while paying for the transaction or due to accepting cookies while browsing the SME’s website.

Does it affect you, dear SME owner?

Yes, it probably does, since you might be collecting some amount of data through your website. Even a simple email address collected to send a newsletter or to let someone download a resource like an eBook counts.

Based on the seven protection and accountability principles outlined in Article 5.1.2, the core theme is transparency for the data subject, security, and accountability of the data controller.

SMEs are at a higher risk because they are often dependent on third-party cloud services and payment service providers to manage, process, and store their data. It also adds to the cost of operations for the SME.

The GDPR law allows some concessions for SMEs, such as on the appointment of a Data Protection Officer. If processing personal data is not a core business offering of the SME, it is exempted from appointing a Data Protection Officer. This is a specific exemption.

The other provisions of GDPR are still effective on SMEs and all other entities of various sizes.

The bottom line for SMEs is to define and demonstrate data protection by using the latest technology. There is enough ambiguity in the standards of this demonstration and its effect on SMEs.

The law is not one-sided.

GDPR allows for the processing of personal data under certain conditions like unambiguous consent, the existence of a legal contract, court order, public interest and to save somebody’s life.

As an SME owner, you should document the logic, reasoning, or argument in favor of data processing and share it with the data subjects as a precaution and advance notice, to avoid litigation.

The focal point of this law is an exchange of data between a data subject (user, viewer, website visitor) and a data controller/ processor (the company) based on consent.

GDPR is clear about consent.

The request for consent must be in plain language which is unambiguous and can be comprehended by average data subjects (users, viewers, audience). Small businesses must seek specific consent and use the data only for that purpose.

You can demonstrate transparency through the use of language and simplicity of the consent document exemplifying the intent of the company to empower the data subject.

If you want to send newsletters to a data subject, seek consent specifically for that and do not use the consent for any other activity like sending alerts of sales or promotions.

Your data subjects must have the right to revoke consent and to have their data removed from the database.

How should you prepare to be GDPR compliant?

The first line of defense should be precise documentation of consent, data collection, data protection measures, security checks and logs, and a timeline of updates with the reasons for each.

SMEs must document the list of data collected and justify how each data element is important for the business.
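The consent handling described above (consent sought per purpose, used only for that purpose, revocable, with erasure on request) and the documentation of consent, as an added example that is not code from the original post. The ledger, the purpose names and the audit key are assumptions of mine; the audit trail stores a keyed pseudonym instead of the address so that it survives erasure without holding personal data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Placeholder key (assumed for this example): in production load it from a key store.
AUDIT_KEY = b"replace-with-a-secret-from-your-key-store"


def pseudonym(email: str) -> str:
    """Keyed hash so the audit trail survives erasure without holding the address."""
    return hmac.new(AUDIT_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class ConsentLedger:
    consents: dict = field(default_factory=dict)   # email -> {purpose: True/False}
    audit_log: list = field(default_factory=list)  # (utc time, pseudonym, action, purpose)

    def _log(self, email: str, action: str, purpose: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, pseudonym(email), action, purpose))

    def grant(self, email: str, purpose: str) -> None:
        """Record consent for one named purpose; nothing else is implied by it."""
        self.consents.setdefault(email, {})[purpose] = True
        self._log(email, "grant", purpose)

    def revoke(self, email: str, purpose: str) -> None:
        """Withdrawal is recorded, not silently deleted, so the timeline stays documented."""
        self.consents.setdefault(email, {})[purpose] = False
        self._log(email, "revoke", purpose)

    def may_use(self, email: str, purpose: str) -> bool:
        """Purpose limitation: consent to 'newsletter' does not cover 'promotions'."""
        return self.consents.get(email, {}).get(purpose, False)

    def erase(self, email: str) -> bool:
        """Erasure on request: drop the subject's record, keep only a pseudonymous trace."""
        existed = email in self.consents
        self.consents.pop(email, None)
        self._log(email, "erase", "*")
        return existed

    def recipients(self, candidates: list, purpose: str) -> list:
        """Filter a send list down to subjects who consented to exactly this purpose."""
        return [e for e in candidates if self.may_use(e, purpose)]
```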

The eighth privacy right of data subjects, stated in a single line of the law, concerns automated decision making and profiling. This is the biggest privacy and security concern, as services like Netflix and YouTube amass and process a huge chunk of individual data to feed their algorithms and run their recommendation engines using predictive analysis. It is said that every Netflix user sees a customized homepage entirely driven by personal usage data.

If you are in the e-commerce business, you might use predictive analytics to present more offers to your target customers. Such an option is possible only through careful collection and processing of data that helps identify the data subject.

In a real-world situation, even with the best of intentions and the deployment of technology and security measures, there is always a chance of a data breach. If this unfortunate event occurs, SMEs must notify their data subjects of the breach within 72 hours.

The Way Forward for SMEs

The measures are stringent and demonstration of compliance is not only expensive but complex. The law is always open to interpretation and companies cannot feign ignorance.

Thomas Jefferson believed that

Ignorance of the law is no excuse in any country. If it were, the laws would lose their effect, because it can always be pretended.

It is John Selden, the British legal antiquarian and politician, who gave an exhaustive view on laws by stating that “ignorance of the law excuses no man; not that all men know the law, but because ’tis an excuse every man will plead, and no man can tell how to refute him.”

It is highly recommended that SME owners like you read the entire law and get an expert opinion from lawyers about its possible impact in the context of your business.

Owners should either dedicate an individual or retain an agency to track GDPR-related issues occurring around the world, advise the company on setting up defense mechanisms, and help it demonstrate compliance.

The bottom line for SMEs is to be careful about collecting and processing data from EU citizens and residents. Privacy and security are rising concerns and lawmakers are serious about protecting individual rights.

I write about small businesses, health, and life as I see it on Medium, LinkedIn, and my website.


In quest of living my unlived life | Linkedin:/ipshitabasuguha | Twitter:@ipshitaguha | Insta: @theipshitaguha