The one idea that makes GDPR make sense
If you just started a business and you’re reading about GDPR for the first time, you probably picked up a vague sense that there is a lot of paperwork, some fines, and some cookie banners. That picture is mostly noise.
The signal is simpler. GDPR has one core idea: be transparent with people about what you do with their data, and only do what you said you’d do. Everything else, the registers, the policies, the agreements, the rights, the breach reporting, all of it, is plumbing that exists to make that one idea real.
If you internalise that, the minimum gets a lot less intimidating. You don’t need a privacy lawyer. You don’t need a consultant. You don’t need a DPO. You need to be honest, in writing, with the people whose data you hold, and you need to be able to keep that promise when something goes wrong.
This article gives you the smallest, honest version of GDPR for a brand-new business. Five must-do’s grounded in transparency, a day-one checklist, a short guide to what shifts depending on the type of business you run, and a map for how to mature as you grow.
The minimum, in five must-do’s
These five cover what transparency actually requires on day one. Each one is something a regulator, a customer, or an angry ex-employee can ask you to produce, and you should be able to produce it without scrambling.
1. Know what data you hold (three core dossiers)
You can’t be transparent about something you haven’t catalogued. Before you write a privacy policy or sign anything, you need an honest answer to: which personal data flows into my business, why, and from whom?
Split it into three dossiers. Each dossier is organised by business process, and the data items live inside the processes that use them. That ordering matters: a process is what gives the data its purpose, legal basis and retention, so capturing the process first is what makes the rest of GDPR fall into place.
- Customer Dossier. The processes you run to find, sell to and serve customers (onboarding, billing, support, marketing, account management), and the data items each one touches: names, emails, addresses, billing data, support tickets, account data.
- Staff Dossier. The processes you run to hire, pay and manage staff (recruitment, employment, payroll, sickness, evaluations, time tracking, offboarding), including contractors and freelancers, and the data each process uses.
- Third Party Dossier. The processes that touch people at suppliers, partners and prospects (procurement, vendor management, partner enablement, prospecting), and the personal data those processes hold (the accountant’s bookkeeper, the agency’s client contact, the vendor’s account manager).
For each process, capture: what it does, why you do it (purpose), on what legal basis (consent, contract, legal obligation, legitimate interest), which data items it uses, how long they’re kept, and who else sees them (your hosting provider, your email tool, your accountant).
GDPRWise builds these three dossiers for you through a guided setup that starts with the processes and pulls the data items in from there; you can also do it on a spreadsheet if you prefer. What matters is that the process-level register exists before the policy does.
2. Name a Privacy Coordinator
GDPR transparency includes being reachable. People whose data you hold have the right to ask questions, file complaints, and exercise rights (access, rectification, deletion, portability). They need to know who to write to, and that name belongs in the privacy policy you publish in step 3.
You don’t need a formal DPO. For almost every SME, a Privacy Coordinator is enough: one named person inside the business who owns GDPR. Their job is to keep the dossiers current, take incoming privacy questions, and own the relationship with your supervisory authority if anything goes wrong.
Set up privacy@yourcompany.com and monitor it. Put both the coordinator’s name and the address in the privacy policy and the website footer.
3. Publish a tailored privacy policy
The privacy policy is the promise. It tells visitors, customers, and staff what you do with their data, who handles it, and what they can do about it.
The two failure modes are equally common. The first is having no policy at all. The second is copying one from another business and slapping your name on it. A regulator can read both your policy and your actual processing, and if they don’t match, the policy is worse than useless.
A compliant policy reflects your dossiers: your processing activities, your legal bases, your vendors, your retention periods, your contact details, and the Privacy Coordinator from step 2. It lives at a top-level URL, linked from the footer of every page on your site, never buried inside terms and conditions.
If you’ve done steps 1 and 2, GDPRWise generates the policy from your dossiers with the coordinator pre-filled. Read Drafting a privacy policy for the full structure.
4. Train the staff who handle personal data
A policy on the website is only as good as the people executing it day to day. The most consistent source of breaches is not hackers; it is staff: phishing clicks, BCC-vs-CC mistakes, attachments sent to the wrong recipient, weak or shared passwords, unencrypted laptops taken home, client data pasted into the wrong chat window.
For a new business, the minimum is short and cheap:
- Anyone who handles customer, staff, or third-party data goes through a basic privacy and security awareness session before they touch real data.
- The same session is refreshed once a year.
- New joiners get it during onboarding.
It doesn’t need to be a formal LMS rollout. A 30 to 60 minute walkthrough covering phishing, password hygiene, two-factor authentication, safe handling of personal data, and what to do when something goes wrong is enough at this stage. Track attendance so you can prove it later.
Read The human factor in data breaches for the full picture of why this matters and what a defensible programme looks like.
5. Get cookies right, or skip them
Cookies that can identify a visitor process personal data. Under GDPR plus the ePrivacy Directive, you need informed consent before any non-essential cookie is set, and rejecting must be as easy as accepting.
The honest minimum has two acceptable shapes:
- Skip non-essential cookies entirely. No third-party analytics with cookies, no marketing pixels, no embeds that drop trackers on page load. You get no banner, no consent platform, no audit overhead. For a new business this is often the smartest call. Read Privacy-respecting analytics alternatives.
- Run a real consent flow. Nothing fires before consent, Reject is as prominent as Accept, no pre-ticked boxes, no dark patterns. Read Cookies and consent: what you need to know.
The unacceptable shape: cookies firing on page load, a banner that only has Accept, or copy that says “by using this site you accept cookies”. Regulators fine all three regularly.
“But I run a …” — minimum by business type
The five must-do’s are universal. The traps are different depending on what you sell.
SaaS startup. You are a processor for your customers’ data and a controller for your own users. That means two-sided DPAs: you sign DPAs with your vendors (the controller-to-processor side), and your customers will ask you to sign their DPA (the processor-to-sub-processor side). Publish a public DPA on your site or in your terms. Make your hosting region clear (EU vs US matters to enterprise buyers). Maintain a sub-processor list and notify customers when it changes.
Webshop or e-commerce. Your traffic-and-conversion stack is the danger zone: tag managers, ad pixels, abandoned-cart trackers, recommendation engines, and payment fraud tools all set cookies and ship data to third parties. Audit every script. Marketing consent (newsletter, retargeting) is a separate basis from the order itself; capture each one explicitly. Your retention policy needs to cover order history, accounting requirements, and warranty periods, which often conflict; document the longest applicable period per data category.
B2B services, consultancy, accounting, bookkeeping. Most of your data is other people’s people: your client’s customers, employees, suppliers. That makes you a processor for almost everything you touch. Your minimum is heavier on DPAs (one with every client, not just every vendor), and on access control (which staff member sees which client’s records). Accountants and bookkeepers in particular have a legal retention obligation that overlaps with GDPR retention rules; document the legal basis (legal obligation) for the long retention, and don’t let it bleed into other uses.
ZZP or freelancer. GDPR applies even with no employees and one client. The minimum is the same five steps but lighter. Your three dossiers might fit on a single page each. Your privacy policy can be short. Your DPAs are mostly the standard ones from your SaaS vendors. The one trap: don’t store client data in personal cloud drives or personal email; a clean separation between personal and professional accounts is the cheapest security control you have.
Marketing or design agency. You’re often the processor and your client is the controller, which inverts who answers data subject requests. Your contracts with clients should make that explicit. Tools-of-the-trade (Figma, Canva, Mailchimp, ad platforms) each need a DPA. Asset libraries and old project folders are silent retention liabilities; schedule deletion when an engagement ends.
The day-one foundation checklist
Print this or paste it into your tracker. If every box below is ticked, you have an honest, defensible GDPR minimum.
Know your data
- Customer dossier complete (categories, purpose, legal basis, retention, recipients)
- Staff dossier complete (even if it’s just you)
- Third-party dossier complete (suppliers, partners, prospects)
Be reachable
- Privacy Coordinator named internally
- privacy@yourcompany.com mailbox active and monitored
- Coordinator’s role documented and known to the team
Tell people about it
- Tailored customer privacy policy published
- Privacy Coordinator named in the policy
- Linked from the footer of every page
- Reflects the dossiers, not boilerplate
- Includes data subject rights and complaint route to your supervisory authority
Train the team
- Everyone who handles personal data has done a basic privacy and security awareness session
- Attendance tracked and stored
- Refresh scheduled annually and built into onboarding
Cookies
- Either: no non-essential cookies, confirmed in a private window with dev-tools open
- Or: consent flow validated (nothing fires before consent, Reject as prominent as Accept, no pre-ticked boxes)
That’s the foundation. Five must-do’s, sixteen checks.
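The consent gate below is an added example, not code from the article or from GDPRWise. It shows, in JavaScript, the two cookie rules from must-do 5 and the checklist (nothing fires before consent; Reject is a first-class path with no pre-ticked boxes) plus the cookie check you would run in a private window; the cookie names and the two consent categories are assumptions for the demo.

```javascript
// Added example (not the article's or GDPRWise's code): a minimal consent gate.
// Non-essential loaders are registered up front but never run until an explicit
// choice is recorded; absent or non-boolean choices count as deny.
// Cookie names below are assumed placeholders for this demo.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "consent_prefs"]);

// Cookie names in a document.cookie string that are not on the essential list.
// Before consent (e.g. in a private window) the expected result is [].
function nonEssentialCookies(cookieString) {
  return cookieString
    .split(";")
    .map((kv) => kv.trim().split("=")[0])
    .filter((name) => name && !ESSENTIAL_COOKIES.has(name));
}

class ConsentGate {
  constructor() {
    this.prefs = null;   // null = visitor has not chosen yet
    this.pending = [];   // loaders waiting for consent in their category
    this.fired = [];     // categories whose loaders have run
  }
  // Register an analytics tag, marketing pixel or embed loader. It does not run
  // here; it runs only once consent for its category has been recorded.
  register(category, loader) {
    this.pending.push({ category, loader });
    this.flush();
  }
  // Record the visitor's explicit choice. Only `true` is consent (no pre-ticked
  // boxes, no "by using this site you accept" inference).
  record(choices) {
    this.prefs = {
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    };
    this.flush();
  }
  rejectAll() { this.record({}); }   // Reject must be as easy as Accept
  flush() {
    if (this.prefs === null) return; // still pre-consent: fire nothing
    const stillPending = [];
    for (const entry of this.pending) {
      if (this.prefs[entry.category]) {
        entry.loader();
        this.fired.push(entry.category);
      } else {
        stillPending.push(entry); // stays parked until the visitor opts in
      }
    }
    this.pending = stillPending;
  }
}
```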
Growing into more compliance as you grow
The minimum above is enough to start. It is not enough forever. As your business grows, your risk profile shifts, and a few additional steps stop being optional.
More customers means more potential rights requests, so you need a documented Data Subject Access Request (DSAR) procedure with templates and a register, not an ad-hoc reply each time.
More staff means a separate staff privacy policy (different from the customer one), a signed code of conduct, and the awareness training from step 4 formalised into something you can prove (attendance lists, completion records, a refresh cycle).
More vendors and partners means signed Data Processing Agreements (DPAs) with every external party that handles personal data on your behalf: hosting, email, CRM, analytics, payments, accountant, support tools. Most SaaS vendors publish a DPA you can sign in two minutes; for smaller suppliers, send your own. Once you have a few, you also need a register telling you which DPAs you have, which need renewal, and which sub-processors changed last quarter. Read Data processing agreements.
More revenue and more data means you’re a bigger target. Annual security reviews per system, real backup-restore tests, periodic access reviews (who can see what, and do they still need to), and a documented breach procedure that gets you from “something went wrong” to a regulator notification inside 72 hours.
Higher-risk processing (large-scale monitoring, special category data like health or biometrics, automated decisions with legal effect) means a Data Protection Impact Assessment (DPIA), and possibly a formal DPO.
The full GDPR Checklist for SMEs walks through the thirteen steps that cover this maturity ladder. Treat this article as the foundation; treat the checklist as the destination.
A word on what you don’t need yet
A formal DPO. A privacy lawyer on retainer. A consultant engagement. A DPIA for routine processing. An ISO 27001 audit. A six-month implementation project.
What you do need: an honest catalogue of what data you hold, a policy that reflects it, one human reachable to answer questions, signed agreements with your vendors, and a clean cookie story. That’s the minimum. Start there, grow into the rest.
GDPRWise scans your website, builds your three dossiers, and generates a tailored privacy policy. The free scan is the easiest day-one starting point.