Building a GDPR privacy program for small businesses

March 1, 2022


The General Data Protection Regulation (GDPR) is a robust privacy law that took effect on May 25, 2018. When the European Union (EU) signed the GDPR into law, it generated a ripple effect extending far beyond its Member States’ borders. 

The law regulates how organizations collect, use, and protect the personal data of EU residents. If you operate a small or midsize business (SMB) that interacts with EU-based individuals online, the GDPR likely applies to you. 

SMB leaders and operators face the ongoing challenge of balancing resources across business priorities. This makes it easy for seemingly less consequential tasks to fall through the cracks, such as building a GDPR privacy program. 

Although this isn’t optional if the GDPR applies to your organization, building a modern privacy program offers many benefits to your organization beyond just compliance. You increase transparency with customers, building trust and loyalty for long-term success.

Automating compliance with the GDPR will improve privacy outcomes, protect your team’s resources, and position your organization for success.

Read on to discover more about the GDPR’s scope and how it may apply to your business. We’ll also share concrete steps to enable privacy automation for startups on the path to compliance. 

GDPR privacy program for startups and SMBs

The GDPR applies to businesses of all sizes. Your first step is determining whether your operations fall under the GDPR’s scope:

  • Material scope — Does the GDPR regulate my data processing activity? 
  • Territorial scope — Does the GDPR apply to me based on my location or the location of my users or customers? 


GDPR material scope

If your organization processes personal data by partially or entirely automated methods, the GDPR applies to you. 

From 30,000 feet, this applies to the following data processing activities: collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing, or deleting personal data.

In context, this might look like capturing personal data on web forms, order forms, account sign-ups, and more. This also applies if your organization uses third-party systems to process data, such as marketing automation software, database software, point-of-sale systems, and so on.

GDPR territorial scope

If your startup or SMB is EU-based, the GDPR’s territorial scope applies to you.

Also, if your organization processes personal data belonging to customers or users based in the EU, the GDPR applies to you. This is true no matter where your operation is. 

This is known as extraterritorial scope: organizations outside the EU must comply with the GDPR under these conditions.

The GDPR’s territorial scope covers the following types of activities:  

  • Providing goods or services to EU-based customers.
  • Collecting IP addresses of EU-based website visitors for analytics tracking.
  • Receiving donations for your non-profit organization, including EU-based donors.


GDPR compliance obligations 

The GDPR establishes and protects individual privacy rights. It places obligations on organizations that interact with and handle applicable data. The law refers to the individuals whose data you collect as data subjects. 

The GDPR outlines eight fundamental data subject rights that organizations must respect. 

You must equip yourself with a privacy policy that identifies these rights as they relate to your data collection and processing activities. You also must be ready to handle and fulfill requests from data subjects. These are known as data subject access requests (DSARs), and you need to complete them within one month or sooner.

8 Data Subject Rights from the GDPR:

To make it easier to read, we’ve paraphrased the GDPR’s 8 data subject rights for you:

  1. Right to be informed: Data subjects have the right to know that you’re collecting and using their personal data. 
  2. Right to access: Data subjects can ask for copies of the data you’ve collected. 
  3. Right to rectification: Data subjects have the right to ask you to update or correct inaccurate or outdated personal data. 
  4. Right to be forgotten/right to erasure: Data subjects can request that you delete their personal data. There may be exceptions to this in some instances. 
  5. Right to data portability: Data subjects have the right to ask you to transfer their data to another controller or provide it to them. You must deliver the data in an accessible, digital format. 
  6. Right to restrict processing: Data subjects can ask you not to process their data or suppress it. 
  7. Right to object: Data subjects can object to the processing of their personal data.
  8. Right to object to automated processing: Data subjects have the right to object to decisions made with their data through automation.


GDPR and individual consent

Individual consent is an essential requirement of the GDPR.

Data subjects can withdraw their consent at any time. According to the law, your requirement is to fulfill consent withdrawals as soon as possible. You must respect consent withdrawals across all locations where you’re using or processing data. 

Consequences of GDPR Non-Compliance

If the GDPR applies to your organization, it’s your responsibility to get your processes up to speed with compliance obligations. 

Non-compliant activities can include: 

  • Not responding to DSARs, or taking too long to fulfill them.
  • Failing to update your privacy policy if you change your data-processing activities. 
  • Collecting sensitive personal data (such as social security numbers) without an express purpose.
  • Giving personal data to third parties without an individual giving you permission to do so.

Non-compliance with the GDPR may result in temporary or permanent bans on data processing. The authorities may require you to restrict or erase data. They may also tell you to suspend data transfers to other countries. 

Fines are a common consequence of non-compliance. They’re discretionary, meaning the amount should align with the severity of the violation: 

  • Up to €10 million ($11 million) or 2% of annual global turnover
  • Up to €20 million ($23 million) or 4% of annual global turnover

Your GDPR-compliant privacy program is a significant consideration for the authorities. Your organization may be subject to smaller penalties if you can prove that you’re making genuine attempts to comply. 

Enabling privacy automation for your startup

If time and resources are scarce, automation will be critical as you build or update your privacy program for GDPR compliance.

The benefits of privacy automation for startups are many. As regulations, data, and technology continually evolve, automation enables you to stay in front of change. 

Additionally, as smaller teams work through their obligations, automation streamlines the process from start to finish. By making your privacy policies and workflows clear, you can count on more effective collaboration across business stakeholders. 

The must-haves for your updated privacy program include:

  • Gaining access to real-time information.
  • Operating in the context of the latest regulations that apply to your business, especially as they evolve. 
  • Leveraging workflows that streamline efforts and increase accuracy. 
  • Integrating privacy into every step of the data lifecycle. 

Automation makes it possible for startups and SMBs with limited resources to achieve these outcomes. No matter where you’re at in the process, you can start to take steps to automate your privacy program today.

Step 1: Evaluate your current privacy program

Take a look at how you’re currently dealing with privacy compliance internally. Are there gaps between your operations and your obligations?

Whether or not you have a dedicated privacy team, GDPR requirements apply to everyone in your organization. 

Start by uncovering the areas where your organization may be falling short: 

  • When was the last time we looked at our privacy policy? 
  • Are we tracking and fulfilling DSAR requests quickly enough?
  • Do our third-party vendors put us at risk?  

From here, you can start to figure out how you can enhance your privacy program and improve compliance outcomes. 

Step 2: Put automation at the center of your privacy program  

Automation can power many of your privacy compliance processes.

You need to map and store consumer data in a centralized location. Automation can help you achieve this by consolidating your many personal data sources into one centralized location. This enables you to understand what you’re collecting and why — and fulfills your record-keeping requirements. 

You need to track DSARs — and fulfill them quickly. If you’re relying on manual processes to handle DSARs, you’re at risk of letting some fall through the cracks. This is a significant risk. Automation solves this problem by creating a centralized repository for requests and enabling teams to track fulfillment. 

You have to be able to prove consent every step of the way. Consent records are key to GDPR compliance. If you’re not keeping up-to-date, centralized records on consent, it will be difficult to prove whether you’ve obtained it. 

You need to be able to prove granular consent. If you can’t attribute time-stamped consent records to specific data processing activities, you may be at risk. 

These obligations require a significant amount of resources to fulfill. This is where automation provides substantial advantages to startups and SMBs. You’ll gain peace of mind knowing you’re current on your requirements, especially as the team keeps busy with other priorities. 

Step 3: Prepare for a data breach

The time to prepare for a data breach is now, not after one occurs. 

Startups and SMBs have to be mindful of how they’re spending resources at all times. The response effort post-breach comes down to hours and minutes — something you might not have at the time of an incident. 

In the unfortunate event that a breach happens, you’ll thank yourself for doing your due diligence. 

In some cases, the GDPR requires near-immediate notification to those affected by a data breach. If your data records aren’t up-to-date, readily available, and contain the proper contact information, you’re at risk of not fulfilling your obligations.  

Conclusion: Automate privacy with OneTrust 

Earning consumer trust is paramount to the health and survival of your business. As a result, taking data privacy seriously is a must for startups and SMBs today. 

Building and maintaining a compliant privacy program will help prevent reputational damage in the event of a breach. Your efforts will also help you avoid the fines and negative consequences of GDPR non-compliance. 

If your startup or SMB is subject to the GDPR, you should be taking advantage of automation to the fullest extent possible. Not only will it enhance your compliance outcomes, but you’ll also be able to conserve precious resources for your most important business activities. 

OneTrust helps you automate your privacy program. Our large team of experts will expand the capabilities of your legal department, especially when they aren’t 100% dedicated to privacy. 

OneTrust’s software enables you to automate privacy by design across your organization. With our tools, you can:

  • Discover and classify personal data across your IT ecosystem.
  • Apply up-to-date business and regulatory context through OneTrust DataGuidance.
  • Populate a central data inventory & catalog to serve as the foundation of your privacy, security, and data governance initiatives.
  • Enable privacy workflows that create processing records, manage incident response, and automate DSAR fulfillment.
  • Enforce data retention, data minimization, and data access policies.

Get started today by requesting a free demo
