GDPR Game Plan for the Small Business

— September 14, 2017

One of the main reasons people start a small business is so that they can work for themselves. Many soon realize, however, that they’re at the mercy of a really tough boss. In a Gallup survey of small business owners, 39% of respondents reported working more than 60 hours per week. On top of that, there’s the never-ending awareness that the buck stops with you. Even if you delegate, everything ultimately ends up back on your desk.

When you’re under that kind of pressure, you have to prioritize. In doing so, people tend to ignore things that aren’t jumping up and down right under their noses. An example would be a data privacy law implemented on the other side of the world…right?

Wrong. The EU’s General Data Protection Regulation, which takes effect May 25, 2018, applies to organizations of any size that hold personal data on even a single customer, prospect, employee, or partner located in an EU member state. So the GDPR may very well apply to you, whether you realize it or not. And the flawed childhood trick of pretending, “If I close my eyes really tight, maybe they won’t see me,” isn’t going to work. As much as you may cringe at the thought of putting yet another weighty issue on your to-do list, GDPR compliance won’t wait, and ignorance of the law isn’t an excuse.

However, while you can’t just ignore GDPR compliance, you don’t have to do it the same way as enterprise-level corporations. You can develop a game plan that’s more in line with your own resources. Here are some suggestions:

Start with mapping your data

The hype about Big Data has led us to accept the assumption that more is better, so we scoop up every bit of data we can and store it away in case we need it some day. The GDPR pushes the other way: its data minimisation principle says you should collect and keep only the personal data you actually need for a stated purpose. Hoard everything and you quickly end up with a scenario reminiscent of the scene in Raiders of the Lost Ark where the Ark of the Covenant is put in a nondescript wooden box and stashed away in a warehouse full of other nondescript boxes.

Before you decide whether and how you’ll approach GDPR, you have to know where all of your personal data is (physically and in which systems), who has access to it, which third parties it is shared with, and why you are holding it in the first place. Some things will be obvious, like the data in a CRM platform. But this process also requires turning over a few rocks and thinking about things like emails that contain personal data, shared spreadsheets, backups, HR and accounting records, etc.

Next, map your people

Another important step is to find out where the people you hold data on are located. The regulation turns on where the data subject is, not on citizenship: if you offer goods or services to, or monitor the behaviour of, people in the EU and you in any way collect, process, or store their personal data, you have to follow the law, even if it’s just one person.

Confront the elephant in the room: Is it worth it?

Nobody likes to fire a good employee or contractor, much less a customer! But, if you only have a handful of customers or partners in the EU, it’s only fair to ask yourself if the relationship is worth the time and resources it will take to become GDPR compliant. Cyber insurance is always an option for offsetting breach and remediation costs, but it has costs of its own and does not remove the legal obligation to comply. So, whether it’s a customer who only makes a few low-ticket purchases a year or a contractor you turn to occasionally when you need some backup, GDPR compliance may cost more than the relationship is worth.

On the other hand, the EU isn’t the only governing body shining a spotlight on digital regulations. And having a comprehensive digital policy can go a long way toward maximizing the opportunities and minimizing the risks of running a business in the digital age. So GDPR could be the perfect motivation to start a journey toward digital privacy and security.

The bottom line is that only you can answer this question — and that starts with asking it.

Identify the steps necessary for compliance

This is where you make your to-do list. The GDPR spells out the requirements, so the task is to compare them against your current practices and identify the areas where you’re not compliant. If you don’t currently have a breach notification process, for example, that should be at the top of your list: the regulation requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach. If you don’t track and monitor who has access to customer data, that needs to be on the list, too.

Prioritize your list

This step is an exercise in risk management. Since doing everything at once would be a tough burden for many small businesses, the best approach is to decide what you’re going to tackle now and what you’ll save for later. Here are some good questions to guide those decisions:

  • Where are your biggest risks? Consider everything from the fines that could be levied for violations (up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements) to the likelihood that particular practices could be audited. Audits aren’t the only way non-compliance surfaces, either: a breach or a complaint from a data subject will expose it just as surely. Your top priorities, of course, should be the situations where the potential fines are large and the chance of being caught in non-compliance is high. After that, it comes down to your company’s financial resources and your tolerance for risk. It’s definitely a balancing act, and it will be different for every company that goes through this process.
  • How hard will it be? If you’ve already started down the road to compliance and only need to make a few tweaks to be GDPR compliant — that’s an easy call. If you have to start from scratch and build a GDPR compliant system from the ground up, that’s a lot harder (especially if data will be inaccessible during the transition). And it won’t happen overnight.
  • How much will it cost? It’s a balancing act — you have to weigh certain costs now vs. possible costs later. While it’s easy to put things off because there’s no room in your budget, realize that, by putting compliance off until later, you’re accepting the risk of having to pay even more in fines and remediation.

Some priorities will be obvious. However, since all of these factors play off of one another in subtle ways, expect some heated discussions on the way to developing a list of everything you need to do and how you’ll do it.

Put your plan into action

Many small businesses will need to take compliance one step at a time. Other companies, with broader skill sets, may be able to divvy the steps up among their employees so that several can be worked on simultaneously.

Another option — and one that deserves serious consideration — is outsourcing. Many small companies simply don’t have the skill sets in-house. Or, if they do, it would require putting other projects on hold. In addition, digital compliance is one area where you definitely want someone with experience.

If you do choose to outsource, it’s important to consider that you’re only as compliant as your third-party providers. Under the GDPR you remain the controller of the data, and any vendor that handles it on your behalf is a processor acting under your responsibility. In other words, if you’re going to outsource compliance, it’s crucial that you choose a vendor who is already compliant.

There are a couple of ways to approach that issue. One way is to ask detailed questions about the vendor’s approach to the issues addressed by GDPR: where the data is stored, who can access it, how it is secured, and how they handle breaches and deletion requests. The other is contractual, and here the GDPR doesn’t give you a choice: it requires a written agreement with every processor setting out what they may do with the data, their confidentiality and security obligations, how sub-processors are handled, and what happens to the data when the contract ends. Add to that a clause stating that the vendor agrees to maintain compliance and to notify you immediately if their compliance lapses.

I don’t want to minimize the impacts of GDPR: It’s a big deal. On the other hand, it’s doable — for even the smallest business — especially if you have the right support. And if you are still uncertain of how GDPR will impact your business, need to assess your preparedness or create a plan for getting it right, consider a hands-on workshop such as Gearing Up, Getting It Done: Make Your Team A GDPR Success taking place this November.

Digital & Social Articles on Business 2 Community