You're probably wondering how many hours it will take to comply with the GDPR, the new European data protection and privacy law, applicable to almost every online business (across the world).
In short, if you promote or sell services to people in the EU, you need to comply with the GDPR. Simply promoting your stuff online to EU people (through email list building for example), is enough.
If you're a US company with a target market in California, and you happen to sell something to a dude in Germany once every blue moon, then you probably don't have to worry about the GDPR. You've got your own laws to worry about, though (CCPA), and GDPR-like laws are sprouting all over the world, so perhaps you might as well do *something* about how you handle personal data.
If you're still unsure, take the ICO's (the UK data protection authority) assessment here: Does data protection law apply to my business?
After spending well over a thousand hours studying and working on the GDPR, for a few hundred clients from solopreneurs to 550+ organisations, relying solely on credible sources, I know how demanding GDPR is, especially for small businesses.
In this article we'll go through how much time you need and should set aside to get your GDPR compliance in order (and how to achieve that).
Disclaimer: I’m not a lawyer and this article is for informational purposes only (read the full disclaimer).
This GDPR guide is about 5 000 words. I dare say it’ll probably be the most valuable 30-45 min. you spend on your basic GDPR knowledge. Make that investment.
In my experience, there are some mistakes I see over and over again:
«You don’t know what you don’t know», is a great saying, especially for the GDPR. Many aren’t actually aware they’re in breach of the GDPR, and often also marketing laws.
Some companies think a privacy notice on their website is enough. That they can use an online tool to «do GDPR», ensure compliance through a new system or subscribe to a service.
Or outsource everything to a lawyer or consultant.
This can quickly become a costly mistake.
Because it’s your responsibility, as the business owner, to ensure compliance with any laws applicable to your business, be it for accounting, taxes, GDPR or marketing.
It’s you who’ll get the fine (up to 4% of your global revenue or €20 million…).
First and foremost, you HAVE to understand the GDPR basics. Otherwise you won’t know if you are GDPR compliant (enough). And you risk hefty fines, even as a tiny, micro business.
Founders of SaaS companies, tech startups, solopreneurs, freelancers, and any online business entrepreneur or small business owner, don't have much spare time. It's in the nature of what we do.
We wear all the hats. We're the CEO, the accountant, the Chief of Marketing, customer support, the legal team, Head of PR, and the IT Director (or, if we're lucky, we have a CTO cofounder).
We not only have to be experts in AWS, Laravel, MySQL or WordPress, but also at online ads, email marketing, social media, building (and selling) online courses and so much more.
Like the GDPR. Oh dread.
The good news: You don't actually have to be a GDPR expert.
The (perceived) bad news. You really do have to do some work around the GDPR.
But this is not bad news at all! (Stop squirming.)
It also means that you’ll get a valuable overview of your systems and processes, reduce the risk of those hefty fines (significantly) and gain a marketing advantage, not only saying you “take privacy seriously” – you can actually demonstrate it.
200. At least that's what Google replies when you ask. At a minimum, the article goes on to say. But this is for a company with 50-250 employees.
Does that mean you can simply divide 200 by 50 and get an estimate for you (a company of one)?
Sorry to disappoint you, but no one in the world can get GDPR compliant in 4 hours.
I certainly didn't understand everything around accounting, bookkeeping and payroll, in only 4 hours, either. And the GDPR is a huge law, just like your national law on accounting.
Running a business means you need to deal with excruciating stuff. It's not like we get to invoice every hour of our work day, or work exclusively on what we love.
Estimating how long your GDPR compliance will take is impossible without knowing more about your business.
It depends on several factors:
As you can see, it's not easy to give you a good estimate, with so many influencing factors.
This is a huge question. Your answers from the last paragraph will largely determine how GDPR compliant you should/need to be.
Then you need to consider what level of compliance is enough, for you.
Here are some considerations:
Having enterprise or public sector clients will impact your GDPR efforts hugely.
Not only do they require (lots of!) thorough documentation, but you need to be able to discuss compliance, GDPR and security issues with legal and procurement teams.
Then, imagine you experience a personal data breach. How damaging can/will this be for your business/industry/among peers, if it made the front page of your local or national newspaper?
And if you're in the health and fitness industry, or if you process any personal data on children, the worse it gets (e.g. if your app is for logging health data or one that local schools use).
Key take-away: Several factors influence your GDPR efforts and the number of hours you need to spend. Giving an accurate estimate is impossible.
As you probably understand by now, there are too many variables in play to give you a sound estimate.
And, if I were to give you all of them, you would spend more time reading this article than just getting on with it.
So, the following estimate is to give you something to compare against, instead.
Benchmark:
The business owner decides to do all the work, without hiring help.
The mathematics (rough estimates):
In addition, you'll have to ensure your ongoing compliance.
For a micro company, this could take 10-20 hours a year, depending on the number of internal GDPR audits and data subject access requests (people who want to know what you do with their data).
And remember, this is for an uncomplicated, tiny business that hasn't developed an app, isn't a data processor, doesn't do email marketing or webinars, doesn't sell to enterprise clients, hasn't got complicated data flows, and doesn't use AWS or transfer lots of data to the US…
All these things will add to your GDPR work, and especially if you're doing it on your own.
One aspect of the work will (could) impact the number of hours you spend on the GDPR (significantly), and how easy or difficult it will (could) be.
I say “could” as this is contingent on the quality of the help you get (which could be useless).
Below we’ll go through the 3 phases of your GDPR compliance.
Each phase is directly impacted by the following two factors:
1. Doing the work yourself (without help) = requires more of your time, but costs less (or nothing)
2. Getting someone to guide you (with help) = costs more money, but requires less of your time
If you opt for option 1, without help, the number of hours depends largely on your personal interest in data protection laws and your general knowledge around compliance and security.
However, unless you’re a GDPR expert yourself, knowing exactly what to spend time on when doing your GDPR compliance, can be a huge time-waster.
Reading this article is anyway a great start, and the GDPR insights here will help you plan and implement the work faster and better.
PS: Everything you need to learn about and implement the GDPR, can be found online, free of charge. Every piece of GDPR information. The content is free. The time you spend reading it, however, isn’t without cost.
Just make sure you rely only on credible sources and not advice found in Facebook groups or random blog posts.
The biggest pitfall of this approach is that you spend hours (and hours, and hours) reading up on GDPR stuff that doesn't apply to you.
Consider for example the data protection officer role, required for some companies as per the GDPR Article 37.
Did you notice I said "some"?
As recently as July 2020 I came across this Twitter thread where someone stated, exasperated:
This is not correct. Not every company has to have a DPO. Some do.
Small businesses most often don’t need to appoint a DPO (but it’s more likely with SaaS companies). Obviously, you need to check this, or talk to someone who will help you with such an assessment.
And in any case, document your consideration and decision.
It could be beneficial, though, to appoint a Privacy Officer. Also from a marketing perspective, to demonstrate your GDPR commitment.
Another example is writing your own privacy policy. An entrepreneur, who didn't want to spend anything on his GDPR compliance, proudly shared that he had spent around 40 hours on the policy alone...
No one should spend 40 hours on a privacy policy (!). You can spend that in total for (the first parts of) your GDPR compliance.
If you want to do all the work yourself, make sure you use the ICO's website and take their GDPR assessment (click the "Read more" on every question, so you really get the full picture).
(Did you notice I said “qualified”?)
Getting GDPR help can mean everything from do-it-yourself templates to done-for-you services.
And just getting someone qualified to show you exactly what to read, understand, and implement, could be invaluable.
It not only saves you lots of time, but probably at least 52 grey hairs and an urge to throw your computer out the window.
Like when you have to:
Unless you find the GDPR interesting and fun, like I do! Yep, I said fun!
Key take-away: You need to understand a minimum of the GDPR yourself. Having a GDPR guide could get you further along the way, faster.
Or any business, of any size, for that matter.
This is how I plan and run GDPR projects for larger organisations. The same methodology is applicable to entrepreneurs, freelancers and online business owners, just on a smaller scale.
In addition to the process described below, there are certain requirements only applicable to SaaS and tech companies/startups. Make sure you also read those if you’re a (co-)founder, developer or CTO.
Before setting sails for your GDPR compliance journey, you should consider three phases:
We’ll delve into each phase in the following sections.
How much time you will have to spend on the GDPR should be estimated for each phase.
And, again, the number of hours will, in each phase, depend on the amount of work you decide to do yourself, vs. with a GDPR guide.
Key take-away: Plan and do your GDPR work in phases. Don’t aim to be fully GDPR compliant if you’re not even making any money in your business today.
Whatever you do – make sure you, yourself, truly understand what the GDPR is and means for your business.
Below is a list of the GDPR phrases you should (need to) know, at least initially. You really do need to understand these things once, in order to build the GDPR foundation.
Then, you don’t have to go around remembering this to a T, but at least be familiar with it.
If you hired help before and all of these words are completely new to you, and you don’t know if you have obtained data processing agreements or safeguards, you might want to consider asking for a refund…
The ICO assessment mentioned before could also be a good place to start.
The GDPR definitions you should know:
If this list makes you want to run away screaming, you should definitely consider getting help. Talking to someone who gets both the legalese, and is able to translate it to words you actually understand, is invaluable.
Key take-away: You need to understand a minimum of the GDPR yourself, at least initially.
So, you've got a basic understanding of the GDPR and how it affects your business.
Next, you’ll get down to business and set up your GDPR foundation. This is where the bulk of the work is, and where a GDPR plan will be very helpful.
And when all this is done, you should also define and write up some key internal GDPR policies and procedures (e.g. for what to do if someone asks for access to their data).
So, there you have it. If your head is spinning right now… I totally get it.
GDPR is overwhelming, and anyone telling you it’s “easy” either doesn’t run their own business or doesn’t understand the complexity of the law.
The personal data inventory is one of the most important GDPR requirements. If you aren't fully aware of all your processing activities, you will have a false sense of comfort, so make sure you fully understand what to do here.
* Here is an example of what it could look like:
| Article 30 required information | Description |
| --- | --- |
| Type of processing | Sending newsletters |
| Data processor/system | MailChimp, The Rocket Science Group |
| International transfer safeguard | EU standard contractual clauses (SCCs) |
| Security measures | Internal: Access control, backup, NDA signed with marketing bureau. Data processor's security: https://mailchimp.com/about/security |
| Data processor agreement | Yes, signed and stored in GDPR folder |
| Personal data | Name and email address |
| Data subjects | Newsletter subscribers |
| Purpose | Sharing news, offers, information about events etc. to leads, customers and other contacts |
| Legal basis | GDPR Article 6-1 a) Consent |
| Retention period | For as long as the data subject subscribes. When they unsubscribe, we delete their data at the latest [x weeks/months] afterwards |
| Recipients | Marketing bureau X who manages our newsletter on our behalf (we have signed a DPA with them) |
If you’re building tech, software or any digital solution (“app”), there are additional requirements for you.
First, take this seriously, to avoid reputational damage such as this:
* This Twitter discussion on a GDPR deletion request breach sparked several other similar tweets about the same company and probably made a huge dent in their reputation.
Second, you need to determine if you’re only a controller, or also a data processor. The ICO has detailed guidance on both roles and I recommend that you read this carefully (or get help assessing your role(s)).
If you're (also) a data processor, that in itself means you have additional responsibilities, cf. Article 28.
You’re not only responsible for your data, but someone else’s data, and you need to provide a data processing agreement as per the GDPR Article 28-3.
Not complying with the GDPR as a data processor is a huge risk.
In sum, here are the other aspects you should consider/do:
TIP: Whenever you consider/check/decide on something, document it. If you decide you don’t need a DPO, the authorities might disagree, but you can significantly reduce the risk of a fine if you can prove you actually made a conscious decision.
This is not a complete list of everything you need to take into consideration, but it’ll get you pretty far.
Key take-away: View your GDPR compliance as a journey. It might not be the most thrilling journey you’ve ever been on, but it makes the work less overwhelming. Document everything.
To be added later: A SaaS/tech GDPR resources list (privacy and security).
Good news: We’re almost there! This is the last phase of your GDPR compliance journey.
Bad news: It never ends.
Sorry to have to break it to you, but GDPR compliance is no different from any other business compliance. It’s ongoing, just like bookkeeping and taxes.
The law itself doesn’t say exactly when you need to perform certain tasks. It just outlines the requirements, and then it’s your responsibility to ensure you comply.
The GDPR is a fairly new law and there are still grey areas. Some are in the legal system already and the enthusiasts among us are eagerly waiting for judgements – they will set precedent going forward.
For example, GDPR Article 5(1)(e) states a storage limitation.
You can’t keep personal data for longer than you “need” it, but this “need” has to be specified (purpose) and legally valid (legal grounds for processing).
Recital 39 elaborates: “In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”
In order to stay GDPR compliant, plan and conduct regular GDPR audits/reviews.
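As an added example (not from this article, nor from MailChimp or any other tool the article mentions), the Python script below turns the Article 30 inventory row shown earlier and the storage-limitation rule just described into something a periodic review can actually run. It models one inventory row as a record, checks it for the gaps a reviewer looks for (empty Article 30 fields, an external processor with no signed DPA, a transfer outside the EEA with no documented safeguard, no erasure time limit at all) and lists which unsubscribed subjects are already past the retention deadline. The field names, the check rules and all sample data, including the hypothetical "HelpdeskTool" row, the 30-day erasure limit and the example.com addresses, are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed schema modelled on the Article 30 table in this article.
# The field names and the check rules are this example's own design,
# not a standard or an official template.


@dataclass
class ProcessingRecord:
    activity: str
    purpose: str
    personal_data: List[str]
    data_subjects: List[str]
    legal_basis: str
    recipients: List[str]
    security_measures: str
    # Days after the retention trigger (e.g. unsubscribing) by which the data
    # must be erased; None means no time limit has been decided yet.
    retention_days_after_trigger: Optional[int]
    processor: Optional[str] = None           # external system/vendor handling the data
    processor_outside_eea: bool = False
    transfer_safeguard: Optional[str] = None  # e.g. EU standard contractual clauses
    dpa_signed: bool = False                  # data processing agreement in place


def check_record(r: ProcessingRecord) -> List[str]:
    """Return review findings for one inventory row; an empty list means no gaps found."""
    findings: List[str] = []
    required = {
        "purpose": r.purpose,
        "personal_data": r.personal_data,
        "data_subjects": r.data_subjects,
        "recipients": r.recipients,
        "security_measures": r.security_measures,
        "legal_basis": r.legal_basis,
    }
    for name, value in required.items():
        if not value:
            findings.append(f"{r.activity}: '{name}' is empty")
    if r.retention_days_after_trigger is None:
        findings.append(f"{r.activity}: no erasure time limit defined (storage limitation)")
    if r.processor and not r.dpa_signed:
        findings.append(f"{r.activity}: processor '{r.processor}' used without a signed DPA")
    if r.processor_outside_eea and not r.transfer_safeguard:
        findings.append(f"{r.activity}: transfer outside the EEA with no documented safeguard")
    return findings


def overdue_erasures(r: ProcessingRecord, trigger_dates: Dict[str, date], today: date) -> List[str]:
    """Subjects whose retention trigger is older than the row's erasure time limit."""
    if r.retention_days_after_trigger is None:
        return []  # nothing to measure against; check_record already flags this
    limit = timedelta(days=r.retention_days_after_trigger)
    return sorted(s for s, d in trigger_dates.items() if today - d > limit)


# Constructed sample rows. NEWSLETTER mirrors the article's table with a 30-day
# erasure limit filled in; SUPPORT_ARCHIVE is a hypothetical, incomplete row.
NEWSLETTER = ProcessingRecord(
    activity="Sending newsletters",
    purpose="Sharing news, offers and event information with leads and customers",
    personal_data=["name", "email address"],
    data_subjects=["newsletter subscribers"],
    legal_basis="GDPR Article 6(1)(a) consent",
    recipients=["Marketing bureau X (DPA signed)"],
    security_measures="Access control, backup, NDA with marketing bureau",
    retention_days_after_trigger=30,
    processor="MailChimp, The Rocket Science Group",
    processor_outside_eea=True,
    transfer_safeguard="EU standard contractual clauses (SCCs)",
    dpa_signed=True,
)
SUPPORT_ARCHIVE = ProcessingRecord(
    activity="Support ticket archive",
    purpose="",                                  # never written down
    personal_data=["name", "email address", "ticket text"],
    data_subjects=["customers"],
    legal_basis="GDPR Article 6(1)(b) contract",
    recipients=["support staff"],
    security_measures="Access control",
    retention_days_after_trigger=None,           # nobody decided when to delete
    processor="HelpdeskTool (hypothetical vendor)",
    processor_outside_eea=True,
    transfer_safeguard=None,
    dpa_signed=False,
)
# Constructed unsubscribe dates: the retention trigger for the newsletter row.
UNSUBSCRIBED = {"alice@example.com": date(2020, 6, 1), "bob@example.com": date(2020, 7, 20)}
REVIEW_DATE = date(2020, 8, 1)  # constructed date of this review run


def run_review(today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Run both checks over the inventory; the keyed result is what you file as the audit record."""
    return {
        "findings": check_record(NEWSLETTER) + check_record(SUPPORT_ARCHIVE),
        "overdue_erasures": overdue_erasures(NEWSLETTER, UNSUBSCRIBED, today),
    }


if __name__ == "__main__":
    for key, items in run_review().items():
        print(key)
        for item in items:
            print("  -", item)
```

Running it prints four findings for the hypothetical support archive row and none for the newsletter row, plus the one subscriber who unsubscribed more than 30 days before the review date. Saving that output next to the date of the run is exactly the kind of documentation the article keeps asking for: it shows what was checked, when, and what was decided.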
If you’ve built a solid GDPR foundation, keeping up GDPR compliance won’t be too demanding. It also depends on how much you’re going to do yourself vs. delegating or outsourcing.
My recommendation for a small, uncomplicated business such as in the example above, is to do an annual review/audit, or every 18 months.
Anything less will likely raise eyebrows at the authorities.
The number of GDPR reviews every year depends on the same factors that impact the number of hours required to work with your privacy compliance.
It depends on how complex your business and personal data inventory are, how much data you process, and how sensitive it is.
Any SaaS company with a few employees should at least do an annual audit, and perhaps more if you’re also a data processor.
Newly founded businesses can see my comment in the next section.
Key take-away: GDPR is ongoing. Plan for regular audits (add them to your calendar) and document each one.
Let me start by saying this: You can't outsource GDPR 100%.
You, as the business owner, have to understand a minimum of what the GDPR is and means for your business. Ultimately, it's you who's held accountable if you're not GDPR compliant.
Not the GDPR lawyer or consultant you hired. Not the GDPR tool, system or plugin you purchased, or the vendor providing it.
The GDPR fine is issued to the controller, that is, you.
The question you need to ask yourself is: What will an investment in GDPR compliance give me?
If an investment isn’t making you more money in your business, you need to consider what it’s preventing.
In the case of the GDPR, we’re doing our compliance to:
Think of investing in GDPR like an insurance policy that could save you both money and embarrassment.
A SaaS or tech startup (or any fledgling business) shouldn’t spend money on GDPR requirements in the starting phase of their business. Especially if your turnover is zilch (!).
For the first year or two it’s pretty much about building your business case, pitching at demo days, competing in angel challenges and writing investor presentations…
Or, perhaps the better way, just working your b*tt off (and validating your product/idea before pouring more money into devops), bootstrapping your way to profit.
However, as soon as you start approaching hockey stick growth, making a profit, attracting the attention of investors, the GDPR traffic light switches from green to amber.
Regardless, you should do something with privacy when you launch your business. There are free resources (like this site and the ICO’s) to get you started.
You can spend a few hours learning the basics and writing up a privacy notice for your website. IMHO.
And when you’ve proved your business case, then make a plan for how you’re going to deal with the GDPR. Come back to this article and read it again, thoroughly.
GDPR consulting is big business. Make sure you know that the person helping you knows their stuff, and doesn’t sell you more than you need right now.
First, if someone hasn't even read the (entire) legal text, they shouldn't be giving advice on the GDPR. Including lawyers.
There are thousands of different laws and regulations, and being a lawyer doesn't mean they know anything about the GDPR.
If you get audited, it won't help saying that you "didn't know". It’s 100% your responsibility to ensure compliance, as the business owner and controller.
Second, as shown in this article, several factors impact the level of your GDPR efforts. Plan your GDPR work in phases and get help where it makes sense for your business, where it’s at right now.
A decent GDPR consultant or lawyer will discuss this with you and advise on how compliant you should be.
Ultimately, however, it’s a risk assessment, and one you have to do yourself.
When deciding how much to spend on getting help, and what kind of help you should look for, there are some things to be aware of.
Red flags you should look for when considering GDPR helpers:
Key take-away: Get help, but from the right kind of expert and for the business stage you’re at right now.
First, congratulations on making it all the way to the end!
One of my goals is to curate GDPR information for the smallest businesses, with the smallest budgets, and I’ve spent days trying to make sure this article would be as useful as possible for you.
When you now get ready to put down the work, here are some final tips for you:
And there you have it.
I truly wish you the best of luck with the GDPR, and, not the least, with your awesome business!