Legal & Insurance
Understanding GDPR: A Plain-Language Guide for Online Business Owners
GDPR compliance is required for any business with EU customers - regardless of where your company is based. This guide explains what it actually means in practical terms.
By Wisdom Snake Editorial Team
| Published
Who GDPR applies to - including US businesses with EU visitors or customers The seven GDPR principles that govern all personal data processing The six legal bases for processing data and which applies to your business How to use cookie consent that actually meets the GDPR standard Individual rights under GDPR - and how to respond to requests within 30 days What Is GDPR? The General Data Protection Regulation (GDPR) is European Union privacy law that came into effect in May 2018. It establishes full rules for how organizations collect, store, and process personal data of EU/EEA residents. Essentially, it applies to any business anywhere in the world that processes data of people in the EU - not just European companies. Trust me on this - if you've got a single EU customer, subscriber, or website visitor whose data you collect, GDPR applies to you. The key point: GDPR isn't just a European problem. Any business selling internationally, running analytics, or collecting email addresses from EU visitors must comply - regardless of where the business is incorporated. Who Does GDPR Apply To? GDPR applies to any organization that processes personal data of individuals in the EU or EEA, regardless of where the organization is based. This includes: US-based e-commerce stores shipping to European customers SaaS companies with European users Bloggers with European newsletter subscribers Any website that collects data from EU visitors via analytics, advertising cookies, or contact forms "Personal data" is broadly defined - it includes names, email addresses, IP addresses, cookie identifiers, location data, and anything that can pinpoint a person directly or indirectly. Key GDPR Principles GDPR is built on seven principles that govern all personal data processing. Data quality principles Lawfulness, fairness, and transparency - you must have a valid legal basis and be transparent about how you use data Purpose limitation - collect data for specific, explicit purposes and don't use it for something else Data minimization - collect only what you actually need Accuracy - keep data correct and up to date Data protection principles Storage limitation - don't keep data longer than necessary Integrity and confidentiality - protect data with appropriate security measures Accountability - be able to demonstrate compliance with all the above The accountability principle is where most small businesses fall short. GDPR doesn't just require compliance - it requires that you can demonstrate compliance. Keep a simple Record of Processing Activities (RoPA) documenting what data you collect, why, and on what legal basis. Legal Bases for Processing The honest truth: you must have a lawful basis for every type of personal data processing your business performs. The six legal bases under GDPR fall into two groups. Common bases for online businesses Consent - freely given, specific, informed, unambiguous; used for marketing emails, advertising cookies, and analytics Contract - processing necessary to fulfill an order or service agreement Legal obligation - required by law, such as tax record retention Less common bases Vital interests - emergency health situations; rarely applicable for online businesses Public task - for public authorities Legitimate interests - your business interest outweighs the privacy impact; often used for fraud prevention and security logging Document your legal basis for each processing activity in a Record of Processing Activities (RoPA). For most small e-commerce businesses, you'll use Consent for marketing emails and analytics, Contract for order processing, and Legal Obligation for tax record keeping. Get those three right first. Cookies and Consent Here's the thing: under GDPR and the ePrivacy Directive, you need explicit, freely given consent before setting non-essential cookies - meaning analytics cookies (Google Analytics), advertising cookies (Facebook Pixel, Google AdSense), and marketing cookies (Klaviyo tracking). A cookie…
Frequently Asked Questions
Do I need a Data Protection Officer (DPO)?
A DPO is required only for public authorities, organizations that process data on a large scale as a core activity, or those that systematically monitor individuals. Most small e-commerce businesses and bloggers do not need one.
Does CCPA (California) overlap with GDPR?
Both laws protect consumer privacy rights but differ in scope and mechanics. CCPA applies to California residents and focuses on the right to know and opt out of data sale. GDPR is broader and requires opt-in consent for data processing in many cases. Many businesses implement both together since there is significant overlap.