On May 25, the European Union’s new General Data Protection Regulation (GDPR) goes into effect, and organizations and businesses must aim for compliance as soon as possible. Steep fines await those who don’t meet governing regulations.

But the new regulations can be daunting, not to mention confusing. A recent New York Times article explained, “the law is staggeringly complex. After three years of intense lobbying and contentious negotiation, the European Parliament published a draft, which then received some 4,000 amendment proposals.” The problem is, the Times points out, “no one understands the GDPR.”

So where can a small business begin?


In a Privacy Impact Assessment, organizations can work with legal professionals to audit processes to see exactly what kind of data they are collecting. Lawyers meticulously review sites with clients, to make sure warnings and consent pop-ups appear on the correct and mandated pages.

Data Processing Agreements (DPA’s)

When sites track user information, it flows between two entities: “controllers” and “processors.” Controllers create the point of entry for internet users. Processors use data collected at that point of entry, personalizing the user experience and tracking behavior.

Until now, controllers were only liable for failure to protect the data. Now, they will be on the hook for the processor as well.

Data Transfer Agreements

Just as medical entities must protect data they exchange, under the GDPR, companies will also be held responsible for securing their clients’ data.

What Can Small Companies Do to Comply?

Large companies have been rolling out steps to comply with these new regulations before the May 25th deadline.

But what about smaller companies and entrepreneurs? What if they don’t have the time or the budget to take on compliance?

An important first step is simply updating a privacy agreement. An attorney can help you craft this document and show that your company is moving in good faith toward compliance with GDPR.

It’s important to focus on the big picture: This is about giving users control over their private information. You can do that, whatever your business, by making the rules—what’s going to happen to personal information online—clear. And empowering users with the option to change their mind gives them a sense of security.

Read our next blog to examine a case study of GDPR compliance.

Pete Salsich III has been General Counsel for Coolfire Studios, LLC (an entertainment content creation studio), Coolfire Solutions, Inc. (a mobile software development studio focused on the military and commercial enterprise), and MedAware Solutions, Inc. (a mobile software platform company focused on the healthcare industry). Since joining AEGIS, Pete continues to serve in this capacity.