Since 2018, GDPR has been worrying small businesses. Stories of fines of 20 million euros circulate and paralyze small business owners who say "I'm done for, I'm not compliant."
The reality is simpler. CNIL has never sanctioned a small business making a reasonable effort toward compliance. It goes after tech giants, companies that sell personal data, repeat offenders. Not the plumber with a customer Excel file.
This doesn't exempt you from doing your part. But the level of effort required is very manageable.
The 5 actions that cover 80% of your obligations
Action 1: the processing register (the foundation)
It's the central document of GDPR. It lists the personal data you collect, why, and how long you keep it.
For a typical small business, it fits on one page:
| Processing | Data collected | Purpose | Retention period |
|---|---|---|---|
| Customer file | Name, email, phone, address | Sales management | 3 years after last contact |
| Accounting | Name, address, invoice number | Legal obligation | 10 years |
| Payroll (if employees) | Personal details, SS number, bank details | Salary management | 5 years after departure |
| Website | Cookies, IP, contact form | Marketing, analytics | 13 months (cookies), 3 years (form) |
| Newsletter | Email address | Communication | Until unsubscribe |
CNIL offers a free template on its website. Fill it out in 30 minutes and update it once a year.
Action 2: informing individuals
You must inform people whose data you collect. In practice:
- On your website: a "Privacy Policy" or "Data Protection" page accessible from the footer. Describe in plain language what data you collect, why, how long you keep it, and how to exercise rights.
- On your forms: a sentence below each contact form: "The data collected is used to respond to your request. You can exercise your rights by contacting us at [email]. See our privacy policy."
- For your employees: a document given at hiring listing data collected as part of the employment relationship.
Action 3: managing cookies
If your site uses audience measurement cookies (Google Analytics, Matomo) or advertising cookies, you must obtain explicit consent from the visitor BEFORE placing these cookies.
The action: install a compliant cookie banner. Free solutions like Tarteaucitron.js or Cookiebot (free up to 100 pages) do the job.
Exception: cookies strictly necessary for site functionality (authentication, shopping cart) do not require consent.
Alternative: use Matomo in "consent-exempt" configuration (CNIL declaration). You keep your analytics without a cookie banner.
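To make the "consent before cookies" rule concrete, here is an added example of the gate a banner implements; it is not code from this article nor from Tarteaucitron.js or Cookiebot. The function names and category set are assumptions, and the register's 13-month figure is reused, also as an assumption, as the lifetime of the stored choice.

```javascript
// Added example (not from the article or from Tarteaucitron.js / Cookiebot):
// a minimal consent gate that only lets non-essential scripts run after an
// explicit, still-valid opt-in. All names here are assumptions.

// Reusing the register's 13-month figure as the lifetime of a stored choice
// (an assumption); after that the visitor is asked again.
const CONSENT_LIFETIME_MS = 13 * 30 * 24 * 60 * 60 * 1000;

// Category -> exempt from consent? Only strictly necessary cookies
// (authentication, shopping cart) may be placed without asking.
const CATEGORIES = { necessary: true, analytics: false, advertising: false };

// Build the record a banner would persist once the visitor has chosen.
function newConsent(choices, now = Date.now()) {
  return { choices: { ...choices }, recordedAt: now };
}

// No record, or one older than the lifetime, counts as "not consented".
function consentExpired(record, now = Date.now()) {
  return !record || now - record.recordedAt > CONSENT_LIFETIME_MS;
}

// May a script of this category execute right now?
function canRun(category, record, now = Date.now()) {
  if (!(category in CATEGORIES)) return false; // unknown category: never
  if (CATEGORIES[category]) return true;        // exempt, always allowed
  if (consentExpired(record, now)) return false;
  return record.choices[category] === true;     // explicit opt-in only
}

// Run every registered script whose category is allowed; return what ran.
function runAllowed(scripts, record, now = Date.now()) {
  const ran = [];
  for (const script of scripts) {
    if (canRun(script.category, record, now)) {
      script.load();
      ran.push(script.name);
    }
  }
  return ran;
}

// Constructed sample scripts; a real loader would inject the GA or Matomo tag.
const sampleScripts = [
  { name: "session", category: "necessary", load: () => {} },
  { name: "analytics", category: "analytics", load: () => {} },
  { name: "ads", category: "advertising", load: () => {} },
];
```

Before any choice is recorded only the session script runs; a refused or expired choice is treated exactly like no choice at all.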
Action 4: data security
GDPR requires protecting personal data with "appropriate technical and organizational measures." For a small business, this means:
- Strong and unique passwords (see the cybersecurity article)
- Applied security updates
- Regular backups
- Restricted data access (not everyone accesses everything)
- Encryption of laptops
It's nothing more or less than good cybersecurity practices you should apply anyway.
Action 5: managing individuals' rights
GDPR gives people rights over their data: access, correction, deletion, portability. In practice, small businesses receive very few such requests.
The action: designate a contact person (yourself or a colleague) and a contact email address (like data@yourcompany.fr). When a request arrives, respond within one month. That's it.
What can wait
The DPO (data protection officer) — mandatory only for companies processing data at large scale or sensitive data. A 5-person small business doesn't need a DPO.
Impact analysis (DPIA) — mandatory only for high-risk processing (large-scale video surveillance, systematic profiling, health data). Your carpentry business's customer file is not high-risk processing.
GDPR certification — no certification is mandatory. Companies selling you "GDPR certifications" exploit fear. Compliance is an ongoing process, not a label.
In case of data breach
If personal data leaks (hacking, lost USB key, email sent to wrong recipient), you have 72 hours to notify CNIL if the breach presents a risk to individuals.
The notification form is online on the CNIL website. Fill it out honestly: what happened, how many people are affected, what measures you've taken.
CNIL is more lenient with a company that notifies quickly than with one that hides the incident.
GDPR is not a bureaucratic monster for small businesses. It's a framework of common sense: protect your customers' data the way you'd want yours protected.