What does GDPR actually stand for?
GDPR is the General Data Protection Regulation — an EU law that came into force on 25 May 2018. It replaced a 1995 data protection directive and dramatically raised the legal stakes for any business that handles personal data of EU residents.
The UK has its own near-identical version (UK GDPR + the Data Protection Act 2018) after Brexit. For most websites, complying with EU GDPR effectively covers UK GDPR too.
Does GDPR apply to my website?
If any of your visitors are physically located in the EU or UK when they visit your site, GDPR applies. It does not matter:
- Where your business is registered
- Where your servers are hosted
- Whether you charge EU users any money
- Whether you ship products to the EU
The test is geographic: if a user in Munich, Dublin, or Manchester can load your site and have their data processed (including via Google Analytics or a Facebook Pixel), you fall under GDPR.
What does GDPR actually require?
GDPR is long — 99 articles plus 173 recitals — but for a typical website owner it boils down to four practical requirements:
1. Lawful basis for processing
Before you collect any personal data, you need a legal reason. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most websites the relevant ones are consent (for marketing cookies, newsletter sign-ups) and legitimate interests (for basic site security, fraud prevention).
2. A cookie consent banner
If your site uses any cookies that are not strictly necessary — and Google Analytics, Meta Pixel, YouTube embeds, and HubSpot all count as non-essential — you must ask the user before those cookies fire. A banner that says "we use cookies" with an OK button is not enough; it must let users reject non-essential cookies with one click.
CookieYes covers the banner requirement
Free for sites under 25k monthly visits. Native Google Consent Mode v2 means your Google Analytics keeps working when users opt out.
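As an added illustration of the "ask before those cookies fire" rule (example code, not from the original page or any vendor's SDK): a default-deny consent state whose only outputs are the tags allowed to load and the matching Google Consent Mode v2 signals. The category names, the tag-descriptor shape and the sample tag list are assumptions made for this example.

```javascript
// Added example: default-deny consent gating for non-essential tags, written as
// pure functions so the decision logic can be tested outside a browser.
// Category names are an assumption; the Consent Mode v2 signal names are Google's.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed sample of the tags a small site might carry (not real endpoints).
const SAMPLE_TAGS = [
  { src: "/session.js", category: "necessary" },
  { src: "/vendor/analytics-tag.js", category: "analytics" },
  { src: "/vendor/ad-pixel.js", category: "marketing" },
];

// State before the visitor has chosen anything: only strictly necessary
// processing is allowed, so no analytics or marketing tag may fire yet.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// Apply the banner choice. "reject_all" is a single action that leaves every
// non-essential category off; a granular object such as { analytics: true }
// enables only the named categories. "necessary" can never be switched off.
function applyChoice(choice) {
  const consent = defaultConsent();
  consent.decided = true;
  if (choice === "accept_all") {
    consent.analytics = true;
    consent.marketing = true;
  } else if (choice !== "reject_all" && choice && typeof choice === "object") {
    for (const key of Object.keys(choice)) {
      if (CATEGORIES.includes(key) && key !== "necessary") consent[key] = Boolean(choice[key]);
    }
  }
  return consent;
}

// Translate the state into Consent Mode v2 signals; everything starts "denied".
function consentModeSignals(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// Return only the tags that may be activated under the given consent state.
// In a page these would be <script type="text/plain" data-category="..."> tags
// that the banner swaps to real scripts after this check passes.
function allowedTags(tags, consent) {
  return tags.filter((t) => t.category === "necessary" || consent[t.category] === true);
}
```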
3. A privacy policy
Your privacy policy must explain — in language an average person can understand — what data you collect, why, how long you keep it, who you share it with, and how users can exercise their rights. Template policies copy-pasted from another site do not survive a regulator inquiry. Use a generator that bases the policy on your actual tech stack.
iubenda builds the policy from your tech stack
Tell iubenda which third-party services your site uses (Google Analytics, Stripe, Mailchimp) and it assembles a lawyer-vetted privacy policy in your language.
4. Honour data subject rights
EU residents have eight rights under GDPR. The ones a small site needs a process for are:
- Right of access — "send me a copy of all the data you have on me"
- Right to erasure — "delete all data you have on me" (the "right to be forgotten")
- Right to rectification — "correct inaccurate data about me"
- Right to object — "stop processing my data for marketing"
You don't need a fancy portal. A monitored email like privacy@yourdomain.com with a documented response process that meets the 30-day deadline is enough for a small business.
What are the GDPR fines?
The headline maximum is €20 million or 4% of global annual turnover, whichever is higher. That number gets thrown around to scare people, and yes, Meta, Amazon, and Google have all been fined hundreds of millions of euros.
For a small business, the realistic risk is different. Data Protection Authorities have shown a pattern of issuing €10,000–€500,000 fines for the kind of mistakes a small site makes:
- No cookie banner or a non-compliant banner (€10k–€200k typical)
- Ignoring a data subject access request (€20k–€100k typical)
- Failing to report a data breach within 72 hours (€50k–€500k typical)
- Sending marketing email without proof of consent (€5k–€50k typical)
The smaller fines are far more common than the headline ones, and they're large enough to end a small business.
What about GDPR for remote teams?
One area site owners often miss: the moment your support team or contractor accesses customer data over public Wi-Fi or unmanaged home networks, you've moved that data outside the controlled environment your privacy policy describes. Regulators have started asking for technical controls — VPN, ZTNA, device-level encryption — as part of compliance audits.
NordLayer is the data-path layer your banner can't cover
Business VPN with ISO 27001, SOC 2 Type II, and HIPAA-ready controls. Demonstrably secures the route customer data takes after consent is given.
The simplest path to GDPR compliance
For a small or mid-sized website, the realistic compliance path is:
- Install a cookie consent tool (CookieYes or iubenda) — solves requirements #1 and #2
- Generate a privacy policy (iubenda or Termly) — solves requirement #3
- Set up a privacy@ email with a documented 30-day SLA — solves requirement #4
- If you have a distributed team, add a business VPN like NordLayer to demonstrate technical safeguards
This stack takes a couple of hours to set up and costs $10–$50/month in total. It will not give you Meta-level compliance, but it will keep a small business out of regulators' crosshairs.