Work Smarter – Not Harder

Data Privacy and GDPR for small businesses and freelancers outside the EU

Many are talking about it – and no-one seems to know exactly what it is all about: the EU General Data Protection Regulation (GDPR) is causing uncertainty inside and outside the European Union. Read on and learn how the GDPR affects you as a small business, start-up or self-employed person – and what you need to do about it.

The good news first: in terms of its content, the new law is not that new. What is new are, above all, the sanctions for not taking it seriously. The bad news? **If you’re like the majority of small businesses, you probably need to take action. Now.** But let’s start from the beginning.

Data privacy taken seriously

“The protection of natural persons in relation to the processing of personal data is a fundamental right.”

Thus begins the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which entered into force in 2016 and (after two corrections) has been applicable since 25 May 2018. A good thing from the consumer’s point of view – because we all regain control of our data. For entrepreneurs, however, personal data provides access to valuable marketing insights and effective personalized promotions; they might even be part of your company’s success. Do you have to do without it altogether? The answer is very clear: Yes and No.

Personal data and their use in accordance with the GDPR

GDPR is a good thing from the consumer’s point of view: we all regain control of our data.  (Photo by gpointstudio |

Of course, it is not prohibited to collect personal data in the future – but only if your EU customers (and in this case this includes every single visitor to your website) are fully informed about what you are doing with this data. What is stored, where and for how long? If you use this information for marketing purposes, you must obtain active consent from your users. And if you want to send out a marketing newsletter, the addressees must have verifiably consented to this use. How to do that? Read on.

How to become GDPR compliant

Basically, the GDPR affects all companies outside the EU (in Switzerland, for example) that offer services or goods to private individuals in the EU – and thus a very large part of the digital economy. From individual businesses to large corporations, commercial or non-profit, whether a visitor to your website buys something or not: as soon as someone visits your website from the European Union, the GDPR takes effect.

Step 1: Data Privacy Check

As soon as someone visits your website from the European Union, the GDPR takes effect. (Photo by Redpixel |

“First, I recommend conducting a data privacy check: Which data processing takes place in the company, how and by whom data is stored”, advises Paul-Lukas Good, expert for data protection at Good & Partner Rechtsanwälte in Switzerland. Do you store address data locally on your computer in an Excel file, do you use a Rolodex for your customer addresses or do you work from the cloud? Go through your company’s processes step by step and note which data is collected and where it is stored.

Step 2: Inform your “data subject”

“Then it is important to disclose the data processing – in the privacy policy on a website or in an app, or by adding relevant clauses to contracts on paper”, Paul-Lukas Good continues. According to Article 13 of the GDPR, it is your duty to provide information “where personal data are collected from the data subject”. Among other things, you need to state the following points:

  • The identity and the contact details of the controller and, where applicable, of the controller’s representative
  • Purposes and legal basis of the processing of personal data
  • Where appropriate, the recipients or categories of recipients of personal data
  • The period for which you will store the personal data; if this is not possible, the criteria for determining this period

In addition, you must inform the data subjects of their rights and guarantee, at all times, their rights to information, correction, deletion and restriction of the processing of their personal data. Not an easy task – especially if you work with third-party plug-ins.

Step 3: Check your cookies, plugins & tools

“Even with Facebook’s Like button, you have to ask yourself whether data processing will still be permitted,” warns Good, “because this is in fact a direct line from your website to Facebook.” According to said Article 13, you would have to explain exactly what Facebook does with the data of its linking users – and as long as you do not receive this information from Facebook, you cannot fully comply with the new regulations. Tools such as Google Analytics offer the possibility of adjusting and anonymizing data usage as required – “although it remains questionable how anonymized these data actually are,” says Good.

As long as you do not receive enough information from third party providers, you cannot fully comply with the regulations. (Photo by Matthew Henry | Unsplash)

In most cases, data traces are recorded in the form of cookies – and then a cookie consent banner is required. A tool like Cookie Bot shows how it’s ideally done: a detailed explanation that allows the user to deselect data collection for preferences and statistics – and to actively select usage for marketing purposes. Because when it comes to marketing, only the opt-in principle applies. Whether someone will tick this last checkbox, and what this means for the future of personalized marketing, remains to be seen.

Step 4: Create a Double-Opt-In Newsletter

The collection of data is one thing; their use for marketing purposes another. Whether you may use an e-mail address from your database for sending a marketing newsletter depends on whether you have verifiably obtained the user’s consent. In most cases, “Double-Opt-In” means that a user confirms his e-mail address via a registration link that he receives after registering for the newsletter. This applies not only to new registrations, but to your entire existing mailing list – and, unfortunately, there’s no getting around it.
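What a verifiable double opt-in looks like in code, as an added example that is not from the original post or from zistemo: the confirmation link carries an HMAC-signed token bound to the address and its issue time, and every request, confirmation and withdrawal is written to a consent log, so that “may I send marketing to this address?” is answered from recorded evidence rather than from the mere presence of the address in a database. The key, the 48-hour expiry and all names are assumptions.

```python
import hashlib
import hmac

# Constructed example secret: load it from configuration in practice, never hard-code it.
SECRET_KEY = b"example-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after two days

def make_token(email, issued_at):
    # Binds address and issue time to an HMAC, so the link cannot be forged or reused for another address.
    payload = f"{email}|{issued_at}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_token(token, now):
    # Returns the email if the token is authentic and unexpired, otherwise None.
    try:
        email, issued_str, sig = token.rsplit("|", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    fresh = issued_at <= now <= issued_at + TOKEN_TTL_SECONDS
    return email if hmac.compare_digest(sig, expected) and fresh else None

class NewsletterList:
    def __init__(self):
        self.events = {}  # email -> list of consent events; this log is the evidence you keep

    def _log(self, email, event, now):
        self.events.setdefault(email, []).append({"event": event, "at": now})

    def register(self, email, now):
        self._log(email, "requested", now)  # first opt-in: the sign-up itself
        return make_token(email, now)  # goes into the confirmation e-mail

    def confirm(self, token, now):
        # Second opt-in: only an authentic, unexpired token turns the request into consent.
        email = verify_token(token, now)
        if email is None:
            return False
        self._log(email, "confirmed", now)
        return True

    def withdraw(self, email, now):
        self._log(email, "withdrawn", now)  # consent can be withdrawn at any time; history is kept

    def may_send_marketing(self, email):
        # Permitted only while the latest confirm/withdraw event is a confirmation.
        decisive = [e for e in self.events.get(email, []) if e["event"] != "requested"]
        return bool(decisive) and decisive[-1]["event"] == "confirmed"
```

Applied to an existing list, every address without a "confirmed" event is one you still have to re-confirm before the next marketing send.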

GDPR outside the EU

With digital businesses working all over the globe, the GDPR will have worldwide consequences. As a zistemo user, for example, you store your customers’ billing information on your zistemo account in our cloud – which in fact is located on secure servers in Switzerland. The best way to find out what this means for you is to visit our very own privacy center. “The exciting thing about GDPR is the interface between law and technology: it is not enough to create legally perfect general terms and conditions – technical implementation must be guaranteed,” concludes Good.

We at zistemo believe in protecting our users’ data, and have done so from the beginning. That’s why you’ll always be in control of your data – and benefit from the advantages of a comprehensive cloud application.

Wait, what? You’re not a zistemo user yet? Try us out! Free of charge and without any obligations. And yes: we are fully GDPR-compliant.
