Startup Austria

GDPR for Startups: The Practical Guide

Felix Lenhard

A founder in our program spent three months paralyzed by GDPR. She was afraid to collect email addresses, afraid to send newsletters, afraid to use analytics. Her website had no signup form, no contact form, and no way to track whether anyone was visiting. She was GDPR-compliant in the same way that an empty house is burglary-proof.

GDPR is real and important. But the version of GDPR that lives in most founders’ heads — the version where any misstep leads to millions in fines — is dramatically more terrifying than the practical reality.

The Austrian Data Protection Authority (Datenschutzbehörde) has not fined a small startup into oblivion for having a newsletter signup form. Its headline fines have gone to large organisations for systematic, egregious violations. The distinction matters.

Here is what you actually need to do as a startup. Not the theoretical maximum. The practical minimum that keeps you compliant without killing your business.

The Five Things You Actually Need

1. A privacy policy on your website.

This is a legal page that explains what data you collect, why you collect it, how you use it, and how people can request deletion. Every website needs one.

You do not need a lawyer to write it. Tools like Datenschutz-Generator or iubenda generate a GDPR-compliant privacy policy from a questionnaire about your specific situation; the output is only as accurate as your answers, so list every tool that actually touches personal data. Cost: EUR 0-100/year.

The privacy policy should be linked in your website footer and accessible from any page. Update it when your data practices change.

2. Cookie consent for non-essential cookies.

If your website uses Google Analytics, Facebook Pixel, or any tracking beyond strictly necessary cookies, you need a cookie consent banner. The banner must let visitors accept or reject non-essential cookies, with rejecting as easy as accepting, and the tracking scripts must not load until someone has accepted. A banner that sets the cookies first and asks afterwards does not count.

Use a tool like Cookiebot, CookieYes, or a similar consent management platform. Cost: EUR 0-15/month.

If you only use strictly necessary cookies (session management, security), you do not need a consent banner. Many startups using privacy-focused analytics such as Plausible or Umami, which work without cookies or cross-site identifiers, can operate without a banner entirely. What removes the banner requirement is the absence of non-essential cookies and identifiers, not the fact that a tool is self-hosted, and the analytics still belong in your privacy policy.

3. Consent for email marketing.

To send marketing emails legally in the EU, you need explicit consent. This means: a clear description of what the person is signing up for, an active opt-in (no pre-checked boxes), and a confirmation email (double opt-in is best practice, and it gives you a record that the owner of the address actually agreed).

Every email you send must include an unsubscribe link. When someone unsubscribes, remove them immediately.

Your email marketing system handles most of this automatically. ConvertKit, Mailchimp, and ActiveCampaign all include double opt-in, unsubscribe management, and consent records.

4. Data processing agreements with your tools.

Every tool that processes personal data on your behalf needs a Data Processing Agreement (Auftragsverarbeitervertrag). This includes your email platform, your analytics tool, your CRM, and your cloud storage.

Good news: most SaaS tools have standard DPAs available on their websites. You click “accept” and the agreement is active. This takes about 30 minutes across all your tools. While you are there, note where each tool processes data: a provider outside the EU needs a lawful transfer mechanism (usually standard contractual clauses or an EU-US Data Privacy Framework certification), which the DPA normally references.

5. The ability to respond to data requests.

GDPR gives individuals the right to request their data, request deletion, and request correction. You need to be able to respond within one month of receiving the request (extendable by two further months for complex cases, provided you tell the person why).

For a startup, this is simple: when someone emails asking for their data or asking you to delete it, first check that the request really comes from the person whose data it is (replying to the address you hold on file is usually enough; sending someone's data to an impersonator is itself a breach). Then look them up in every system that holds it, including your email platform, CRM and analytics, export or delete the data, and confirm. You do not need a complex system for this until you are handling thousands of records.
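Here is what the consent handling from point 3 and the request handling from point 5 look like when you write them yourself. This is an added illustration, not code from this article or from any of the email platforms named above. The class and function names, the token format, the 48-hour link expiry and the sample addresses are all assumptions made for the example; records live in memory only, so a real deployment would persist them and actually send the confirmation email.

```python
"""Double opt-in consent log with export and erasure for data-subject requests.

Added illustration for this article, not code from the article or any vendor.
Everything here (names, token format, 48-hour expiry, sample addresses) is an
assumption made for the example; records live in memory only.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Optional

TOKEN_TTL = 48 * 3600  # assumed policy: confirmation links expire after 48 hours


@dataclass
class Subscriber:
    email: str
    status: str                    # "pending", "confirmed" or "unsubscribed"
    signup_at: float
    signup_source: str             # where the form lived, e.g. "website footer form"
    consent_text: str              # the exact wording shown next to the checkbox
    confirmed_at: Optional[float] = None
    unsubscribed_at: Optional[float] = None


class ConsentLog:
    def __init__(self, secret: bytes):
        self._secret = secret      # signs confirmation tokens; keep it out of source control
        self._subs = {}            # email -> Subscriber

    def _token(self, email: str, issued: int) -> str:
        # The HMAC binds the token to one address and one issue time, so a
        # link cannot be forged, guessed or reused for a different subscriber.
        mac = hmac.new(self._secret, f"{email}|{issued}".encode(), hashlib.sha256)
        return f"{issued}.{mac.hexdigest()}"

    def subscribe(self, email, source, consent_text, active_opt_in, now=None):
        """Record a pending signup; returns the token to put in the confirmation mail."""
        if not active_opt_in:
            # A pre-checked box is not consent: refuse unless the user ticked it.
            raise ValueError("explicit opt-in required")
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email not in self._subs or self._subs[email].status != "confirmed":
            self._subs[email] = Subscriber(email, "pending", now, source, consent_text)
        return self._token(email, int(now))

    def confirm(self, email, token, now=None) -> bool:
        """Second step of double opt-in: only a valid, unexpired token confirms."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        sub = self._subs.get(email)
        try:
            issued = int(token.split(".", 1)[0])
        except ValueError:
            return False
        if sub is None or now - issued > TOKEN_TTL:
            return False
        expected = self._token(email, issued)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False                       # constant-time check; tampered link
        if sub.status == "pending":
            sub.status = "confirmed"
            sub.confirmed_at = now
        return sub.status == "confirmed"

    def unsubscribe(self, email, now=None) -> bool:
        now = time.time() if now is None else now
        sub = self._subs.get(email.strip().lower())
        if sub is None:
            return False
        sub.status = "unsubscribed"            # honoured immediately, no grace period
        sub.unsubscribed_at = now
        return True

    def mailing_list(self):
        # Only confirmed addresses ever receive marketing email.
        return sorted(e for e, s in self._subs.items() if s.status == "confirmed")

    def export(self, email):
        # Right of access: everything held about this address, including the
        # consent wording and timestamps that show the signup was lawful.
        sub = self._subs.get(email.strip().lower())
        return None if sub is None else asdict(sub)

    def erase(self, email) -> bool:
        # Right to erasure: drop the record entirely.
        return self._subs.pop(email.strip().lower(), None) is not None


if __name__ == "__main__":
    log = ConsentLog(secrets.token_bytes(32))
    token = log.subscribe("Alice@Example.com", "website footer form",
                          "Send me the weekly newsletter", active_opt_in=True)
    print("before confirmation the list is", log.mailing_list())
    print("confirmed:", log.confirm("alice@example.com", token))
    print("after confirmation the list is", log.mailing_list())
    print("export:", log.export("alice@example.com"))
    print("erased:", log.erase("alice@example.com"), log.export("alice@example.com"))
```

The point of the stored `consent_text`, `signup_source` and timestamps is that an access request or a regulator's question can be answered with evidence rather than memory; the point of the signed, expiring token is that nobody can confirm an address they do not control.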

What You Can Safely Ignore (For Now)

A Data Protection Officer (DPO). Required when your core activity involves large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (health, biometrics and similar). A startup with a newsletter of 500 people does not need a DPO.

A Data Protection Impact Assessment (DPIA). Required for high-risk processing activities like biometric data or large-scale profiling. Not relevant for most startups.

Complex consent management. If you are not running targeted advertising or sharing data with third parties beyond basic analytics and email, your consent needs are straightforward.

Panic about fines. The EUR 20 million figure (or 4% of global annual turnover, whichever is higher) is the statutory maximum, reserved for the most serious violations. Fines are scaled to the nature of the breach and the size of the business, and small businesses that make good-faith efforts at compliance and respond promptly to issues are treated proportionally.

The 2-Hour GDPR Setup

Here is the fastest path to basic compliance:

Hour 1:

  • Generate a privacy policy using Datenschutz-Generator (30 min)
  • Add it to your website footer (5 min)
  • Set up a cookie consent banner if needed (15 min)
  • Ensure your email signup has clear consent language and double opt-in (10 min)

Hour 2:

  • Locate and accept DPAs for your major tools: email platform, analytics, cloud storage, CRM (30 min)
  • Create a simple document listing what personal data you collect, why, where it is stored, and which tools it flows through (15 min). This is the lightweight beginning of the record of processing activities GDPR asks for, and it is the list you will consult when someone asks for their data.
  • Test your unsubscribe link and data deletion process (15 min)

Two hours. Basic GDPR compliance. Now go back to building your business.

Review and update quarterly. As your data practices evolve — new tools, new data types, new markets — your compliance needs to evolve with them.

GDPR is not an obstacle to building a business in the EU. It is a framework for treating customer data with respect. The Austrian startup ecosystem operates within GDPR, and thousands of startups manage compliance without it consuming their operations.

Do the five things. Spend the two hours. Then focus on what actually grows your business: finding customers and serving them well.
