Getting GDPR-compliant
GDPR applies to solos too
Many entrepreneurs believe GDPR only targets large companies. False: the moment you collect an email, a name, an IP address, or a phone number — so from the very first contact form or newsletter — you process personal data and the regulation applies. The good news is that for a small activity, compliance comes down to a few simple moves, set up once. The bad news is that they are almost always postponed, and a visible breach (cookies dropped without consent, missing legal notices) is the easiest thing for a regulator to check.
GDPR doesn't require you to become a lawyer: it requires you to know what data you hold, why, and how someone can retrieve it or have it erased.
The four pillars of compliance
For a small structure, aiming for these four points covers the essentials:
- Cookie consent: a banner that genuinely asks for agreement before dropping marketing trackers, with refusal as easy as acceptance.
- Legal notices and privacy policy: who you are, what data you collect, why, for how long, and how to exercise one's rights.
- Register of processing activities: a maintained list of what you collect and why (mandatory, though small structures may keep a simplified version).
- Data subject rights: being able to respond to a request for access, rectification, or deletion.
Compliance tools
Each pillar has its tools, often affordable or free for a small volume:
| Need | Tools | Indicative price | For whom |
|---|---|---|---|
| Cookie consent banner | Axeptio, Didomi, Tarteaucitron (open source) | free to ~€10-50/month | Any site with analytics/ads |
| Legal notices & privacy policy | generators (Captain Contrat, Legalstart), CNIL templates | free to ~€30 | Websites and apps |
| Register of processing | official CNIL template, spreadsheet, Dastra, Leto | free to paid | Solo to SME |
| Guided compliance | Dastra, Leto, outsourced DPO | ~€30-100/month | Activity handling lots of data |
Practical rule: start with the free CNIL register template and a cookie banner (Axeptio or Tarteaucitron). That's 80% of visible compliance for near-zero cost. Dedicated tools (Dastra, Leto) become useful once you handle lots of sensitive data or several subprocessors.
The CNIL is a resource, not just an enforcer
In France, the CNIL publishes clear guides, register templates, and checklists designed for small businesses. It's the free reference source to consult before buying a tool. Its site also explains when a DPO (data protection officer) becomes mandatory — still rare for a solo, but useful to know so you neither panic needlessly nor wrongly assume you're in the clear.
The "decorative cookie banner" trap
The most common mistake: a banner that informs but blocks nothing — trackers drop before any consent. A compliant banner must genuinely prevent marketing cookies from dropping until the user accepts, and make refusal as easy as acceptance. A decorative banner gives a false impression of compliance while staying exposed: it's worse than no banner, because it signals you knew the rule.
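As an added illustration, not code from the article or from any of the banner tools it names, the snippet below models the difference in JavaScript: a gate that injects the marketing tag only after a recorded "granted", beside the decorative banner that injects it regardless. The storage key, the placeholder tag URL, the two button ids and the injected storage abstraction are assumptions made for this example; a real site would hand the same gate to its banner tool or tag manager.

```javascript
// Added example (not from the article or any vendor's SDK): a minimal consent gate that keeps
// marketing trackers from loading until the visitor explicitly accepts, contrasted with the
// "decorative" banner the text warns about. The storage key, the tag URL, the button ids and
// the storage abstraction are assumptions made for this illustration.

const CONSENT_KEY = "consent.marketing";                              // hypothetical storage key
const MARKETING_TAG_URL = "https://example.invalid/marketing-tag.js"; // placeholder, not a real tag

// Storage is injected so the gate runs against localStorage in a browser and a Map in Node.
function createConsentGate(storage, injectScript) {
  const loaded = [];

  function status() {
    // "unknown" means the visitor has not decided yet: show the banner and drop nothing.
    return storage.get(CONSENT_KEY) || "unknown";
  }

  function loadMarketing() {
    // The gate: without a recorded "granted", no marketing script is ever injected.
    if (status() !== "granted") return false;
    if (!loaded.includes(MARKETING_TAG_URL)) {
      injectScript(MARKETING_TAG_URL);
      loaded.push(MARKETING_TAG_URL);
    }
    return true;
  }

  return {
    status,
    // Accept and decline are symmetric one-step actions: refusal is as easy as acceptance.
    accept() { storage.set(CONSENT_KEY, "granted"); return loadMarketing(); },
    decline() { storage.set(CONSENT_KEY, "denied"); return false; },
    loadMarketing,
    shouldShowBanner: () => status() === "unknown",
    loadedScripts: () => loaded.slice(),
  };
}

// The anti-pattern from the text: a banner is displayed, but the tracker is injected regardless.
function decorativeBanner(injectScript) {
  injectScript(MARKETING_TAG_URL); // drops before any choice is made
  return { bannerText: "We use cookies.", accept() {}, decline() {} };
}

// Simulated page views with an in-memory store, so the difference is checkable offline.
function simulate() {
  const store = new Map();
  const dropped = { compliant: [], decorative: [] };

  const gate = createConsentGate(store, (url) => dropped.compliant.push(url));
  gate.loadMarketing();                 // first page load, no decision yet: nothing drops
  const beforeChoice = dropped.compliant.length;
  gate.decline();
  gate.loadMarketing();                 // a later page view after refusal: still nothing
  const afterDecline = dropped.compliant.length;
  gate.accept();                        // explicit acceptance: the tag is injected once
  const afterAccept = dropped.compliant.length;

  decorativeBanner((url) => dropped.decorative.push(url));
  return { beforeChoice, afterDecline, afterAccept, decorative: dropped.decorative.length };
}

// Browser wiring (skipped under Node): persist the choice in localStorage and inject a real <script>.
if (typeof document !== "undefined") {
  const gate = createConsentGate(
    { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) },
    (url) => { const s = document.createElement("script"); s.src = url; s.async = true; document.head.appendChild(s); }
  );
  gate.loadMarketing(); // honours a previously recorded "granted" on later visits
  // Hook the banner's two buttons (assumed ids); give them equal prominence in the markup.
  document.getElementById("consent-accept")?.addEventListener("click", () => gate.accept());
  document.getElementById("consent-decline")?.addEventListener("click", () => gate.decline());
}
```

The check to run on a real site is the same one `simulate()` performs: open the page in a fresh profile, accept nothing, and confirm in the browser's network and storage panels that no marketing request or cookie appears until the accept button has been clicked.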
AI to understand, rigor to apply
An AI assistant helps demystify GDPR: explaining what a legal basis is, drafting a first privacy policy from your answers, listing the processing activities to record. But compliance is a matter of facts, not text: it's the real use of your tools (analytics, emailing, ad pixel) that determines what you must declare. Use AI to understand and draft, then verify the technical reality of your site.
Key takeaways
GDPR applies from the first email collected, including for a solo, and is easy to check from what is visible (cookies, legal notices). Four pillars are enough: real cookie consent, legal notices and privacy policy, register of processing, and the ability to respond to requests. Equip yourself with the free CNIL templates, a compliant banner (Axeptio, Tarteaucitron) and, if volume requires it, a dedicated tool (Dastra, Leto). One asset remains to protect, intangible but central: your name and your trademark.