GDPR applies across the EU and, importantly, extraterritorially — a business based outside the EU that offers goods or services to EU residents, or monitors their behaviour, can still be covered. It's the strictest of the major privacy regimes and the one most businesses selling internationally should design their practices around first.
This is one of the regions we cover in CRM and Website Compliance by Region. This is a practical overview from a CRM and website consulting perspective, not legal advice — confirm specifics with a qualified privacy lawyer for your situation.
The checklist that actually matters
A documented lawful basis for every category of data you hold. Consent, contract necessity, and legitimate interest are the common bases for a small business — pick the right one for each use case and be able to explain it if asked.
Genuine, specific consent for marketing. Pre-ticked boxes and bundled consent ("by using our site you agree to marketing emails") don't meet GDPR's standard. Consent needs to be a clear, separate, opt-in action.
A Data Processing Agreement with your CRM provider. If your CRM vendor processes personal data on your behalf, GDPR requires a DPA governing that relationship. Most established providers offer a standard one — request it if you don't have one on file, and check it before signing with any new vendor.
A working process for data subject requests. Access, correction, deletion, and objection requests need an actual process behind them, with a realistic response timeline your team can meet.
Attention to cross-border data transfers. If your CRM or other tools store EU customer data outside the EU, that transfer needs an appropriate legal mechanism (standard contractual clauses are the common route for smaller businesses). This is easy to overlook when adopting a US-based SaaS tool without checking where the data actually lives.
The most common mistake
Assuming GDPR compliance is primarily about the privacy policy on your website. The policy is the visible part; the substance is in your actual data-handling practices, your vendor agreements, and whether your team can act on a real subject request within the required timeframe. A well-written policy describing practices you don't actually follow is a liability, not a shield.
The honest recommendation
Work through the checklist above once, properly, with the specific tools and vendors you actually use — not a generic template. It's more effort up front than copying a privacy policy, but it's the difference between genuine compliance and a document that looks right until someone tests it.
Frequently asked questions
Does GDPR apply to my business if I'm not based in the EU?
Yes, potentially — GDPR applies extraterritorially to any business that offers goods or services to EU residents or monitors their behaviour, regardless of where the business itself is located.
Do I need a Data Processing Agreement (DPA) with my CRM provider?
Yes — if your CRM vendor processes personal data on your behalf, you need a DPA with them covering how they handle that data. Most established CRM providers offer a standard DPA; request it if you don't already have one on file.
Is this legal advice?
This is a practical overview from a CRM and website consulting perspective, not legal advice — confirm specifics with a qualified privacy lawyer for your situation.
Yash
Founder & Principal Consultant, Ynexgen
Yash leads Ynexgen, helping small and mid-sized businesses turn technology into a stronger foundation for growth — 7+ years across Salesforce CRM, websites, and AI adoption.



