Skip to Content

The GDPR for Craft Businesses

Affiliate Disclosure: As an Amazon Associate I earn from qualifying purchases. Additionally, I may get commissions for purchases made through other affiliate links in this post.

The GDPR. The internet has been buzzing about it for months now, and it’s been general panic in the last few weeks as more details have emerged. So, let’s look at it today from the perspective of an at home craft business owner.

What is the GDPR?

The GDPR stands for the General Data Protection Regulation, abbreviated GDPR. It’s a new set of laws that take effect May 25th, 2018. This new set of regulations is being enacted in the EU (European Union). However, it is a worldwide measure that all companies that have website visitors, customers, or mailing list subscribers in any country in the EU must abide by. To refresh your memory, the countries in the EU include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

What is the purpose of the GDPR?

The GDPR sets standards for the way personal data is handled by businesses. It’s the first major update to EU privacy laws since the 1990’s. Take a minute and think about life in the 1990’s. Technology has advanced substantially since then, so it’s time that these laws be rewritten.

What is the gist of the GDPR?

Let’s break down some of the important aspects of the GDPR that relate to craft business owners.

  • Yep, it applies to you: If you have any website visitors, track website data, have comments or reviews on your website, offer freebies, run a subscription service, embed content from other websites, have mailing list subscribers, show ads, or collect data of any resident of any of the countries in the EU, the GDPR applies to you. This means that most small business owners across the world fall into this category.
  • Controllers versus Processors: The GDPR sets out two different requirements. The first is for Controllers. A Controller is the person who decides what to do with the data. In contrast, the Processor is a third party company that collects the data and gives it to the Controller. From a craft business perspective, you, as the owner, are the Controller. You might use a Processor like a mailing list provider to get you data.
  • Personal Data: You must keep personal data of others up-to-date and secured.
  • Personal Data Transparency and Consent: You must tell people how you will use the data and what you will do with it. You cannot do things outside of the scope of what you tell people. For example, if you collect personal data (like an email address) to send periodic marketing emails, you must clearly disclose this. You would not be able to then sell your email list to another company, because that is not what purpose you informed individuals of.
  • Proof of Consent: If asked, you must be able to prove you got consent before using the data. For example, I cannot add someone to my mailing list without getting recorded consent. Oh, and no one under the age of 16 can legally provide consent.
  • Don’t collect sensitive data: Sensitive data is considered race, political views, sexual views, criminal data, and so on. For the average craft business owner, there is no reason to collect any of this anyway.
  • Make sure people can understand you: You must use easy to understand, clear language when obtaining consent and being transparent. Hooray for this one! Talk to people in a way that they can understand. If you don’t know what this means, pretend that your 102 year old grandma is reading it. She should be able to quickly understand it. Honestly, most craft business owners do this anyway and don’t hide their policies in complicated legal language.
  • Be able to tell people what data you have collected about them: If someone asks you for the information that you have on hand about them, give it to them in a reasonable time frame. Also, if they want the information deleted, you’d have to delete it and prove it was deleted.
  • Provide clear links to your policies: For example, if you are collecting an email address of an EU resident for the purpose of emailing them a free cut file, also provide them with a link to your privacy policy written in clear language.
  • Ability to opt out: If you use data to shape what users see, they should have the ability to opt out. For the most part, I don’t see this happening as craft business owners.
  • Keep a record of the steps that you’ve taken to address the GDPR: For a craft business owner, this is as simple as a spreadsheet log. On 5/10/18 I updated my website’s privacy policy, on 5/11/18 I updated links in my mailing list, and so on.
  • Data sharing: If you share data with another business, you’ll both need to be clear on what you each do with the data and be sure that your policies are both up-to-date.
  • Use GDPR compliant Processors: If you use 3rd party data collection tools, be sure that you work with ones that are GDPR compliant. I don’t think this is something to worry much about if you are using a large corporation. The fines for GDPR non compliance are hefty, so it’s likely that you’ll see all the corporations comply.
  • Data breaches must be reported: If your small business is hacked, you must report it within 72 hours to GDPR authorities. You also must report the data breach to the people. This is as easy as an email to them.
  • A new board was formed: A board was created within the EU to make sure that companies are following GDPR rules. Each country in the EU has a representative.
  • Fees and Fines: There’s hefty fees and fines up to millions of dollars for not abiding by GDPR rules.

What steps should I take to become GDPR compliant?

Now, this is where the online information gets fuzzy. There is tons of information about what the GDPR rules are, but there is not a lot of information that gives actionable steps. However, you must be compliant by May 25, 2018 with the GDPR. From all the information that I’ve been able to collect, these are the steps I think you should take:

  1. Do more research: In order to get your head wrapped around the GDPR laws, I suggest you do more research on how it applies to your specific craft business situation.
  2. Document as you go: As you research, document what you’ve learned and from where. Document the steps you take along the way and the steps you will need to continue to take.
  3. Audit your business: Do an audit of your craft business and see the different ways that you are collecting personal data about EU members. Actually, I’m pretty sure that other countries are working on their own GDPR-like laws. Best to do an audit of all the ways that you collect, store, and use personal data.
  4. Write a Privacy Policy: Make sure your website has a clear, easy to understand Privacy Policy. Within the Privacy Policy you should lay out why you have it, what you do with it, who has accessed the data, how you store the data, how long you store the data, how they can see the data you’ve stored, how they can delete the data, and how they can contact you.
  5. Use GDPR compliant services: From your website theme to your mailing list, from your stat collector to your marketplace provider use companies and providers that are GDPR compliant.
  6. Double opt in for mailing lists: If you have a mailing list, make sure it is double opt in and that you have a link to your clear privacy policy located at sign up.

What should you not do related to the GDPR?

  1. First, don’t panic. Overall, these laws are a good thing.
  2. Next, don’t do nothing. These laws are serious. While it isn’t fun, it is a part of being a business owner.
  3. Don’t block all the EU countries from your website or mailing list. That’s pretty extreme and a way of hiding from the laws. Instead, get compliant. Like I mentioned above, I’m sure GDPR-like laws are being written for other countries.
  4. Don’t spend a bunch of money. I’m angry at some of the lawyers out there selling huge packages to small business owners – and some bloggers perpetrating these packages. Don’t go out there and spend a few thousand dollars on a compliance kit. Do your own research and work to get compliant before May 25th, 2018. If your business has particular situations that you can’t figure out, consult an attorney before spending thousands of dollars on a ‘compliance kit’.

Remember, I’m not a lawyer or attorney and this isn’t legal information. It’s always best to consult your legal team for help in implementing the GDPR.

Where can I read more about the GDPR?

You can read the full text of the GDPR for more information. I’ll warn you, it is heavily written in legal language. I’d recommend multiple cups of coffee before diving into it! The best translation into plain English I have found online is at this link. Also, this UK based government site has great self directed quizzes and infographics to help you in your research.

As more information becomes available, I’ll continue to add to this post.

Get the information out there – save this post to Pinterest.

The GDPR for Craft Businesses - A good read for Silhouette and Cricut crafters with websites, Shopify stores, and Etsy shops. By


Sunday 13th of May 2018

Thank you for this. I put a simple privacy and use statement on my website a couple of months ago. It looks a little like I may need to add a couple of additional things.


Tuesday 22nd of May 2018

Happy to share!