GDPR sounds like a big-company problem. It isn't. The General Data Protection Regulation applies to every business that processes personal data — and you do. Customer names, addresses, emails, phone numbers, photos of facades (sometimes with people visible), invoice data. All personal data.

What GDPR requires

1. Record of processing activities

You must document what data you process, why, how long, and who has access. A simple table is sufficient: "Customer data — Order fulfillment — 10 years (retention obligation) — Owner + Office".

2. Data processing agreement (DPA)

With every cloud provider that processes your data, you need a DPA. Your accounting software, email tool, website hosting, and industry software. PlotonIQ provides a DPA — ask your other providers.

3. Server location

This is where it gets critical. If you use shopVOX (US servers), Trello (US servers), or Google Drive (globally distributed), your customer data sits in the US. Since the Schrems II ruling, data transfers to the US are legally problematic.

Safest solution: European servers. PlotonIQ runs on Hetzner in Falkenstein, Germany. ISO 27001 certified. No data transfer to third countries.

4. Encryption

Data must be encrypted in transit (TLS) and at rest (AES-256). Passwords must be hashed (bcrypt, not MD5). PlotonIQ: TLS 1.3, AES-256, bcrypt, JWT with refresh token rotation.

5. Retention periods

You may not store data forever. Tax law: 10 years for invoices, 6 years for business correspondence. After that: delete. Site photos: delete after project completion unless the client consents to longer storage.
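As an added example (not PlotonIQ's code), a small retention-policy check that applies the periods above to a batch of records and reports which ones are due for deletion; the category names, the 365-day year approximation, the audit date and the sample records are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention rules as stated in the article: invoices 10 years, business
# correspondence 6 years, site photos only until project completion unless
# the client consented to longer storage. A "year" is approximated as
# 365 days here (assumption of this example, not a legal definition).
RETENTION_YEARS = {"invoice": 10, "correspondence": 6}
AUDIT_DATE = date(2024, 12, 31)  # constructed reference date for the run


@dataclass
class Record:
    record_id: str
    category: str                    # "invoice", "correspondence" or "site_photo"
    created: date
    project_completed: bool = False  # only meaningful for site photos
    client_consent: bool = False     # client agreed to longer storage of photos


def is_due_for_deletion(rec: Record, today: date) -> bool:
    """Return True when the record has exceeded its retention period."""
    if rec.category == "site_photo":
        # Photos are tied to the project, not to a fixed period.
        return rec.project_completed and not rec.client_consent
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        # Unknown category: fail loudly instead of silently retaining forever.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return today - rec.created > timedelta(days=365 * years)


def deletion_candidates(records, today):
    """IDs of all records that must be deleted as of `today`."""
    return [r.record_id for r in records if is_due_for_deletion(r, today)]


# Constructed sample data, not real customer records.
SAMPLE = [
    Record("inv-1", "invoice", date(2013, 3, 1)),
    Record("inv-2", "invoice", date(2020, 3, 1)),
    Record("mail-1", "correspondence", date(2017, 1, 15)),
    Record("mail-2", "correspondence", date(2022, 6, 1)),
    Record("photo-1", "site_photo", date(2024, 5, 2), project_completed=True),
    Record("photo-2", "site_photo", date(2024, 5, 2), project_completed=True, client_consent=True),
    Record("photo-3", "site_photo", date(2024, 5, 2), project_completed=False),
]

if __name__ == "__main__":
    print(deletion_candidates(SAMPLE, AUDIT_DATE))  # ['inv-1', 'mail-1', 'photo-1']
```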

6. Data subject rights

Your customer has the right to access, rectification, deletion, and data portability. You must respond within 30 days.

Common mistakes in sign shops

WhatsApp for business: WhatsApp shares metadata with Meta. Customer phone numbers are transferred to US servers. Not GDPR-compliant without Business API and DPA. Alternative: PlotonIQ customer portal with digital approval and timestamp.

Photos on personal phones: If your installer takes site photos on their private phone, customer data sits on an unmanaged device. Solution: take photos directly in the PlotonIQ app — encrypted upload, never stored on device.

No tracking documentation: Google Analytics, Facebook Pixel — every tracking tool needs consent and documentation. PlotonIQ: no Google Analytics, no tracking pixels, no non-essential cookies.

10-point checklist

1. Create a record of processing activities.
2. Sign DPAs with all cloud providers.
3. Privacy policy on the website.
4. EU servers.
5. Define retention periods.
6. Check encryption.
7. Access controls (who sees what).
8. Photos only in managed apps.
9. Replace WhatsApp with professional tools.
10. Impact assessment for GPS tracking/geofencing.

Conclusion

GDPR isn't rocket science. With the right software, most of it is automatic: encryption, server location, retention periods, access controls. The biggest lever: away from US tools and WhatsApp, towards a European industry solution where GDPR isn't a feature — it's the standard.