GDPR sounds like a large corporation problem. It isn't. The General Data Protection Regulation applies to every business that processes personal data — and you do. Customer names, addresses, emails, phone numbers, photos of facades (sometimes with people visible), invoice data. All personal data under the GDPR. I had to work through exactly this question for my own business, K-Werbetechnik in Homburg, Germany. Not what a consultant billing 200 euros per hour tells you — what a sign shop with 5 employees actually needs to do, what the most common traps are, and how to get properly compliant with minimal effort.

A fine of 20,000 euros for a three-person business? Rare. The real risk is the waves of cease-and-desist letters sent by law firms that scan websites for violations. And if a dissatisfied customer complains to the data protection authority, you need to demonstrate compliance. The documentation is the real challenge: not the compliance itself, but proving it.

What GDPR requires from you

1. Record of processing activities

You must document what data you process, why, for how long, and who has access. Sounds complex — it isn't. A simple table is sufficient: "Customer data — Order fulfilment — 10 years (retention obligation) — Owner + Office". Legally mandatory above 250 employees, but data protection authorities recommend it from day one — because in a complaint you must demonstrate what you process. PlotonIQ generates this overview automatically from your settings.

2. Data processing agreement (DPA)

With every cloud provider that processes your data, you need a DPA. That applies to your accounting software, email tool, website hosting, and industry software. PlotonIQ provides a DPA — ask your other providers. Particularly critical: many small tools — Calendly, Notion, Trello — have no GDPR-compliant DPAs or sit on US servers without adequate protection.

3. Privacy policy

Your website and terms of service must state what data you collect and what you do with it. Not "we take data protection seriously" — concretely: which cookies, which analytics, which third parties. A Google Fonts embed without a privacy policy was the subject of cease-and-desist waves in 2022 — the mere fact that the user's IP is transferred to Google was sufficient.

4. Server location

This is where it gets critical for many sign makers. If you use shopVOX (US servers), Trello (US servers), Google Drive (globally distributed), or Dropbox (US servers), your customer data sits in the US. Since the Schrems II ruling of the EU Court of Justice, data transfers to the US are legally problematic — even under the new EU-US Data Privacy Framework, uncertainties remain because US intelligence agencies can demand access to data of American companies under US law, regardless of where the servers are located.

Safest solution: European servers. PlotonIQ runs on Hetzner in Falkenstein, Germany. ISO 27001 certified, TÜV audited. No data transfer to third countries.

5. Encryption

Data must be encrypted in transit (TLS) and at rest (AES-256). Passwords must be hashed (bcrypt, not MD5). PlotonIQ: TLS 1.3 for all connections, AES-256 for stored data, bcrypt for passwords, JWT with refresh token rotation for authentication. That's the technical minimum standard the GDPR calls "appropriate security measures".
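To make the "bcrypt, not MD5" point concrete, here is an added example (not PlotonIQ's code and not from the original article) that contrasts an unsalted MD5 digest with a salted, deliberately slow password hash. It uses scrypt from Python's standard library in place of bcrypt, because bcrypt needs a third-party package; the properties being demonstrated are the same ones bcrypt provides: a random per-user salt, an expensive function, and a constant-time comparison when verifying. The sample password and the storage format are constructed for this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters; n=2**14, r=8, p=1 is the usual setting for interactive logins
# (about 16 MiB of memory per hash, which is what makes bulk guessing expensive).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_store(password: str) -> str:
    """The weak way: an unsalted MD5 digest. Every user with the same password gets the
    same digest, so a leaked table can be attacked with precomputed lookups and is fast
    to brute-force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hash with a fresh random salt and a slow, memory-hard KDF. The result is a single
    self-describing string ("scrypt$n$r$p$salt$digest") so the cost parameters can be
    raised later without breaking existing accounts."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and parameters stored alongside it, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept it
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("MD5, user A: ", md5_store(pw))
    print("MD5, user B: ", md5_store(pw))  # identical: no salt, nothing per user
    a, b = hash_password(pw), hash_password(pw)
    print("scrypt, user A:", a)
    print("scrypt, user B:", b)  # differ: each record carries its own salt
    print("verify correct:", verify_password(pw, a), "| verify wrong:", verify_password("wrong", a))
```

The same structure applies with a real bcrypt library: store the algorithm tag, cost, salt and digest together, and verify by recomputing rather than by decrypting anything.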

6. Retention periods

You may not store data indefinitely. Tax law: 10 years for invoices, 6 years for business correspondence. After that: delete. Site photos: delete after project completion unless the client consents to longer storage (e.g. for your portfolio — obtain separate consent).
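An added example, not part of the original article and not PlotonIQ's implementation, of how the retention rules above can be evaluated automatically instead of by memory. The record categories, the sample records and the way the period is counted (whole calendar years from the record's own date) are assumptions of this example; how the statutory period is actually counted can differ, so confirm it with your tax adviser before automating deletion.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Retention periods named in the text, in years from the record's reference date.
# Assumption: the period is counted from the document date itself.
RETENTION_YEARS = {"invoice": 10, "correspondence": 6}


@dataclass
class Record:
    record_id: str
    category: str                     # "invoice", "correspondence" or "site_photo"
    reference_date: date              # invoice date, date of the letter, or project completion date
    project_completed: bool = False   # only meaningful for site photos
    portfolio_consent: bool = False   # separate consent to keep a photo beyond the project


def add_years(d: date, years: int) -> date:
    """Add whole calendar years; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due_date(rec: Record) -> Optional[date]:
    """Date on which the record must be deleted, or None if no deletion is due by rule."""
    if rec.category == "site_photo":
        if rec.portfolio_consent:
            return None                      # kept under separate consent, not auto-deleted
        return rec.reference_date if rec.project_completed else None
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        # Refuse silently-unknown categories: better to fail loudly than to keep data forever.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return add_years(rec.reference_date, years)


def records_due_for_deletion(records: List[Record], today: date) -> List[str]:
    """IDs of all records whose retention period has expired as of `today`."""
    due = []
    for rec in records:
        d = deletion_due_date(rec)
        if d is not None and d <= today:
            due.append(rec.record_id)
    return due


# Constructed sample data: a mix of records around a fixed "today".
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-2014", "invoice", date(2014, 5, 15)),
    Record("inv-2016", "invoice", date(2016, 5, 15)),
    Record("mail-2018", "correspondence", date(2018, 12, 31)),
    Record("mail-2020", "correspondence", date(2020, 1, 1)),
    Record("photo-a", "site_photo", date(2025, 3, 1), project_completed=True),
    Record("photo-b", "site_photo", date(2025, 3, 1), project_completed=True, portfolio_consent=True),
    Record("photo-c", "site_photo", date(2025, 3, 1), project_completed=False),
]


def sample_run() -> List[str]:
    """Evaluate the constructed sample as of SAMPLE_TODAY."""
    return records_due_for_deletion(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.record_id:10} {rec.category:15} due: {deletion_due_date(rec)}")
    print("delete now:", sample_run())
```

Run nightly, the list returned by `records_due_for_deletion` is the deletion queue; keeping the rule table separate from the data makes it easy to show an auditor which period applied to which category.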

7. Data subject rights

Your customer has the right to access (what data do you hold?), rectification (update address), deletion (erase everything), and data portability (export data). You must respond within 30 days. In PlotonIQ: Customer profile → Export all data or Customer profile → Delete. The system logs the action automatically as evidence.

The most common mistakes in sign shops

WhatsApp for business communication: WhatsApp shares metadata with Meta. Customer phone numbers are transferred to US servers. For business communication, WhatsApp is not GDPR-compliant without a Business API and DPA. This isn't theoretical — in 2023 the Irish Data Protection Commission fined WhatsApp 225 million euros. As a small business you won't face that scale, but the legal exposure remains. Alternative: PlotonIQ customer portal with digital approval and timestamp. The client approves online, you see it instantly — no WhatsApp, no data transfer to the US.

Photos on personal phones: If your installer takes site photos on their private phone, customer data sits on an unmanaged device. If lost or stolen, you have a data breach that you must report to the data protection authority within 72 hours. Solution: take photos directly in the PlotonIQ app — encrypted upload, never stored on the device.

No tracking documentation: Google Analytics, Facebook Pixel, HubSpot — every tool that tracks visitor behaviour requires consent (cookie banner) and documentation. PlotonIQ: no Google Analytics, no tracking pixels, no non-essential cookies.

No access controls: If all employees can see all customer data, that violates the principle of data minimisation. Your apprentice doesn't need access to invoice data. PlotonIQ has role management: installer sees job details, no CRM, no financial data.
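As an added example that covers both the data subject requests in section 7 and the role management just described (example code, not PlotonIQ's implementation and not from the original article), the following models three assumed roles, filters a customer record down to the fields a role may see, and writes an audit entry for every export or erasure attempt, including denied ones, so that the evidence trail exists without anyone remembering to keep it. The customer record, invoice and role names are constructed. Because invoices must be kept for the tax retention period from section 6, the erasure routine removes the profile but keeps the invoice records and records that decision in the audit entry.

```python
import copy
from datetime import datetime, timezone

# Assumed role model: the installer sees job details only, the office handles the CRM
# and data-subject requests, the owner additionally sees financial data.
PERMISSIONS = {
    "installer": {"job:read"},
    "office": {"job:read", "crm:read", "crm:export", "crm:delete"},
    "owner": {"job:read", "crm:read", "crm:export", "crm:delete", "finance:read"},
}

# Which customer fields each permission unlocks.
FIELD_SCOPES = {
    "job:read": {"customer_id", "site_address", "job_notes"},
    "crm:read": {"name", "email", "phone"},
    "finance:read": {"open_invoices_eur"},
}

# Constructed sample data: one customer profile and one invoice referring to it.
SAMPLE_DB = {
    "customers": {
        "c-1001": {
            "customer_id": "c-1001",
            "name": "Example Customer GmbH",
            "email": "info@example.invalid",
            "phone": "+49 0000 000000",
            "site_address": "Example Street 1, 66424 Homburg",
            "job_notes": "Facade sign, 3 m x 0.8 m, install on site",
            "open_invoices_eur": 1490.00,
        }
    },
    "invoices": {"inv-2025-017": {"customer_id": "c-1001", "amount_eur": 1490.00}},
}


class PermissionDenied(Exception):
    pass


def fresh_db():
    """Independent copy of the sample data so every run starts from the same state."""
    return copy.deepcopy(SAMPLE_DB)


def allowed_fields(role):
    fields = set()
    for perm in PERMISSIONS.get(role, set()):  # unknown role -> no permissions at all
        fields |= FIELD_SCOPES.get(perm, set())
    return fields


def view_customer(role, record):
    """Return only the fields this role is allowed to see (least privilege on read)."""
    return {k: v for k, v in record.items() if k in allowed_fields(role)}


def audit(audit_log, actor, role, action, customer_id, outcome, detail=""):
    """Append one evidence entry; the log is append-only and never edited afterwards."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "action": action,
        "customer_id": customer_id, "outcome": outcome, "detail": detail,
    }
    audit_log.append(entry)
    return entry


def _authorise(audit_log, actor, role, action, customer_id, permission):
    if permission not in PERMISSIONS.get(role, set()):
        audit(audit_log, actor, role, action, customer_id, "denied", f"missing {permission}")
        raise PermissionDenied(f"role {role!r} lacks {permission}")


def export_customer(db, audit_log, actor, role, customer_id):
    """Right of access / data portability: hand over everything held about the customer."""
    _authorise(audit_log, actor, role, "export", customer_id, "crm:export")
    profile = dict(db["customers"][customer_id])
    invoices = {k: v for k, v in db["invoices"].items() if v["customer_id"] == customer_id}
    audit(audit_log, actor, role, "export", customer_id, "ok")
    return {"profile": profile, "invoices": invoices}


def delete_customer(db, audit_log, actor, role, customer_id):
    """Right to erasure: remove the profile, keep invoices still under tax retention."""
    _authorise(audit_log, actor, role, "delete", customer_id, "crm:delete")
    del db["customers"][customer_id]
    kept = [k for k, v in db["invoices"].items() if v["customer_id"] == customer_id]
    audit(audit_log, actor, role, "delete", customer_id, "ok",
          f"profile erased; {len(kept)} invoice(s) retained under tax retention period")
    return kept


if __name__ == "__main__":
    db, log = fresh_db(), []
    print("installer sees:", view_customer("installer", db["customers"]["c-1001"]))
    try:
        export_customer(db, log, "installer-1", "installer", "c-1001")
    except PermissionDenied as e:
        print("denied:", e)
    print("office export:", export_customer(db, log, "office-1", "office", "c-1001"))
    print("office delete kept:", delete_customer(db, log, "office-1", "office", "c-1001"))
    for entry in log:
        print(entry)
```

Two design points: the denial is logged before the exception is raised, so a failed attempt leaves the same kind of evidence as a successful one; and the field filter is applied to the data itself rather than hidden in the user interface, so an installer's session cannot reach CRM or financial fields through any screen.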

Real scenario: a data breach and what you do

Scenario: your installer loses their smartphone on site. On the phone are 23 site photos of customer facades, plus their WhatsApp history with you — containing customer names and addresses.

What now? Within 72 hours you must report the breach to the relevant data protection authority if there is a risk to those affected. You must state: what was involved (names, photos), how many people (23 project customers), what measures you've taken (remote wipe if MDM is in place, inform customers), and how you'll prevent similar incidents in future.

With PlotonIQ: photos are never stored on the device, immediately encrypted and uploaded. No data loss from a lost smartphone. The breach doesn't happen in the first place.

10-point compliance checklist

1. Create a record of processing activities — a table is sufficient, PlotonIQ generates it automatically.
2. Sign DPAs with all cloud providers — accounting, email, website hosting, industry software.
3. Privacy policy on your website — specific, not generic. Have a lawyer review it.
4. EU servers — Hetzner, IONOS, Strato: all in Germany. No US tools for customer data.
5. Define retention periods — 10 years for invoices, then delete. PlotonIQ automates this.
6. Check encryption — TLS for transit, AES-256 for stored data.
7. Set up access controls — who sees what? Role management instead of "everything for everyone".
8. Photos only in managed apps — no personal phones for site photos.
9. Replace WhatsApp with professional tools — customer portal with digital approval.
10. Impact assessment for GPS tracking/geofencing — staff location tracking requires informed consent or a works agreement.

Frequently asked questions

Do I need a Data Protection Officer?

As a business with fewer than 20 employees that regularly handles personal data: not legally required, but recommended if you process sensitive data. For a typical sign shop, an external consultant for a one-off review plus a small annual retainer (2 to 4 hours per year) for updates is sufficient.

Can I use photos of facades with people in them?

For internal job processing: yes. For your portfolio or social media: only if individuals are not identifiable, or you have explicit consent. Distant shots in which a person occupies fewer than 5 pixels: generally unproblematic.

What about time tracking and GPS tracking for my installers?

Time tracking is permissible under employment law and unproblematic under data protection law if employees are informed. GPS tracking (continuous location logging during working hours) is permissible with informed consent or a works agreement. PlotonIQ uses geofencing (entering/leaving an area) rather than continuous GPS tracking — less invasive under data protection law.

Do I have to ban WhatsApp entirely?

For business communication with customers: yes, without a Business API and DPA. Personal use on company devices: a policy is recommended. The pragmatic solution: PlotonIQ customer portal for approvals, email for documents, WhatsApp only for informal internal team chat.

Conclusion

GDPR isn't rocket science. With the right software, most of it is handled automatically: encryption, server location, retention periods, access controls. The biggest lever: move away from US tools and WhatsApp, towards a European industry solution where GDPR isn't a feature — it's the architecture. In PlotonIQ, data protection is a design decision, not a feature flag. Start with the 10 points on the checklist — most can be completed in an afternoon.