Last updated: April 2026

GDPR and Datatilsynet: Checklist for Norwegian Businesses

Legal document with GDPR text and a privacy declaration on a desk

Need a GDPR checklist for your business? GDPR applies to everyone who processes personal data – regardless of size. If you have customers, employees or a website with a contact form, GDPR applies to you. It sounds complex, but for a small business it comes down to a handful of concrete steps. Here is the checklist with everything you actually need to do.

What is personal data?

Personal data is any information that can be linked to an individual. Names, email addresses, phone numbers, IP addresses, customer numbers and photos are all examples. Information that can indirectly identify someone also counts.

Think through what personal data your business collects. Most small businesses process: customer information, employee information, newsletter lists, contact form submissions and website visitor statistics.

The six lawful bases

You may only process personal data if you have a lawful basis. For small businesses the most important ones are:

Consent: The person has said yes. Must be active, informed and withdrawable.
Contract: You need the data to fulfil a contract with the customer (deliver a product, send an invoice).
Legal obligation: The law requires you to store the data (accounting law, tax law).
Legitimate interest: You have a valid reason that outweighs the person's privacy (marketing to existing customers, security).

Datatilsynet explains your obligations in detail and provides templates you can use.

Privacy policy

All businesses with a website need a privacy policy. It must tell visitors:

Who is responsible for the processing (the business's name and contact details).
What data you collect and why.
Which lawful basis you rely on.
Who you share data with (e.g. your accountant, newsletter service).
How long you retain the data.
What rights the data subject has (access, erasure, rectification).

Write it in plain language that people actually understand. Avoid legal jargon. Datatilsynet has templates you can use as a starting point.

Data processing agreement

If you use services that process personal data on your behalf, you need a data processing agreement. Typical data processors for a small business:

Email marketing provider (Mailchimp, Brevo).
Accounting software (Tripletex, Fiken, Visma).
Cloud-based CRM (HubSpot, Salesforce).
Cloud storage (Google Workspace, Microsoft 365).
Web hosting and website provider.

Most major providers have ready-made data processing agreements you can accept in their settings. Make sure the agreement is in place. Without one you are in breach of GDPR.

Rights individuals have

Under GDPR, individuals have clear rights over their own data:

Access: They can request to see what data you hold about them.
Rectification: They can ask for incorrect information to be corrected.
Erasure: They can request that their data be deleted, with some exceptions.
Data portability: They can request their data in a machine-readable format.
Objection: They can object to processing based on legitimate interest.

As a general rule you have 30 days to respond. Have procedures in place to handle such requests, even if they are rare.

Person reading through a rights declaration and data processing agreement in an office

What do you do in the event of a data breach?

A data breach occurs when personal data is accidentally exposed. Someone hacks your email account, an employee sends a customer list to the wrong recipient, or a laptop containing customer data is stolen.

If the breach poses a risk to the affected individuals, you must notify Datatilsynet within 72 hours. If the risk is high, you must also notify the affected individuals directly. The European Commission's GDPR pages provide an overview of the rules that apply throughout the EEA.

Draw up a simple contingency plan: who contacts whom? What is logged? Who is responsible for reporting? This plan does not need to be long. A single A4 page is enough.

Practical steps you can take today

Here is a simple checklist for small businesses:

Map what personal data you process and why.
Write or update your privacy policy on your website.
Check that you have data processing agreements with all providers who handle personal data.
Delete personal data you no longer need.
Ensure consents are documented (newsletters, marketing).
Secure your data with strong passwords, two-factor authentication and encrypted storage.
Set up a simple procedure for handling access requests and data breaches.

You do not need to do everything at once. Start with the most important: privacy policy, data processing agreements and data security. An IT advisor like Datafolka can help you with the technical security measures, so you are better prepared.

What happens if you breach GDPR?

Fines can in theory reach up to 20 million euros. In practice, fines in Norway are much lower, especially for small businesses. Datatilsynet often provides guidance and warnings before issuing fines. But that does not mean you can ignore the rules. Reputational damage and loss of customer trust can be worse than a fine.

The good news: for a small business that gets the basics right, the risk is low. Show that you take privacy seriously. Document what you do. And ask for help when you are unsure.