Company
Date Published
Author: Rian van der Merwe
Word count: 2147
Language: English
Hacker News points: 16

Summary

GDPR is a serious law that applies to any company processing EU citizens' data, regardless of the company's location. Small companies must adapt their Privacy Policy to explicitly indicate what data they collect about users, how it's used, and who has access to it. They also need to obtain explicit consent from customers before collecting personal information. Companies can use Data Processing Addendums (DPAs) and Model Clauses to ensure compliance with GDPR requirements, but these addendums can be expensive and time-consuming to implement. Small companies like the author's must make tough decisions about how to comply, such as not signing other companies' DPAs or not making individual changes to their own DPA. The law also gives users the right to access, export, and delete their data, and companies must respond to such requests within 30 days of receiving them. Overall, GDPR is a significant change for most companies, requiring careful consideration and planning to ensure compliance.