GDPR Compliance Checklist for Small Service Businesses (2026)

Map every processing purpose to lawful basis

Start with a data inventory: customers, prospects, subcontractors, employees. For each, list the lawful basis (contract, legitimate interest, consent) and link the Toolfy object storing proof. Example: SMS reminders rely on legitimate interest; consent for marketing sits in the customer record. Use tags so exports group neatly.

Keep contracts + privacy notices in Toolfy Documents with version history—the BLOG_ENHANCEMENT_SUMMARY.md emphasis on metadata applies to compliance as well.

DSR (data subject request) workflow in Toolfy

When the ICO or a customer requests data deletion/export, create a job named “DSR – <Customer>” and assign tasks: identify records, export CSV, redact, confirm completion. Attach all evidence so you have a single audit trail.

1. Day 0: acknowledge request, log due date (30 days) in the job.
2. Day 1-5: export customer data via Toolfy exports → Customers, Jobs, Payments.
3. Day 6-10: remove marketing tags, update automations, confirm Twilio STOP status (see docs/CHATGPT_APPS.md for header guardrails if you automate).

Retention rules + deletion tasks

Most trade businesses keep invoices for 6 years (HMRC). Marketing consent logs should stick around for at least 2 years after last send. Build Toolfy automations that tag contacts “Archive” when they’re inactive and set a quarterly reminder to delete attachments older than your retention period.