How GDPRWise Works | Updated: 3 May 2026 | 6 min read

5 Steps to Get the Most Out of GDPRWise

Last reviewed 3 May 2026 · GDPRWise legal team

A step-by-step guide for SME owners on how to use GDPRWise effectively, from the AI website scan to a published privacy policy. Five focused steps, plus a note on security and data subject rights.

Key Takeaways
  • The AI website scan does most of the heavy lifting before you answer a single question
  • Refining the customer, staff, and third-party dossiers turns the scan results into your actual processing register
  • Generating and publishing your privacy policy is the visible output, but the dossier underneath is what makes you compliant
  • GDPR also requires documented security and data subject rights handling, so the work does not end at the privacy policy

Why a structured approach helps

GDPR can feel overwhelming when you read the regulation cold: 99 articles, dense legal language, no obvious starting point. GDPRWise removes most of that friction by doing the structural work for you, but you still get the most value when you walk through the platform with a plan.

This is that plan. Five focused steps, plus a sixth note on security and data subject rights. You do not have to do everything in one sitting; pause, reflect, and refine where it makes sense before you press the Generate Privacy Policy button.

If you are an accountant, lawyer, or IT professional offering GDPRWise to clients, we have a separate Reseller Runbook for you.

Step 1 - Run the AI website scan

Start with the scan. This is the entry point that did not exist in earlier versions of GDPRWise and it changes how the rest of your work feels.

The scan visits your website and detects:

  • Cookies and trackers
  • Third-party scripts and embedded services
  • Forms that collect personal data
  • Signals that match your business to a sector foundation

Combined with the sector foundation, the scan pre-populates your dossier so it starts roughly 60 to 70 percent complete. Tools like Google Analytics, Stripe, Mailchimp, or your booking system are recognised automatically and added as processing activities with sensible default purposes, legal bases, and retention periods.

What you should do at this step:

  • Run the scan on your main domain
  • Read through what was detected and added
  • Note anything that looks unfamiliar or unexpected; you will confirm or correct it in the next steps

The scan is not the end of the work; it is the head start.

Step 2 - Refine your customer dossier

Open My Customer Dossier. This is where you list the processes (the interactions with your customers) that involve personal data. The scan and sector foundation have already added the obvious ones; your job is to confirm them and add anything specific to your business.

Why this matters: the customer dossier is what lets you tell your customers, in your privacy policy, exactly what data you use and why. It is also what supervisory authorities ask for first if they ever come knocking.

What we recommend:

  • Open the software you use day to day to serve customers (CRM, invoicing, mailing, booking, support tooling) so you do not overlook anything
  • Confirm the suggested processes apply to you, and remove what does not
  • Use the Consider adding section at the bottom: it lists processes that are common in your sector and that the scan might not have detected
  • Add the legal basis and retention period if not already filled in by the foundation

You are not trying to write a perfect document. You are trying to capture the reality of how your business handles customer data.

Step 3 - Complete your staff dossier

Open My Staff Dossier. This works the same way as the customer dossier, but for the personal data of people working in or for your business: employees, freelancers, contractors, and company officers.

Even if you have no employees on payroll, do not skip this step. The dossier suggests processes around independent contractors, accountants, board members, and other people whose data you handle. It is easy to forget that paying a freelancer also means processing their personal data.

What you should cover here:

  • Payroll and HR systems
  • Recruitment and applications
  • Access control and IT usage (logins, monitoring, devices)
  • CCTV if you use it
  • Contractor and supplier contacts when they involve personal data

The staff dossier produces a separate Staff Privacy Policy that you give to your team, alongside the customer privacy policy that you publish on your website.

Step 4 - Document your third-party data sharing

Open My Third-Party Dossier. Most SME owners share more personal data than they realise: with accountants, lawyers, suppliers, payment providers, hosting companies, email marketing platforms, booking tools, helpdesk software, and so on. Whenever those tools store data on their servers, you are sharing personal data with that third party.

This is another area where the AI scan does work for you. Every cookie, tracker, third-party script, and embedded service the scan detected on your website points to a third party that already receives data from you: Google (Analytics, Maps, reCAPTCHA), Meta (Pixel), Stripe, Mailchimp, Hotjar, your chat widget, your CDN, and so on. GDPRWise pre-fills the third-party dossier with these findings so you do not have to remember every script your developer added to your site.

GDPR requires that:

  • Each instance of sharing personal data is documented
  • Both parties agree to handle the data in a GDPR-compliant way (usually via a data processing agreement, also called a DPA)

What to do here:

  • Review the third parties the scan added from your website (cookies, trackers, embeds, hosted scripts) and confirm they apply
  • Add the off-website third parties the scan cannot see: your accountant, your bank, payroll provider, suppliers, freelancers, and any offline data flows
  • Cross-check against your customer and staff dossiers to make sure every process that involves an external party has its third party listed
  • Where applicable, let GDPRWise send a request to the third party asking them to agree to a standard data sharing agreement; this satisfies the documentation requirement without you having to draft contracts manually

We have a dedicated knowledge base article on managing the third-party dossier; see Managing your Third-Party Dossier.

Step 5 - Generate and publish your privacy policy

Once your three dossiers reflect the reality of what your business actually does, go to the GDPR Documents section and generate your privacy policy. This is the moment the work pays off: a tailored, audit-ready document that mirrors your dossiers exactly.

A few things to know:

  • When you change something in a dossier later, the Generate Privacy Policy button turns orange to remind you that a new version is due. Previous versions are kept for you, one click away.
  • If we update the underlying template because of a regulatory change, we tell you. You decide when to regenerate.
  • We also recommend generating your processing register and walking through it with a colleague to validate accuracy and completeness. If a supervisory authority ever contacts you, this is most likely the first document they will ask for.

Then publish:

  • Place the privacy policy on your website at a stable URL
  • Link to it from your footer, your contact form, your checkout, and your account-creation flow
  • Reference it in your communications so prospective customers can read it before they decide to share data with you

The preview of the document includes guidance on where and how to publish, and a separate article on publishing your privacy policy walks through the practical placement.

A nice optional step: send a short note to your existing customers letting them know you have a new and improved privacy policy. They will appreciate the transparency, and you can always give GDPRWise a small mention.

Step 6 (bonus) - Security and data subject rights

We promised five steps, and steps 1 to 5 cover the documentation side of GDPR. But the regulation also requires two things that documents alone do not solve:

  • Security - your business must actually handle personal data securely. Encryption, access control, secure backups, password hygiene, vendor due diligence. Your generated privacy policy states that your business does these things; make sure that is true.
  • Data subject rights - GDPR gives individuals rights to access, correct, delete, and port their personal data, and to object to certain processing. You need a procedure for handling these requests within the legal time limits.

The GDPRWise dossier and policy capture the commitments. Carrying them out in practice is your responsibility. Our knowledge base covers both areas in depth, and if you would like external help, we are happy to point you to qualified partners.

A quick recap

Step | What you do | Where in GDPRWise
1 | Run the AI website scan | Free Scan / discovery
2 | Refine customer processes | My Customer Dossier
3 | Add staff processes | My Staff Dossier
4 | Document third-party sharing | My Third-Party Dossier
5 | Generate and publish privacy policy | GDPR Documents
6 | Implement security and rights handling | Knowledge base, your operations

You do not have to be perfect on the first pass. Most SME owners come back to their dossiers two or three times in the first month, and that is exactly how the platform is designed to be used. The goal is a dossier that reflects the reality of your business; everything else flows from that.

Start with the scan, the rest follows

Run the free GDPRWise scan in 2 minutes and let the platform pre-populate your dossier. Then walk through the five steps at your own pace.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.