Most small businesses added cookie consent banners in 2018 when GDPR came into force and considered the matter largely resolved. The compliance market has since produced dozens of tools that install in minutes, cost between €0 and €30 per month, and promise to make GDPR manageable. The software adoption happened. The workflows didn't change.
That's phase one of any compliance technology cycle. Companies buy the tool, bolt it onto what they're already doing, and move on. The harder question — what a well-designed compliance workflow actually looks like — gets deferred until something goes wrong.
The interesting question isn't which GDPR tool to buy. It's what the AI parts actually do.
Most compliance tools that market themselves as "AI-powered" are doing one of two things: using machine learning to scan and categorise cookies automatically, or using language models to generate policy documents from a structured questionnaire. Both are useful. Neither is as transformative as the marketing implies. But there are specific tasks where AI genuinely reduces the compliance burden for a small team — and specific tasks where it doesn't, regardless of what the sales deck says.
This guide covers both.
What GDPR Actually Requires a Small Business to Do
GDPR compliance is a data privacy framework, not a software purchase. It requires:
- A lawful basis for processing every category of personal data you hold
- A privacy policy that accurately describes what you collect, why, how long you keep it, and who you share it with
- Cookie consent (for websites using non-essential cookies) that is informed, specific, and revocable
- A process for Data Subject Access Requests — individuals have the right to access, correct, or delete their data, and you must respond within one month (extendable to three months for complex or numerous requests)
- Data breach notification procedures
- Vendor agreements (Data Processing Agreements) with any third-party processors
For a 5-person software company or online retailer, this is manageable. Most of it is documentation and process, not technology. The compliance tools automate the most repetitive parts — the cookie banner, the policy drafts, the DSAR routing — but the underlying decisions remain human.
Where AI Specifically Adds Value
1. Drafting Privacy Policies and Legal Documents
This is where large language models are genuinely useful for small businesses without in-house legal counsel. Using AI for policy writing has become a standard first step for founders who can't afford a lawyer for every document.
A practical Claude workflow for a first-draft privacy policy:
Prompt template:
I run a [type of business]. We collect the following personal data:
- [list data types: email, name, IP address, payment info, etc.]
We use: [list tools: Stripe, Mailchimp, Google Analytics, etc.]
We are based in [country] and primarily serve customers in [regions].
Generate a GDPR-compliant privacy policy that covers:
- Categories of data collected and lawful basis for each
- Data retention periods
- Third-party processors
- Data subject rights (access, erasure, portability, objection)
- Contact information for data requests
- Cookie usage
The output will be structurally correct and cover the required GDPR disclosures. It will not be customised to your specific legal risk profile. Have a lawyer or privacy consultant review it before publishing. Market rates for a basic GDPR document review from a specialist privacy firm typically run £200–£500 — considerably less than having the documents drafted from scratch.
ChatGPT produces comparable output. Neither Claude nor ChatGPT tracks regulatory updates automatically, so you'll need to review the policy when EU guidance changes.
2. DSAR Response Drafting
A Data Subject Access Request requires you to compile all personal data you hold on an individual and send it within one month. For complex or numerous requests, Art. 12(3) GDPR allows a two-month extension — but you must notify the individual within the first month. For a small business, the data gathering is manual — pull from your CRM, email platform, payment processor, and database — but the response letter follows a predictable format.
Claude can draft the response letter once you have the data:
I need to respond to a DSAR. The individual requested access to all personal
data we hold on them. I have gathered the following data from our systems:
[paste data summary]. Draft a compliant GDPR DSAR response letter that
covers the data we hold, explains our retention policy, confirms their
rights, and our contact details for follow-up.
This saves 30–60 minutes per DSAR in document preparation. The data retrieval remains a manual process. Full DSAR automation — where the system queries connected databases and generates the package automatically — requires a purpose-built platform. That level of automation is priced for mid-market companies, not small businesses.
3. Cookie Scanning and Classification
Modern cookie consent tools use machine learning to automatically scan pages, identify trackers, and classify them by purpose (strictly necessary, functional, analytics, marketing). This was previously a manual audit every time a developer added a new script. Automated scanning removes that bottleneck.
Cookiebot and Termly both do this out of the box. It is the most practically useful "AI" feature in consumer-grade compliance tools.
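What the classification step looks like in practice, as an added illustration that is not Cookiebot's or Termly's code: a scan result is matched against a table of known cookie names and grouped into the four banner categories, and anything the table does not recognise is treated as needing consent and queued for a human decision. The rule table and the sample scan are constructed for this example; the commercial scanners maintain a much larger curated repository.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # domain that set the cookie
    first_party: bool  # set by the site itself rather than an embedded third party


# Constructed rule table (name pattern -> purpose). Illustration only.
RULES = [
    (re.compile(r"^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|__Host-|__Secure-)"), "strictly_necessary"),
    (re.compile(r"^(lang|locale|theme|wp-settings)"), "functional"),
    (re.compile(r"^_ga|^_gid$|^_gat"), "analytics"),
    (re.compile(r"^(_fbp|_fbc|fr|IDE|test_cookie)$"), "marketing"),
]


def classify(cookie: Cookie) -> str:
    """Map a cookie to a banner category by name; unknown names are not guessed."""
    for pattern, purpose in RULES:
        if pattern.search(cookie.name):
            return purpose
    # Safe default: anything unrecognised is assumed to need consent and is
    # flagged for manual categorisation before the banner goes live.
    return "unclassified"


def requires_consent(cookie: Cookie) -> bool:
    """Only strictly necessary cookies may be set before the visitor consents."""
    return classify(cookie) != "strictly_necessary"


def banner_summary(cookies):
    """Group a scan result by purpose: {purpose: [cookie names]}."""
    groups = defaultdict(list)
    for c in cookies:
        groups[classify(c)].append(c.name)
    return dict(groups)


def review_queue(cookies):
    """Cookies that still need a human decision (and a consent default of 'off')."""
    return [c for c in cookies if classify(c) == "unclassified"]


# Constructed scan of a small shop's checkout page.
SAMPLE_SCAN = [
    Cookie("PHPSESSID", "shop.example", True),
    Cookie("csrftoken", "shop.example", True),
    Cookie("_ga", "shop.example", True),
    Cookie("_ga_1A2B3C", "shop.example", True),
    Cookie("_fbp", "shop.example", True),
    Cookie("IDE", "doubleclick.net", False),
    Cookie("ab_variant", "cdn.partner.example", False),  # not in the rule table
]

if __name__ == "__main__":
    for purpose, names in sorted(banner_summary(SAMPLE_SCAN).items()):
        print(f"{purpose:20s} {', '.join(names)}")
    print("needs review:", [c.name for c in review_queue(SAMPLE_SCAN)])
```

The design choice worth copying is the default for unknown cookies: a scanner that silently files an unrecognised tracker under "functional" produces a banner that looks compliant while setting a marketing cookie without consent. Unknown means "needs consent and needs a person to look at it", never "probably fine".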
GDPR Compliance Tools: Comparison Table
| Tool | Price | Best For | Limitation |
|---|---|---|---|
| Claude / ChatGPT | Free | Policy drafts, DSAR response letters | No automation, requires human data gathering |
| Termly | Free – $14/mo | Policy generation + cookie consent for 1–2 sites | Limited to one policy free; consent analytics on paid |
| Cookiebot | €7 – €90/mo | Cookie consent management at scale | Per-domain pricing adds up across multiple sites |
| Osano | $119/mo (Basic) | Consent + vendor monitoring in one platform | Minimum plan price; overkill for very small teams |
| DataGrail | Custom (enterprise) | Full DSAR automation across SaaS stack | Not SMB-priced; built for companies with 500+ employees |
| OneTrust | Custom (enterprise) | Comprehensive privacy programme management | Enterprise complexity and cost; not relevant for SMBs |
Tool Breakdown
Claude and ChatGPT (Free)
The case for using AI writing tools for GDPR documents is simple: the documents are long, templated, and follow a predictable structure. LLMs are good at exactly that category of work.
What they produce: privacy policies, cookie policies, data processing agreements, internal data handling procedures, DSAR response letters, data breach notification drafts.
What they don't produce: legal advice, jurisdiction-specific compliance assessments, or automatic updates when regulation changes. The AI for compliance tools landscape has moved quickly, but AI writing tools remain drafting assistants, not compliance programmes.
Practical use: start with a Claude draft, send it to a privacy lawyer for a one-hour review, publish. Revisit annually or when you add new data processing activities.
Termly (Free – $14/month)
Termly's free plan generates one legal policy (privacy policy, terms of service, cookie policy, or refund policy) and provides consent management for one website. For a solo founder or micro-business with a single site, that covers the basics.
The paid Starter plan at $14/month removes the one-policy limit and adds consent analytics. It uses AI assist to pre-fill policy fields based on your website URL and business type, then lets you edit before publishing. The scan detects cookies and trackers automatically.
Where it fits: very small businesses and freelancers who need a compliant policy and basic cookie consent banner, and don't want to manage multiple tools. The AI generation is pragmatic: a structured form with LLM-assisted completion, which is an accurate description of what this whole category of tool provides.
Limitation: Termly's compliance coverage is primarily US-focused in structure. GDPR is supported, but verify specific EU requirements against your local DPA guidance.
Cookiebot (€7 – €90/month per domain)
Cookiebot is specifically a Consent Management Platform — it handles cookie consent, not broader GDPR compliance. It automatically scans pages for trackers, classifies them, and manages consent state in line with GDPR and CCPA requirements. It integrates with Google Consent Mode v2, which is relevant for Google Analytics and Google Ads users.
Pricing scales by domain and page count:
- Essential: €7/month (1 domain, up to 100 pages)
- Plus: €15/month (1 domain, up to 500 pages)
- Pro: €30/month (1 domain, unlimited pages)
- Business: €90/month (5 domains, unlimited pages)
The automatic scanning is its strongest feature — it runs on every page crawl and updates the consent banner as new cookies are detected. Manual cookie audits are a maintenance burden that Cookiebot largely eliminates.
For e-commerce sites with Google Analytics, Cookiebot is close to a default recommendation. The cookie consent management is solid and the Google Consent Mode integration is necessary if you run Google Ads. It doesn't cover DSAR management, privacy policies, or vendor agreements — it's a single-purpose tool that does one thing well.
Osano ($119/month, Basic plan)
Osano combines cookie consent management with vendor privacy monitoring — it maintains a database of third-party vendor privacy assessments, so you can check whether a tool you're considering has known privacy issues before adding it to your stack.
For a small business, the $119/month minimum is the relevant constraint. That price point makes Osano better suited to companies with 20+ employees and a meaningful SaaS stack to monitor, where the vendor assessment feature earns its cost. For a 5-person team using 10 tools, you can perform vendor due diligence manually using GDPR-specific questions and published DPAs without a subscription.
The consent management is comparable to Cookiebot in functionality. The differentiator is the vendor intelligence layer, which is genuinely useful if you regularly evaluate new software and want a shortcut to privacy assessments.
DataGrail (Custom pricing, enterprise)
DataGrail automates the data retrieval part of DSAR processing — the step that, for larger organisations, requires querying 30–50 connected systems (Salesforce, HubSpot, Workday, data warehouses) to compile what data exists per individual. It generates a live data map across connected systems and uses that map to fulfil access, deletion, and portability requests automatically.
According to DataGrail's published research, manual DSAR processing costs approximately $1,524 per request in staff time. At the volume mid-market companies receive (50–200 DSARs per month), the automation has obvious ROI.
For small businesses receiving fewer than five DSARs per month, the economics don't work. DataGrail's pricing is custom and primarily targets companies with 500+ employees and a complex SaaS stack. Handling DSARs manually with Claude-drafted response letters is the appropriate approach at SMB scale.
OneTrust (Enterprise — reference only)
OneTrust is the market-leading privacy programme management platform. It handles consent, DSAR, data mapping, vendor assessments, and policy management in an integrated suite. It is priced accordingly. For a small business, it is irrelevant as a purchase decision, but relevant to understand: if a large enterprise you work with sends you a data processing agreement or requests a privacy programme assessment, they are likely using OneTrust or a similar enterprise platform.
The AI regulatory compliance monitoring space that OneTrust occupies is genuinely complex — tracking regulatory changes across jurisdictions, maintaining audit trails, managing hundreds of vendor agreements. That complexity is appropriate at scale. At SMB scale, it's overhead.
What AI Still Can't Do
Two categories of GDPR work remain outside what current AI tools handle well:
Legal judgment on edge cases. GDPR is a principles-based regulation, which means many compliance decisions involve judgment calls — whether a specific processing activity has a legitimate interest basis, whether consent is specific enough, whether a data transfer mechanism is adequate. AI tools can describe the regulation. They cannot apply legal judgment to your specific facts. When the stakes are meaningful (a client contract involving EU data, a complaint from a data subject, a DPA investigation), a lawyer matters.
Accountability and liability. GDPR makes organisations — and in some cases individual executives — personally accountable for compliance failures. An AI tool that generates a policy doesn't share that accountability. This is not a limitation of AI specifically; it's a feature of how legal accountability works. The tool is a shortcut for document generation, not a transfer of legal responsibility.
A Practical Framework for Small Business GDPR
The decision path isn't which tool to buy. It's sequencing the work correctly:
Step 1 — Map your data processing. Before any tool, list what personal data you collect, why, where you store it, and who has access. This can be done in a spreadsheet. Claude can help structure it given a description of your business.
Step 2 — Generate and review your policy documents. Use Claude or Termly for drafts. Spend £200–£500 on a one-hour legal review before publishing. This is cheaper than the cost of a complaint.
Step 3 — Install cookie consent. Cookiebot (€7–€15/month) is appropriate for most single-site businesses. Termly's free tier covers the basics if budget is the constraint.
Step 4 — Build a DSAR process. Document the steps, designate who handles requests, and create a Claude prompt template for response drafting. You don't need software for this at SMB scale.
Step 5 — Vendor agreements. Ensure you have a Data Processing Agreement with any third-party processor that handles EU personal data (cloud storage, email platform, analytics tools). Most major vendors publish standard DPAs. AI for contract management tools can help extract key terms for review.
Step 6 — Annual review. Set a calendar reminder. Regulations change, your stack changes, your data processing changes. The policy document you generated in year one will be wrong by year three if you don't update it.
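The DSAR timeline described in section 2 (one month, extendable by two under Art. 12(3) only if the individual is told within the first month) and the "document the steps, designate who handles requests" part of Step 4 can be captured in a small register. The following is an added example, not part of the original guide or of any vendor's product. It assumes the clock starts on the day the request is received, that "one month" means the corresponding calendar date in the following month (or the last day of that month when no such date exists), and it does not adjust for weekends or public holidays; the register entries are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later, clamped to the month end
    (31 Jan + 1 month -> 28/29 Feb). Assumed convention, see lead-in."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Dsar:
    ref: str                                    # internal reference
    received: date                              # day the request arrived
    handler: str                                # designated person (Step 4)
    extended: bool = False                      # Art. 12(3) extension invoked?
    extension_notified: Optional[date] = None   # day the individual was told
    closed: Optional[date] = None               # day the response was sent

    def initial_deadline(self) -> date:
        return add_months(self.received, 1)

    def extension_is_valid(self) -> bool:
        """An extension only counts if the individual was notified within the first month."""
        if not self.extended:
            return True
        return (self.extension_notified is not None
                and self.extension_notified <= self.initial_deadline())

    def response_deadline(self) -> date:
        # Two further months on top of the first, but only for a validly notified extension;
        # a late notification silently leaves the original one-month deadline in force.
        if self.extended and self.extension_is_valid():
            return add_months(self.received, 3)
        return self.initial_deadline()

    def status(self, today: date) -> str:
        if self.closed is not None:
            return "closed"
        due = self.response_deadline()
        if today > due:
            return "overdue"
        if (due - today).days <= 7:
            return "due within 7 days"
        return "on track"


def register_report(register, today: date):
    """(ref, handler, deadline, status) for every open request, earliest deadline first."""
    rows = [(r.ref, r.handler, r.response_deadline().isoformat(), r.status(today))
            for r in register if r.closed is None]
    return sorted(rows, key=lambda row: row[2])


# Constructed register entries.
SAMPLE_REGISTER = [
    Dsar("DSAR-001", date(2024, 1, 31), "Alex"),                  # due 29 Feb 2024 (leap-year clamp)
    Dsar("DSAR-002", date(2024, 1, 15), "Sam", extended=True,
         extension_notified=date(2024, 2, 10)),                   # notified in time: due 15 Apr
    Dsar("DSAR-003", date(2024, 1, 15), "Sam", extended=True,
         extension_notified=date(2024, 2, 20)),                   # notified too late: still due 15 Feb
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER, date(2024, 2, 1)):
        print(*row)
```

The third entry is the failure mode worth tracking: invoking the extension after the first month has passed does not move the deadline, so the register must treat the notification date, not the decision to extend, as the thing that changes the due date.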
The Honest Assessment
GDPR compliance for small businesses is more tractable than the compliance software market implies. The tools that exist are useful for specific, narrow tasks: cookie banners, policy drafts, consent management. The AI features in consumer-grade tools are mostly auto-classification and pre-filled forms — useful, but not transformative.
The genuine AI opportunity is in document generation: privacy policies, DSAR response letters, DPA summaries, internal data handling procedures. A well-structured Claude prompt produces a useful first draft in minutes. The gap remains human review — which can be minimised but not eliminated.
For a 5-person company: Termly free or Cookiebot Essential plus a one-off legal review gets you to a defensible position. For a 20-person company starting to handle significant customer data: Cookiebot or Osano for consent management, plus a privacy consultant for an annual review, covers the risk.
What AI tools will not do is make the judgment calls, bear the accountability, or keep your policy current without prompting. That part remains yours.
For a broader view of how AI tools handle regulatory compliance beyond GDPR, see our guide to AI regulatory compliance monitoring.
Originally published on Superdots.