You don't need to get any certifications to be compliant; it's not like PCI, where you need to be certified by a third party. This site has a simple checklist of what you need to do to be compliant:
https://gdprchecklist.io/
Most of the actions you need to take are just respecting the user's privacy and being explicit about how their data is shared. If you use your laptop in a coffee shop, you wouldn't expect the barista to stand behind you and watch what you are doing, then share that data with their colleagues and suppliers.
I'd say for a small company it's actually easier than for a large company, as you have fewer processes that need to be changed. In my case it was a lot simpler to become compliant with this than with VAT MOSS.
I haven't had any requests for data, so I don't have an automated way to export it yet, but if anyone requests it I can build it quickly.