GDPR for Small Business: Compliance Checklist — Privacy Tech EU
The General Data Protection Regulation applies to virtually every business that processes personal data about EU residents — regardless of company size. For small and medium-sized enterprises, navigating the regulation’s requirements can appear daunting, but a structured approach makes compliance achievable without specialist legal teams.
This checklist covers the core obligations most SMEs face.
1. Understand What Personal Data You Process
The first step is identifying what personal data your business collects, stores or uses. Personal data is any information that can identify a living individual — names, email addresses, IP addresses, phone numbers, location data and even cookie identifiers all qualify.
Create a data inventory, usually called a Record of Processing Activities (ROPA). GDPR Article 30 formally requires one of organisations with 250 or more employees, but the exemption for smaller organisations is narrow: it does not apply where the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data, so most SMEs need a ROPA anyway, and the exercise is useful regardless. Document:
- What data you collect
- Why you collect it (the purpose)
- Where you store it
- Who has access
- How long you keep it
2. Identify Your Legal Basis for Each Processing Activity
Every time you process personal data, you need a lawful basis under Article 6 GDPR. The six available bases are:
- Consent — the individual has given clear, freely given, specific, informed consent
- Contract — processing is necessary to fulfil or enter into a contract with the individual
- Legal obligation — you must process data to comply with a legal requirement
- Vital interests — necessary to protect someone’s life
- Public task — processing necessary for a task carried out in the public interest or under official authority, in practice mainly public bodies
- Legitimate interests — processing necessary for your (or a third party's) legitimate interests, where those interests are not overridden by the individual's interests, rights and freedoms; a documented balancing test (legitimate interests assessment) is how you show this
Most SMEs rely on a mix of contract, consent and legitimate interests. Each processing activity needs its legal basis documented in your ROPA.
3. Update Your Privacy Notice
Every website and service collecting personal data needs a privacy notice (sometimes called a privacy policy). Under GDPR, this document must be:
- Written in clear, plain language
- Easily accessible (not buried in terms and conditions)
- Provided at the point of data collection
It must include: who you are, what data you collect, why, your legal basis, how long you retain it, whether you share it with third parties, and what rights individuals have.
4. Review Your Consent Mechanisms
If you rely on consent as your legal basis, that consent must meet GDPR standards:
- Freely given — not bundled with terms of service, and not made a condition of a service that does not actually need the data
- Specific — one purpose per consent request
- Informed — the individual knows what they are consenting to
- Unambiguous — a positive opt-in action is required; pre-ticked boxes are invalid
Keep records of when and how consent was obtained. Individuals must be able to withdraw consent as easily as they gave it.
See also: our guide to cookie consent requirements for website-specific rules.
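The inventory in section 1, the lawful-basis requirement in section 2 and the consent-record requirement in section 4 all come down to the same thing: every ROPA entry should answer the same questions, and some answers trigger extra obligations. The script below is an added example written for this checklist, not code from the original page; it lints ROPA entries before they go into the register. The entry schema, the field names and the sample entries are assumptions.

```python
"""ROPA linter: check each processing-activity entry before it enters the register.

Added example for this checklist (not code from the original page). The entry
schema, field names and sample entries below are assumptions.
"""
from typing import Dict, List

# The six Article 6 lawful bases.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# One entry per processing activity; these are the questions the checklist says to answer.
REQUIRED_FIELDS = (
    "activity",          # e.g. "Order fulfilment"
    "data_categories",   # what you collect
    "purpose",           # why you collect it
    "lawful_basis",      # Article 6 basis
    "storage",           # where it is held
    "access_roles",      # who has access
    "retention",         # how long you keep it
)


def lint_entry(entry: Dict) -> List[str]:
    """Return the problems with one ROPA entry (an empty list means it passes)."""
    name = entry.get("activity", "<unnamed>")
    problems = [f"{name}: missing '{f}'" for f in REQUIRED_FIELDS if not entry.get(f)]
    basis = entry.get("lawful_basis")
    if basis and basis not in LAWFUL_BASES:
        problems.append(f"{name}: '{basis}' is not one of the six Article 6 bases")
    # Some bases carry their own paperwork: LI needs a balancing test,
    # consent needs a record of when and how it was obtained.
    if basis == "legitimate_interests" and not entry.get("balancing_test"):
        problems.append(f"{name}: legitimate interests requires a documented balancing test")
    if basis == "consent" and not entry.get("consent_records"):
        problems.append(f"{name}: consent requires a record of when and how it was obtained")
    return problems


def lint_ropa(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map activity name -> problems, listing only entries that fail."""
    report = {}
    for entry in entries:
        problems = lint_entry(entry)
        if problems:
            report[entry.get("activity", "<unnamed>")] = problems
    return report


# Constructed sample register (assumed field values).
SAMPLE_ROPA = [
    {"activity": "Order fulfilment", "data_categories": ["name", "address", "email"],
     "purpose": "deliver purchased goods", "lawful_basis": "contract",
     "storage": "EU-hosted order database", "access_roles": ["sales", "warehouse"],
     "retention": "contract end + 6 years"},
    {"activity": "Newsletter", "data_categories": ["email"],
     "purpose": "send product news", "lawful_basis": "consent",
     "storage": "email marketing platform", "access_roles": ["marketing"],
     "retention": "until consent withdrawn or 24 months inactive"},  # no consent_records
    {"activity": "Fraud screening", "data_categories": ["IP address", "order history"],
     "purpose": "detect payment fraud", "lawful_basis": "business interest",
     "storage": "EU-hosted order database", "access_roles": ["finance"],
     "retention": ""},  # unknown basis, no retention period
]


def run_sample() -> Dict[str, List[str]]:
    return lint_ropa(SAMPLE_ROPA)


if __name__ == "__main__":
    for activity, problems in run_sample().items():
        print(activity)
        for p in problems:
            print("  -", p)
```

Running it flags the newsletter (consent without a consent log) and the fraud screening entry (an invented lawful basis and no retention period); the order-fulfilment entry passes. Extending `lint_entry` with your own checks, such as a DPA reference for every third-party recipient, is the natural next step.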
5. Implement a Data Retention Policy
Keeping personal data longer than necessary is a GDPR violation. Define retention periods for each data category:
- Customer records: typically the duration of the contract plus a period for possible legal claims (six years in the UK, matching the limitation period; EU member states set their own limitation periods)
- Marketing contacts: until consent is withdrawn or a reasonable inactivity period
- Employee records: varies by country and data type
Build deletion schedules into your systems so data is removed automatically when retention periods expire.
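As an added illustration of the deletion-schedule step (example code written for this checklist, not from the original page), the following Python sketch turns per-category retention rules into a list of records due for deletion. The record fields, the two rules (customer records: contract end plus six years; marketing contacts: 24 months of inactivity or withdrawal of consent, whichever comes first), the `legal_hold` flag and the sample records are all assumptions.

```python
"""Retention schedule: which records are due for deletion today?

Added example for this checklist (not code from the original page).
Record fields, the rules below and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class RetentionRule:
    anchor: str          # record field that starts the retention clock
    years: int = 0
    days: int = 0


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    contract_end: Optional[date] = None       # customer records
    last_activity: Optional[date] = None      # marketing contacts
    consent_withdrawn: Optional[date] = None  # marketing contacts
    legal_hold: bool = False                  # assumed flag: needed for a live claim


# Assumed policy: contract end + 6 years; 24 months of marketing inactivity.
RULES: Dict[str, RetentionRule] = {
    "customer": RetentionRule(anchor="contract_end", years=6),
    "marketing": RetentionRule(anchor="last_activity", days=730),
}


def expiry_date(record: Record,
                rules: Dict[str, RetentionRule] = RULES) -> Optional[date]:
    """Date from which the record may be deleted; None if still active or unclassified."""
    # Withdrawal of consent ends consent-based processing immediately.
    if record.category == "marketing" and record.consent_withdrawn is not None:
        return record.consent_withdrawn
    rule = rules.get(record.category)
    if rule is None:
        return None
    anchor = getattr(record, rule.anchor)
    if anchor is None:          # e.g. contract still running: clock not started
        return None
    return add_years(anchor, rule.years) + timedelta(days=rule.days)


def due_for_deletion(records: List[Record], today: date,
                     rules: Dict[str, RetentionRule] = RULES) -> Tuple[List[str], List[str]]:
    """Return (ids to delete now, ids that need a human decision)."""
    delete, review = [], []
    for r in records:
        if r.category not in rules:
            review.append(r.record_id)   # no rule: nobody has decided how long to keep it
            continue
        exp = expiry_date(r, rules)
        if exp is None or exp > today:
            continue
        (review if r.legal_hold else delete).append(r.record_id)
    return delete, review


# Constructed sample data.
SAMPLE = [
    Record("c1", "customer", contract_end=date(2018, 6, 30)),
    Record("c2", "customer"),                                   # contract still running
    Record("c3", "customer", contract_end=date(2015, 1, 1), legal_hold=True),
    Record("m1", "marketing", last_activity=date(2022, 1, 1)),
    Record("m2", "marketing", last_activity=date(2024, 12, 1)),
    Record("m3", "marketing", last_activity=date(2024, 12, 20),
           consent_withdrawn=date(2025, 1, 10)),
    Record("x1", "unclassified"),
]


def run_sample(today: date = date(2025, 1, 15)) -> Tuple[List[str], List[str]]:
    return due_for_deletion(SAMPLE, today)


if __name__ == "__main__":
    to_delete, to_review = run_sample()
    print("delete:", to_delete)   # ['c1', 'm1', 'm3']
    print("review:", to_review)   # ['c3', 'x1']
```

Two design points matter in practice: records with no retention rule go to review rather than being silently kept forever, and expired records under a legal hold are surfaced instead of deleted, so the schedule never destroys evidence you are obliged to keep. Run it from a nightly job against your real stores, and log what it deleted, since the deletion itself is part of your accountability record.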
6. Secure the Data You Hold
GDPR Article 32 requires “appropriate technical and organisational measures” to protect personal data. For most SMEs, this means:
- Strong passwords and multi-factor authentication on all systems
- Encryption of stored personal data where feasible
- Access controls — only staff who need data should have it
- Regular software updates and patching
- A process for identifying and responding to security incidents
You do not need to achieve perfect security, but you must demonstrate that you took reasonable steps proportionate to the risk.
7. Know Your Data Subject Rights Obligations
Under GDPR, individuals have eight data subject rights you must be ready to honour:
- To be informed — tell people how you use their data, normally through your privacy notice (Articles 13 and 14)
- Access — provide a copy of the data you hold, with the supporting information in Article 15, within one month
- Rectification — correct inaccurate or incomplete data without undue delay
- Erasure — delete data when there is no longer a lawful basis or need to keep it (the "right to be forgotten")
- Restriction — pause processing, for example while the accuracy of the data or an objection is being resolved
- Data portability — for data processed on the basis of consent or contract, provide it in a structured, commonly used, machine-readable format
- Objection — an absolute right to opt out of direct marketing, and a right to object to legitimate-interest and public-task processing
- Automated decision-making — not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects
Separately, anyone who gave consent can withdraw it at any time (see section 4). Train staff to recognise and route rights requests; most must be fulfilled within one month of receipt, extendable by two further months only for complex or numerous requests.
8. Prepare a Data Breach Response Plan
A personal data breach must be reported to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay.
Have a written plan covering:
- Who to notify internally (usually a named data protection contact)
- How to contain and assess the breach
- When and how to notify the supervisory authority
- Record-keeping requirements
Even breaches you decide not to report must be documented internally. See our full data breach notification guide.
9. Assess Whether You Need a DPO
A Data Protection Officer is mandatory if your organisation:
- Is a public authority or body
- Has core activities that involve regular and systematic monitoring of individuals on a large scale
- Has core activities that involve large-scale processing of special categories of data (such as health or biometric data) or of criminal conviction data
Most small businesses do not need a DPO, but designating a point of contact for data protection internally is good practice regardless.
10. Review Third-Party Processors
If you share personal data with any third party — a payroll provider, email marketing platform, cloud storage service — you need a Data Processing Agreement (DPA) in place. This contract sets out what the processor can do with the data and their security obligations.
Check that every vendor you share data with has signed a DPA, and that any vendor outside the EEA is either in a country with an adequacy decision or covered by an approved transfer mechanism such as the Standard Contractual Clauses.
Frequently Asked Questions
Does GDPR apply to my small business if I only have EU customers?
Yes. GDPR applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour there, and to any organisation established in the EU regardless of where the individuals are.
What is the maximum fine for GDPR non-compliance?
Fines can reach up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. A lower tier, capped at €10 million or 2% of turnover, applies to infringements such as failing to keep records, secure data or notify a breach.
Do I need a written privacy policy?
Yes. Every organisation processing personal data must provide individuals with a privacy notice at the point of collection (or, for data obtained from elsewhere, within a reasonable period). It must contain all the information required under Articles 13 and 14 GDPR.
How long do I have to respond to a Subject Access Request?
One calendar month from receipt of the request. Where requests are complex or numerous, this can be extended by a further two months, but you must tell the individual about the extension, and why, within the first month.
Can I charge a fee for a Subject Access Request?
Only in limited circumstances, where requests are manifestly unfounded or excessive (in which case you may alternatively refuse to act). In all other cases the response must be free of charge.
What counts as a personal data breach?
Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes lost laptops, hacked systems, accidentally emailing data to the wrong person, and ransomware attacks, including ransomware that only encrypts data without exfiltrating it.
Is consent always required under GDPR?
No. Consent is just one of six lawful bases. Many businesses can rely on contract or legitimate interests for common processing activities without needing explicit consent from every individual.
Do I need to register with my national data protection authority?
In some EU member states, notification or registration requirements survive under national law, so check with your authority. In the UK, most organisations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO) unless they are exempt; this is what is commonly called "registering" with the ICO.