Executive summary · TL;DR
The GDPR is not optional and SMEs are not exempt. This guide simplifies compliance into ten practical steps: inventory of processing activities, legal basis, information to data subjects, rights of the data subject, contracts with processors, technical and organisational measures, breach notification, DPO when applicable, international transfers and continuous review.
Sources: GDPR (Regulation (EU) 2016/679) · LOPDGDD · AEPD · EDPB
Eight years after the entry into force of the GDPR, many SMEs are still struggling with compliance. The complexity of the regulation, the lack of clear guidance and the fear of fines generate paralysis. This guide simplifies compliance into ten practical steps that any SME can apply.
Step 1: Inventory of processing activities
The first step is to know what personal data you process and why. Create a record of processing activities (mandatory under Article 30 of the GDPR) that includes: name of each processing activity (e.g. customer management, employee management, marketing), purpose, legal basis, types of data, categories of data subjects, recipients (internal and external), retention period, and security measures applied.
The AEPD has Facilita_RGPD, a free tool that helps SMEs create this record.
Step 2: Legal basis for each processing activity
Every processing activity needs one of the six legal bases of Article 6 of the GDPR: consent (informed, freely given, specific and unambiguous), performance of a contract (the processing is necessary to perform the contract), legal obligation (the law requires the processing), vital interests (protecting a person's life or physical integrity), public interest (tasks carried out in the public interest, typically by the public sector), and legitimate interest (only if it is not overridden by the interests, rights and freedoms of the data subject).
Consent and legitimate interest are the most misused. Consent must be obtained by clear affirmative action (no pre-ticked boxes). Legitimate interest requires a documented balancing test.
Step 3: Information to data subjects
You must inform people about the processing of their data (Articles 13 and 14 of the GDPR): identity and contact details of the controller, contact details of the DPO if there is one, purposes and legal basis, recipients, any intended international transfer, retention period, the rights of the data subject and how to exercise them, and the right to lodge a complaint with the supervisory authority. The information must be provided in clear, simple and accessible language.
Step 4: Rights of data subjects
The GDPR grants rights to data subjects: access, rectification, erasure ('right to be forgotten'), objection, restriction of processing, portability, and the right not to be subject to decisions based solely on automated processing. The organisation must facilitate these rights without obstacles, generally responding within one month. Have procedures in place to handle requests quickly.
Step 5: Contracts with processors
If you have suppliers that process personal data on your behalf (cloud, marketing, payroll, IT support), you need a data processing agreement under Article 28 of the GDPR. The contract must specify: the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, the processor's duty of confidentiality, the technical and organisational measures, the conditions for engaging sub-processors, and the assistance the processor must provide to the controller. Many SMEs sign generic contracts that do not meet these requirements.
Step 6: Technical and organisational measures
You must protect data with appropriate measures (Article 32 of the GDPR): pseudonymisation and encryption where appropriate, confidentiality, integrity, availability and resilience of systems, ability to restore availability and access to data after an incident, and a process for regularly testing the effectiveness of measures. Measures must be proportionate to the risk and the volume of data.
Step 7: Personal data breach notification
If you suffer a personal data breach, you must: notify the AEPD within 72 hours of becoming aware of it (Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals) and, if there is a high risk to those rights and freedoms, also notify the affected individuals (Article 34). Document every breach, including those that do not require notification.
Step 8: Data Protection Officer (DPO)
The DPO is mandatory when: the controller or processor is a public authority, the core activity requires regular and systematic monitoring on a large scale, or the core activity involves large-scale processing of special categories of data. Many SMEs are not obliged to have a DPO but engage one voluntarily as a sign of commitment. The DPO can be internal or external.
Step 9: International data transfers
Data transfers outside the European Economic Area require specific safeguards: an adequacy decision (the European Commission has declared that the destination country ensures an adequate level of protection), Standard Contractual Clauses (SCCs) approved by the Commission, Binding Corporate Rules (BCR), or specific derogations (consent of the data subject, performance of a contract). Following Schrems II, you must also assess the laws of the recipient country before relying on SCCs (e.g. for transfers to the US).
Step 10: Continuous review and culture of protection
Compliance is not a one-off project but a continuous process. Establish: annual review of processing activities, periodic training of staff, supplier audits, simulations of personal data breaches, and active monitoring of regulatory updates (AEPD, EDPB).
Common mistakes that lead to fines
The most-sanctioned mistakes in Spain are: pre-ticked consent boxes on websites, lack of an updated record of processing activities, contracts with processors that don't comply with Article 28, lack of basic security measures (no encryption, weak passwords, no backups), CCTV without proper signage, sending commercial communications without consent or legitimate interest, and lack of response to data subject rights.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.
Frequently asked questions
- Do SMEs have to comply with the GDPR?
- Yes. The GDPR applies to all organisations that process personal data of EU residents regardless of size. There is no exemption for SMEs, although some obligations (such as the DPO) only apply to organisations meeting certain criteria.
- What sanctions does non-compliance entail?
- GDPR fines can reach up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious breaches.
- What are the rights of data subjects?
- Access, rectification, erasure ('right to be forgotten'), objection, restriction of processing, portability and the right not to be subject to decisions based solely on automated processing.
- When is a DPO mandatory?
- When the organisation is a public authority, when the core activity involves regular and systematic monitoring of data subjects on a large scale, or when the core activity involves large-scale processing of special categories of data.
- How does this apply to my SME?
- It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above the thresholds we summarise in the table.
- What does it cost in 2026?
- Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).
- Which Spanish regulation applies?
- Depending on scope, the BOE references RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689).
- How long does the implementation take?
- On average 4-7 months for a single ISO standard. An integrated management system (SGI, e.g. 9001+14001+27001) usually takes 8-12 months.
- Can I co-finance it with Kit Digital or Kit Consulting?
- Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Marketing to the brain is more predictable than marketing to opinion. — Ángel Ortega Castro