GDPR for SMEs: Navigating the Regulations

It is important for your company to comply with GDPR as now everyone will be held liable when collecting and using personal data. Of course, the steps for GDPR for SMEs (small and medium-sized enterprises) can be a little bit different than what is done by larger company.


Step by Step to Comply with GDPR for SMEs

Understand GDPR even if the company is medium or small size

GDPR is created by council and parliament as regulation that is similar to national law. So, it is important for you to know the method that you can use to comply with GDPR. Even if the company is medium or small size, this regulation still applies to you.

You need to perform assessment that will allow your company to identify the process that has high risk. Then you need to analyze it further so you can prepare all of the resources needed to implement GDPR in your company. 

Create documentation for all personal data your company collect

GDPR stated that you need to create record of all the processing activities that your company collect. This regulation includes SMEs so you have to create the record.

To do it first you need to create documentation for all of the data that your company collect. It should show the source of where the data comes from, how your company uses the data when the data refers to identifiable person.

Do not forget that you also need to submit RPA report with the newest data to authorized supervisor any time it is requested. Thus, it is important to create this document as the steps needed to create it also help your company to evaluate all process as well as help to know the point where correction need to be implemented.

Send privacy notice to inform all concerned parties

Sending notification to inform the individuals who data are collected by your company is important to comply with GDPR for small and medium-sized enterprises. You need to tell them the types of data that you collect, the method to collect the data, the reason why you collect the data and if the data is transferred to other countries. 

Check whether data processing done follows to individual rights

Once you have all of your data documented, then you need to review the procedures that you use on the personal data legally. You need to find out if the procedures comply with GDPR. 

If it is too complex then you need to hire a lawyer to review it for you. Especially since the processing activities that is done using personal data may affect individual rights. So, the processing activities should always be justified according to the laws and regulation.

Getting consent

The proceeding can be justified by getting consent which is also considered as important data protection. That is why you need to review the method that you use to manage, record and seek consent. 

You also need to make sure that everything should comply with GDPR for small and medium-sized enterprises standard. That is why, it is important to do periodic review and refreshing all of the consents. You should also use easy to understand grammar and content for the consent. So everyone can understand the language that you use to define the consents as requested by GDPR.

Plan how to handle subject access request

It is important for the company to update all of the procedures for request regarding subject access. You should also create plan that will be use to handle the request as stated in GDPR rule. 

Most of the time, you won’t be able change the request. But now you still have one-month time to comply with the request. You are allowed to charge or refuse excessive request. 

However, you need to give them their data that is created using machine-readable format. When you refuse their request then you need to give the individual the reason why you refuse it. 

You also need to tell them that they can file a complain directly to supervisory authority as well as judicial remedy. Remember that all of these need to be done without delay within a month period.

Review outsourcing processing contracts

If the company does not process the data themselves and instead using outsource company as data processor then you need to review your contracts. You need to make sure that the data processing procedure that the outsource company also comply with GDPR for small and medium-sized enterprises. 

The first thing that you need to do is to actually own the contract as it is sometimes not provided to you if you use cloud services that are free. So, you need to find a way to get your hands on the contract.

Especially since you need to provide the contract to supervisory authority when they request it. Then you need to review if the contact also complies with GDPR for small and medium-sized enterprises. It is very possible that the contract needs some adjustment to comply with GDPR.

Appoint DPO to take care the GDPR compliance

Most company need to appoint DPO that will be responsible to take care of the GDPR compliance. Although there are specific requirements for a company to have mandatory DPO but it is still good idea for SMEs to have someone with this role. 

So, even if your company does not directly have these requirements then you still need to have the officer. Especially if your company process data on special category for example, health data then it would be better to have external officer or internal DPO even if they work part time.

The officer will give their report only to highest position on your company. They should also work to make sure that the company will follow all of the measures needed so the information and process is done following GDPR for small and medium-sized enterprises regulation.  

Virtual DPO is another option that the company can use to comply with GDPR. Some company choose this option since it cost less and it can help the company to reduce the working hours by 75%.

Evaluating data processing activities

It is important for the company to analyze all of the risk that might affect the data subject. And to do it you need to evaluate all types of the data processing activities deeply to understand every detail.

This include analyzing all software used by the company, all activities performed as well as all of the measures taken which all must be protected by design. This is necessary since it can help to make sure there is no vulnerabilities and breaches on the security of the data. It also helps to make sure that there is no harm done to the data subject rights.

When the data and the processing activities are vulnerable and have high risk then you need to perform impact assessment. This assessment is done so you can evaluate the measures that can be take to minimize the risk and fight the right one. 

To add more security the personal data you can implement minimization of the personal data collected, pseudonymization, as well as data erasure according to the deadline stated in the consent. You should also provide data subject with access to their data.

Dealing with data breaches as well as sending necessary notification

The company must have internal procedure that can be used to deal with data breaches to comply with GDPR for small and medium-sized enterprises. You should also make sure that the outsource company that you use also adopt the same procedure.

The procedure taken must include the identification of the actual breaches of the data, investigating the breach circumstances as well as assessing the implication that might happened to both the company as well as the privacy of data subject.

Besides doing all of those procedure, your company also required to send notification about the breaches to supervisory authority. The notification should be sent within 72hours without delay after the breaches is identified. 

If there is any delay outside the required timeframe, then on the notification send to the supervisory authority, you must also include the reason for the delay. On beaches which may expose data subject to privacy risk, then you are also required to notify the data subject. 

How to Know If the Rules also Apply to Your Company?

The GDPR regulation actually does not depends on the size of your company as this regulation is created to be applied to all companies with varied size. If there are any activities which give high risk to the data subject’s freedom and rights then even Stricker rules can be applied regardless if your company is large corporation or SMEs. 

However, if your company have less than 250 employees then you do not need to keep processing activities record unless the personal data process is regular activities that give high risk to the data subject’s freedom and rights or if it involved criminal record and sensitive data. 


Even though GDPR for small and medium-sized enterprises might not required for your company, it is still important to comply with the regulation. Especially since GDPR is designed to help you protect personal data which is something that expected by your customers. Thus, you can try to follow the steps we provide here to help you navigate with the GDPR regulation. 

Description: This guide is designed to help small and medium-sized enterprises navigate the complex regulations of GDPR and protect their customers’ data.

Tags: GDPR for small and medium-sized enterprises, GDPR for small and medium-sized enterprises regulation, GDPR for small and medium-sized enterprises best practice, GDPR for small and medium-sized enterprises tips, navigate GDPR for small and medium-sized enterprises,