GDPR for SMEs: the practical guide to data protection
Get on top of GDPR as a small business: what the law requires, who it applies to, and concrete steps you can take starting today.
GDPR is not just for large corporations with a legal department -- the rules apply to every business that processes personal data about EU citizens, regardless of size. This guide gives you, as a small business owner, a clear and practical overview of what you need to do to comply with the law.
What is GDPR, and does it apply to your business?
The General Data Protection Regulation (GDPR) came into force in May 2018 and sets out requirements for how businesses collect, store, and use personal data. Personal data is any information that can identify a natural person -- for example a name, email address, IP address, or national identification number.
GDPR applies to your business if you process personal data about customers, employees, suppliers, or visitors to your website. There is no revenue threshold or employee headcount that exempts you. Even a sole trader with a customer database is covered.
The relevant national supervisory authority oversees compliance with the rules and can impose fines for violations. In serious cases, fines can reach up to 4 percent of the company's global annual turnover or 20 million euros, whichever is higher.
The six core principles you need to know
GDPR is built on six principles that all processing of personal data must meet:
- Lawfulness, fairness, and transparency -- you must have a valid legal basis for processing the data, and the individual concerned must know what is happening with their data.
- Purpose limitation -- data may only be used for the purpose for which it was collected.
- Data minimisation -- collect only the data you actually need.
- Accuracy -- keep data up to date and correct.
- Storage limitation -- delete data when it is no longer necessary.
- Integrity and confidentiality -- protect data against unauthorised access and accidental loss.
As a business owner, you are responsible for being able to demonstrate that you comply with all six principles -- this is known as the accountability principle.
Concrete steps to get started
It can feel overwhelming, but you can make significant progress with these five steps:
1. Map your data flows Create a list of what personal data you collect, where it comes from, what it is used for, and who has access to it. This is the foundation for all other GDPR work.
2. Identify your legal basis for processing For each category of data, you need a valid legal basis. The most commonly used are consent, performance of a contract, and legitimate interests. Consent must be freely given, specific, and documented -- a pre-ticked box does not meet the standard.
3. Update your privacy policy Your website must have a clear and easy-to-understand privacy policy that explains what data you collect, why you collect it, who you share it with, and how long you retain it. Write it in language your customers can actually understand.
4. Put data processing agreements in place If you use third-party providers -- for example for email marketing, accounting, or CRM -- that process personal data on your behalf, you must have a written data processing agreement in place with each of them.
5. Establish a procedure for data breaches If a personal data breach occurs, you generally have 72 hours to report it to the supervisory authority. Make sure you know who needs to be contacted internally, and that you have a template ready to go.
What does non-compliance cost?
Beyond the risk of fines, failing to comply with GDPR can seriously damage your business's reputation and customer trust. Supervisory authorities carry out ongoing inspections and respond to complaints from individuals. In 2024 and 2025, record numbers of complaints were filed by private individuals, and the number of guidance decisions directed at small businesses is rising.
It is not only fines that are at stake, either. Customers and business partners are increasingly requiring documented GDPR compliance -- particularly if you supply larger companies or public sector organisations.
Frequently asked questions
Do I need to appoint a Data Protection Officer (DPO)? The vast majority of small businesses are not required to appoint a DPO. The requirement applies primarily to public authorities and private companies that process sensitive data -- such as health data -- on a large scale, or that carry out systematic monitoring. You should, however, always have someone internally responsible for data protection.
Does GDPR also cover my employee data? Yes. Data about employees -- from payslips and sick days to HR records -- constitutes personal data and is fully covered by GDPR. You must have a legal basis for processing it, and employees have the right to access the data you hold about them.
What is the difference between a data controller and a data processor? You are the data controller when you determine the purposes and means of processing personal data. If you use an external provider to carry out the actual processing -- such as an IT system or an accounting platform -- that provider is the data processor. The processor acts only on your instructions, and the relationship must be governed by a data processing agreement.
Let Legiant keep track of it for you
GDPR requirements evolve continuously, and it can be hard to keep up as a busy small business owner. Legiant automatically monitors your compliance status, notifies you when there is something you need to act on, and helps you document that you are meeting the rules -- without requiring you to be a legal expert. Try Legiant for free and get a clear picture of your GDPR status today.
