GDPR compliance for SMEs
Plain-English GDPR compliance for SMEs: lawful basis, ROPA, DPIA, DPO triggers, data subject rights, breach response, and evidence to retain.
Direct answer
GDPR compliance for SMEs requires knowing what personal data is processed, the lawful basis for each activity, whether ROPA, DPIA or DPO duties apply, how data subject requests are handled, and how breaches are reported. Some duties scale by risk and activity, not only by company size.
What does GDPR compliance for SMEs require?
- Map processing
- Confirm lawful basis
- Test DPIA and DPO triggers
- Prepare DSAR and breach workflows
| Key fact | Detail |
|---|---|
| In force | 2018-05-25 |
| Maximum fine | EUR 20M or 4% of global turnover |
| Key SME point | Risk and activity can trigger stricter duties even for small companies |
GDPR compliance for SMEs checklist
Action checklist
| Action | GDPR reference |
|---|---|
| List purposes, categories of data, recipients, retention and processors. | Article 30 |
| Record the lawful basis for each processing purpose and keep it reviewable. | Article 6 |
| Check high-risk processing, large-scale monitoring and sensitive data use. | Articles 35, 37 |
| Document request handling, identity checks, deadlines and escalation. | Articles 12-23, 33 |
Key deadlines
| Deadline | Requirement | Source |
|---|---|---|
| 72 hours | Personal data breach notification: notify the supervisory authority within 72 hours where notification is required. | European Commission GDPR SME guidance |
30/60/90-day action plan
| Phase | Action | Evidence needed |
|---|---|---|
| First 30 days | Confirm scope and assign an owner | Applicability note, business owner, systems or product list, and source links. |
| Days 31-60 | Close the evidence gaps | Policies, supplier records, data maps, technical notes, training records, or process owners. |
| Days 61-90 | Prepare for audit or customer review | Versioned compliance file, action log, exception register, and next review date. |
Evidence to retain
Applicability decision
Shows whether GDPR compliance for SMEs applies and why the SME made that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Does GDPR apply to SMEs?
Yes. GDPR applies based on personal data processing. Some obligations may not apply to every SME, but risky or regular processing can trigger stricter duties.
Do SMEs need a ROPA under GDPR?
SMEs under 250 employees may be exempt unless processing is regular, risky, or involves special categories or criminal data.
Turn this guide into a tracked action plan
Start with the Regulation Checker, save the result, and import the action plan into your EuroComply dashboard when you are ready to assign owners.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.