GDPR checklist for SMEs
A practical GDPR checklist for SMEs covering processing records, lawful basis, privacy notices, processors, DPIAs, DPO checks, DSARs and breach response.
Direct answer
A GDPR checklist for SMEs should cover processing records, lawful basis, privacy notices, processor contracts, international transfers, retention, data subject rights, breach response, DPIA triggers, DPO triggers, and staff training. The checklist should produce evidence a customer or authority can inspect.
What should be on a GDPR checklist for SMEs?
- Processing register
- Privacy notices
- Processor controls
- Retention and deletion
| Area | What to keep |
|---|---|
| Core file | ROPA, notices, processor list, DSAR and breach procedures |
| Risk checks | DPIA and DPO triggers |
| Review cadence | Quarterly or when processing changes |
Most data subject requests should be answered within one month, subject to GDPR conditions.
GDPR checklist for SMEs: action checklist
| Action | GDPR reference |
|---|---|
| Document each processing activity and whether Article 30 applies. | Article 30 |
| Keep website, customer, employee and applicant notices current. | Articles 13-14 |
| Verify Article 28 contracts and subprocessors for core vendors. | Article 28 |
| Define retention periods and deletion owners by dataset. | Article 5 |
Key deadlines
| Deadline | Requirement | Source |
|---|---|---|
| One month | Data subject requests: most data subject requests should be answered within one month, subject to GDPR conditions. | European Commission GDPR SME guidance |
30/60/90-day action plan
First 30 days
Confirm scope and assign an owner
Evidence needed: Applicability note, business owner, systems or product list, and source links.
Days 31-60
Close the evidence gaps
Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
Days 61-90
Prepare for audit or customer review
Evidence needed: Versioned compliance file, action log, exception register, and next review date.
Evidence to retain
Applicability decision
Shows whether GDPR applies to the SME and why it reached that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
What is the fastest GDPR task for an SME to start?
Start with a processing register and vendor list because they expose missing notices, contracts, retention periods and DPIA triggers.
Is a GDPR checklist enough without documents?
No. The checklist should point to evidence such as notices, contracts, ROPA entries, DPIAs, DSAR logs and breach procedures.
Turn this guide into a tracked action plan
Start with the Regulation Checker, save the result, and import the action plan into your EuroComply dashboard when you are ready to assign owners.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.