Skip to main content

Complying with GDPR as a small to medium-sized business

If your company sells to, provides services to, or employs citizens of the European Union, then you must comply with the GDPR. To begin with, let’s briefly consider what the GDPR is, its key requirements and principles for small businesses, and what can make it easier to comply. Of course, requirements will vary based on the nature of your business and other factors. Indeed, the recommendations in this GDPR compliance guide can help you manage and protect your data. However, they are not a guarantee of GDPR compliance.

Introduction to the GDPR for small businesses

The GDPR is an EU regulation intended to protect the privacy of people’s data. GDPR rights and protections cover anyone who lives in the EU, as well as every EU citizen, wherever they live in the world. The GDPR contains principles and specific requirements for how companies collect and use data. It also outlines when and how data can be shared, and sets standards for when it should be deleted. 

Principles of the GDPR

GDPR article 5 lists a string of principles for data processing. You and your employees must have a solid grasp of these principles. If you do, it will then be much easier to apply the GDPR and know what to do —and what not to do— in any situation where you handle personal data. So, here is a summary of GDPR principles and what they mean for your company:

Lawfulness, fairness and transparency
First, only collect personal data if you have a legal basis for doing so. Then, don’t do anything with personal data that might harm or embarrass the person. Finally, don’t deceive people about what you do with their data.

Purpose limitation
Don’t use data for any other purposes besides the ones listed in your policies and consent forms. Further, you should always delete personal data you no longer need.

Data minimisation
Don’t collect more data than you need. Don’t collect or keep personal and sensitive data if you don’t need to. Then, clean up your data storage regularly.

Make sure the personal data you collect is accurate, and keep the personal data you store up to date. It is a good idea to ask people from time to time if their information has changed.

Storage limitation
Begin by setting a retention period for data and stick to it. Then, inventory your data regularly. Don’t let personal data linger in your systems endlessly. Delete it.

Integrity and confidentiality
Keep people’s personal data safe. Protect data privacy with technical measures, for instance, with passwords, ID verification, and encryption. Decide which of your people and departments should have access to personal and sensitive data, then put policies in place to make sure unauthorised persons will not see it.

You are responsible for the data you and your employees store. Keep documentation of your data processing, storage practices, and staff training to demonstrate compliance and be ready to give people information about their data when they ask for it.

Types of data that get protection

You and your employees should know how to quickly recognise the types of data that are protected under the GDPR:

Personal data
Personal data is defined as data that can be linked to a certain person and used to identify them. This includes, for example, a person’s name, address, date of birth, IP address. Most information and images belonging to employees and customers will count as personal data. 

Sensitive personal data
Since revealing very personal data could cause a person harm or violate their privacy, such data is considered special category and gets extra protection. This includes, for instance, a person’s religion, trade union membership, ethnic origin, biometric data, DNA, and more. All data related to children and images of children should also be considered as special categories/sensitive data and treated with special care. 

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Step-by-step GDPR compliance guide

This section describes some basic steps SMBs can take to get ready for GDPR. The steps listed are based on information provided through the Publications Office of the European Union here, along with our own tips to make compliance easier. 

Step 1: Find out what data your company has collected and why
Above all, map your data. To begin with, make an inventory of the personal data your company has collected and where it is and why it’s needed.  

Then, check if you have a legitimate reason for collecting the data. 

Our tip: A data discovery tool can help you discover, classify, and later, continuously monitor the sensitive information your company has collected.  

Step 2: Inform people when you collect their personal data
Let people know when you process their personal data and tell them why.  

If you ask people for an email address on your sign-up forms, make sure you link your privacy policy and state specifically what you intend to do with their information. For example, tell them if you intend to send them promotions and news about your products. 

You can skip this in some cases, for instance, if someone orders something from you and provides you with a home address for delivery. 

You must also inform individuals about the personal data you hold about them, on request, and give them access to their data. Of course, being organised with your data makes it easier to provide this information on time. 

Our tip: Another benefit of a data discovery tool is that you can quickly pull up a specific person’s data in response to data subject accesss requests (DSARs). Add a DSR portal for easier request fulfilment.

Step 3: Set data retention limits and delete data you no longer need
It’s important to only keep employee data as long as the employment relationship and related legal obligations last. Likewise, you should only keep customer data as long as the customer relationship and related legal obligations last. Delete personal data when you no longer use it for the purposes for which you collected it. 

Our tip: A data discovery tool highlights old and high-risk files so you can review and delete them to minimise risk. 

Step 4: Protect personal data
Limit access to your high-risk files with encryption and strong passwords. Then, establish policies for employees to protect their emails, cloud accounts, devices and any physical documents that contain personal data. These measures will prevent unauthorised persons from gaining access to your files. 

Likewise, manage permissions to folders and centralised secure locations where you save your files (OneDrive or SharePoint document libraries). Further, always use data encryption when you share files with colleagues or share company files with others.

Our tip: A data discovery tool can tell you which of your team members stores the most sensitive data. Starting with these employees, make sure everyone follows your security policies. 

Step 5: Document your data processing activities
Prepare a short document explaining what types of personal data you hold as well as your reasons for collecting it. Since you may be required to make this documentation available to your national data protection authority at some point, make sure it is complete.

Such a document should include the information listed below. 

Information  Examples 
The purpose of data processing  Alerting customers about special offers such as providing home delivery; paying suppliers; salary and social security coverage for employees 
The types of personal data  Contact details of customers; contact details of suppliers; employee data 
The categories of data subjects concerned  Employees; customers; suppliers 
The categories of recipients  Labor authorities; tax authorities 
The storage periods  Employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship 
The technical and organisational security measures to protect the personal data  IT system solutions regularly updated; secured location; access control; data encryption; data backup 
Whether personal data is transferred to recipients outside the EU  Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments 

 Our tip: The information you get from a data discovery tool can be used to demonstrate compliance in case of audit.  

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Step 6: Make sure your subcontractors respect the rules
If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures). 

Our tip: During data inventory, note who your data processors are. Then, make sure they are listed in your privacy policy.

Step 7: Appoint a DPO or assign someone to oversee personal data protection
Appoint a Data Protection Officer (DPO): 

  • If processing personal data is a core part of your business. 
  • If you process data on a large scale.  

Note that small businesses may not be required to appoint a DPO. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO.  

If you need a DPO, an SMB can assign an existing employee to cover DPO duty in addition to his/her other tasks. On the other hand, you could also choose to hire an external consultant or service. 

Our tip: Using automated data discovery makes it easy for anyone to perform DPO tasks. 

Step 8: Consider performing Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments are required for businesses that conduct activities that may pose special risks to personal data. For example, large-scale monitoring/video surveillance of a publicly accessible area where you would collect images of people, especially images of children. 

On the other hand, if you are a small business that just manages employee wages, lists of clients, etc., then you may not be required to perform Data Protection Impact Assessments.

Our tip: Whenever you begin new or risky activities that involve processing personal data, perform a basic DPIA. This can be a good exercise to evaluate your own practices and can also reduce the risk of data breaches and limit liability in case data is leaked. A data discovery tool makes it easy.

The easy way to comply with GDPR for SMBs

At Safe Online, we have developed the data discovery tool DataMapper. The tool is created to help companies to comply with GDPR’s data management requirements.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit