AGIDAT – Datenschutz | Informationssicherheit
SMEs

GDPR for SMEs: The Pragmatic Starting Point

Many small and medium-sized businesses don’t know where to start with GDPR. This article gives a structured overview of the most important first steps.

AGIDAT ·

Why GDPR Also Applies to Small Businesses

The General Data Protection Regulation applies to any organization that processes the personal data of EU residents — regardless of its size. That means even a five-person trade business has to operate in a GDPR-compliant way if it processes customer or employee data.

The good news: GDPR is scalable. What amounts to 50 documents for a large corporation can be implemented by an SME in a few well-thought-out steps.

The 5 Most Important First Steps

1. Take stock: what are you actually processing?

Before implementing any measures, you should know what data flows through your organization. Ask yourself the following questions:

  • What customer data do you collect and store?
  • What employee data do you process?
  • Which external service providers have access to your data?
  • What software and SaaS tools do you use?

2. Records of Processing Activities (RoPA)

The RoPA is the core obligation under Art. 30 GDPR. It documents which data you process, for what purpose, how long you retain it, and who has access to it.

For an SME, a well-structured table is often enough. What matters most is that the record is complete and kept up to date.

3. Data Processing Agreements (DPAs) with service providers

If you use external service providers who have access to personal data — such as an email provider, accounting software, or a cloud storage service — you need a DPA. This also applies to many common SaaS tools.

4. Technical and Organizational Measures (TOMs)

Art. 32 GDPR requires "appropriate technical and organizational measures" to protect data. In practice, for SMEs this means:

  • Up-to-date software and security patches
  • Password policies
  • Encryption of sensitive data
  • Access rights based on the need-to-know principle
  • Regular backups

5. Privacy policy and website check

Your website needs an up-to-date privacy policy. Also check whether you use cookies or tracking technologies — these generally require active, informed consent.

When Do You Need a Data Protection Officer?

In Germany, organizations must appoint a Data Protection Officer once at least 20 people are regularly engaged in the automated processing of personal data. For certain categories of data (e.g. health data), the obligation can apply regardless of headcount.

But even without a legal obligation, an external DPO can be worthwhile — it signals credibility to customers and partners and gives you peace of mind.

Conclusion

GDPR compliance isn't a sprint — it's a process. The most important step is the first one: an honest stock-take. After that, everything can be tackled systematically.

Have questions about your specific situation? We offer a free initial consultation.