
GDPR Practical Guide: Why is It Relevant for SMBs?
The General Data Protection Regulation (GDPR) has been applicable since 25 May 2018 to every organisation processing personal data of EU residents — regardless of the organisation's size, sector or location. A sole trader with a customer database, a manufacturing company with an HR system, an online shop with a newsletter or a consulting firm with a CRM: they all fall under the GDPR.
Yet a significant part of the Dutch SME sector still believes that the GDPR is "for large businesses." This misunderstanding carries real risks: the Data Protection Authority has significantly increased its enforcement capacity in recent years and explicitly targets small and medium-sized organisations. In 2024, the authority imposed fines for a variety of violations, ranging from unlawful camera surveillance to late breach notifications.
The ten most common GDPR pitfalls for SMEs
1. No current processing register (RoPA)
Article 30 of the GDPR requires controllers with more than 250 employees to maintain a formal Record of Processing Activities (RoPA). However, smaller organisations must also be able to demonstrate which personal data they process, on what legal basis, for what purpose, for how long and with what security measures. In practice, this register is often missing entirely, or is years out of date and no longer reflects the actual situation.
Solution: Make an inventory of all processing activities (HR data, customer data, vendor data, website analytics, marketing lists) and keep it current. An annual review is the minimum.
2. Missing or incomplete data processor agreements
As soon as a third party processes personal data on your behalf, a Data Processing Agreement (DPA) is legally required. This applies to cloud hosting providers, payroll software, CRM systems, email marketing platforms, HR systems and countless SaaS services. Many SMEs accept standard processor agreements without reading them, or forget them entirely when signing up for new services.
Solution: Create an overview of all external service providers that process personal data on your behalf and verify that valid DPAs are in place. Many vendors offer standard DPAs on their websites or customer portals.
3. No privacy statement or an incomplete one
Your website almost certainly processes personal data: through contact forms, cookies, analytics or newsletter subscriptions. The privacy statement must contain information about: the identity of the controller, the purposes and legal bases of processing, recipients of the data, retention periods, rights of data subjects and the right to lodge a complaint with the authority. A privacy statement that consists of only one paragraph almost never meets these requirements.
4. Unrealistic or missing retention periods
The GDPR requires that personal data are not retained longer than necessary for the purpose for which they were collected. In practice, many companies retain data "to be safe" indefinitely, or have never thought about retention periods. This is a direct violation of the data minimisation principle.
Solution: Set a retention period for each category of personal data and implement automatic or periodic deletion. Take into account legal retention obligations (tax retention requirement: 7 years for financial data) that may differ from GDPR principles.
5. No documented data breach notification process
In the event of a data breach — unintended or unauthorised access to, destruction of or loss of personal data — an organisation must assess within 72 hours whether notification to the authority is required and if so, actually make the notification. Notification to affected individuals may also be required if a high risk to them exists. Without a pre-established process, valuable time is lost in the chaos of an incident.
Solution: Document a simple data breach notification process: who assesses the breach, who makes the notification decision, who notifies the authority, who communicates with affected individuals? Practice this process annually with a tabletop exercise.
6. Unsecured email communication with personal data
Exchanging sensitive personal data (medical data, HR information, financial data) via ordinary unencrypted email poses a security risk. A forgotten CC, a typo in the email address or a phishing attack that grants access to an email account can lead to a reportable data breach.
Solution: For sensitive data sharing, prefer a secure method: an encrypted email solution, a secure customer portal, or a sharing platform with access controls.
7. Invalid marketing consent
To send commercial email, the Telecommunications Act (and implicitly the GDPR) requires unambiguous opt-in consent. Pre-ticked checkboxes, consent hidden in terms and conditions or undocumented verbal consent: these are not valid legal bases. A CRM full of email addresses for which no valid consent exists is a time bomb.
8. No procedure for data subject requests
Data subjects have the right to access, rectification, erasure, restriction of processing, portability and objection. Organisations must respond to such requests within one month. Many companies have no procedure for receiving, recording and responding to these requests, with the result that deadlines are exceeded or requests are simply ignored.
9. Third-country transfers without adequate safeguards
The use of American or other non-EU cloud services (Google Workspace, Microsoft 365, Salesforce, HubSpot, etc.) may constitute a transfer of personal data to third countries. Such transfers are only permitted if there is an adequacy decision, Standard Contractual Clauses (SCCs) have been agreed or other appropriate safeguards are in place. The EU-US Data Privacy Framework (2023) provides some clarity, but the situation requires attention.
10. Insufficient privacy awareness among employees
Most data breaches do not result from advanced cyberattacks but from human action: a wrongly sent email, responding to a phishing email, losing a laptop or USB stick. Without basic training and periodic awareness campaigns, your privacy policy is just a paper tiger.
Sanctions: how real is the risk for SMEs?
The authority has significantly increased enforcement in 2024, with growing attention to SMEs. Fines for SMEs typically range from €10,000 to €150,000, but can increase to the legal maximums in case of repeated violations or serious breaches: €20 million or 4% of worldwide annual revenue. The reputational damage that comes with a publicly announced GDPR violation can in practice outweigh the fine itself.
Quick wins: Four steps to eliminate the greatest risks
Start with: (1) a processing register—inventory all processing activities and document them; (2) current processor agreements—verify each vendor that processes data; (3) a clear, complete privacy statement on your website; (4) a documented data breach notification process that your team knows and practices annually. With these four steps, you eliminate the greatest risks and establish a solid foundation for further GDPR compliance.