In brief: Implementing the GDPR in an SME is not a year-long project — it can be done in a few structured steps, provided you work with the reality of the business rather than against it. This roadmap draws on around 30 implementation projects since 2018, from medical practices to education providers.
Step 1: Take stock — what happens to which data?
Half a day with the right questions: which personal data enters the company (customers, employees, suppliers), where is it stored, who has access, which tools are in use? The result is the map for everything that follows.
Step 2: Create the records of processing activities
The records of processing activities (Art. 30 GDPR) are mandatory — and at the same time the most useful document of the entire project: for each processing operation, purpose, legal basis, categories, recipients and deletion periods sit in one place. Done well, it answers 80% of all questions that come up later.
Step 3: Clarify the legal bases
Most SME processing operations rest on contract (Art. 6(1)(b)), legal obligation (point (c)) or legitimate interest (point (f)). Consent is needed less often than many believe — and where it is, it must be documented and revocable.
Step 4: Put your processors under contract
Hosting, email, accounting software, cloud storage: anyone processing personal data on your behalf needs a data processing agreement (Art. 28). For providers outside the EU, check in addition: adequacy decision or standard contractual clauses.
Step 5: A privacy policy that matches the website
The most common weak point: boilerplate text describing services that don't (or no longer) exist on the website — or the other way round. The policy must reflect the actual state of affairs: services in use, purposes, legal bases, data subject rights, and the complaint route to the data protection authority.
Step 6: Technical and organisational measures (TOMs)
Encryption, access controls, backups, password rules, handling of mobile devices — documented and appropriate to the risk. For an SME, what counts is traceability, not perfection.
Step 7: Train your staff — short, specific, repeated
Most data breaches are everyday mistakes. A compact training session built around cases from your own business achieves more than any policy sitting in a binder. Since 2025/26, AI topics belong here too: what employees may enter into AI tools and what they may not — think AI Act and transparency obligations.
Conclusion
GDPR for an SME means: set it up properly once, document it leanly, update it annually. The effort is manageable — the alternative (a complaint, a data breach without processes in place, lost trust) is not.