How to use this checklist
This is a thirteen-step checklist that an SME owner or office manager can work through without legal training. The items are ordered by priority. The first five are the basics every regulator will look for. The next four are operational essentials. The last four keep your compliance posture alive over time.
You don’t have to do all thirteen at once. Most SMEs can finish the first five in two to four weeks at a few hours per week, then layer the rest in.
Part 1 - The basics (steps 1 to 5)
Step 1: Designate a Privacy Coordinator
The check: one named person inside your organisation owns GDPR.
This isn’t a formal Data Protection Officer (DPO) role - that’s reserved for organisations doing large-scale monitoring or processing special category data on a large scale. For most SMEs, “Privacy Coordinator” is the right title: same single point of contact, no formal DPO obligations, no independence requirements.
The coordinator’s job is to keep this checklist green, take incoming privacy questions and complaints, and own the relationship with your supervisory authority if anything goes wrong.
- A named Privacy Coordinator is designated and reachable on a dedicated email (e.g. privacy@yourcompany.com).
- Their role is documented and known to the rest of the team.
Do you actually need a DPO? Read DPO: what is a Data Protection Officer and do you need one?.
Step 2: Maintain a GDPR processing register (ROPA)
The check: a single document listing every activity in which you process personal data.
This is the first thing your supervisory authority will ask for if they come knocking. It’s also your own master inventory: if you don’t know what data you process, you can’t comply with anything else on this list.
For each processing activity, record:
- Purpose (why you’re processing the data)
- Legal basis (consent, contract, legal obligation, vital interests, public interest, or legitimate interests)
- Data categories (names, emails, financial, health, etc.)
- Data subjects (customers, employees, suppliers, prospects)
- Recipients / third parties (your accountant, CRM provider, hosting, etc.)
- Retention period
- Security measures
Keep separate sections for activities where you are the controller versus where you are a processor for someone else. Read Records of processing activities for the full structure.
- Processing register exists and lists every activity touching personal data.
- Controller and processor activities are recorded separately.
- Annual review date is in the calendar.
Step 3: Have a tailored customer privacy policy
The check: a privacy policy on your website, written for your business specifically.
The GDPR is explicit about this: vague boilerplate, copy-pasted policies, or legalese that doesn’t reflect what you actually do are non-compliant. The policy must describe your processes, your legal bases, your processors.
A compliant SME privacy policy covers:
- Who you are (controller, contact email, address).
- The processing activities you run (mirroring your register at a high level).
- The legal basis for each.
- Categories of data and recipients (including platforms like Mailchimp, Stripe, Google Workspace).
- Retention periods.
- International data transfers, if any.
- Data subject rights and how to exercise them.
- Complaint route to your supervisory authority.
Publish it as a top-level link in the footer of every page on your site. Don’t bury it inside terms and conditions.
Don’t copy a policy from another company’s site. Read Drafting a privacy policy for the full guide.
- Customer privacy policy is published.
- Linked from the footer of every page.
- Reflects what you actually do (no boilerplate).
- Includes data subject rights and complaint route.
Step 4: Sign data processing agreements (DPAs) with every processor
The check: a signed processing agreement with every external party that handles personal data on your behalf.
If you don’t have a DPA with a processor, you are not legally allowed to send them personal data. That’s true even if the processor is a household name like Google or Microsoft - the obligation is on you to have the agreement in place.
Typical SME processors:
- Email and marketing platform (Mailchimp, ActiveCampaign, Brevo, etc.)
- CRM (HubSpot, Pipedrive, Salesforce, etc.)
- Cloud storage and office (Google Workspace, Microsoft 365)
- Web hosting and CDN
- Payment processor (Stripe, Mollie, Adyen)
- Payroll and accounting
- Customer support tools
Most major SaaS vendors publish a standard DPA you can sign electronically. For smaller suppliers, send your own.
Template: Data Processing Agreement (DPA)
A ready-to-use processing agreement you can send to any processor that doesn’t already have its own.
View template
- Every processor in your register has a signed DPA on file.
- DPAs are stored centrally and findable.
Step 5: Implement cookie consent (if you set cookies)
The check: a cookie banner that asks for consent before any non-essential cookies are set, and gives a real reject option.
Cookies that can identify a visitor process personal data. Under GDPR plus the ePrivacy Directive, you need consent before setting them - and the consent must be informed, freely given, and as easy to reject as to accept.
Common failure modes regulators fine:
- Cookies set on page load, before any banner is shown.
- “Accept” button styled prominently while “Reject” is hidden or harder to find.
- Pre-ticked boxes.
- “By using this site you accept cookies” - that’s not consent, it’s a notice.
Test your own site: open it in a private window, decline cookies, and check the developer-tools cookie list. If anything non-essential is there, your consent flow is broken.
A quieter option: don’t use non-essential cookies at all. Plenty of SMEs run perfectly well without third-party tracking.
Read Cookies and consent: what you need to know for the full picture.
Template: Cookie audit
Spreadsheet template to inventory every cookie on your site, classify it (essential / functional / marketing / tracking), and decide which to keep.
View template
- No non-essential cookie is set before consent.
- Reject is as prominent as accept.
- Cookie inventory exists, with purpose and retention per cookie.
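The pre-consent test described above (load the site fresh, decline, then look at what was set) can be turned into a repeatable check. The following is an added example, not code from the original checklist: it parses raw Set-Cookie header lines captured on a first page load before the visitor has answered the banner, looks each cookie up in an inventory shaped like the cookie audit (essential / functional / marketing / tracking), and reports every cookie that should not have been set yet. The inventory, the cookie names and the captured header lines are all constructed for illustration.

```javascript
// Added example (not part of the original checklist): flag non-essential cookies
// set before consent. All cookie names, categories and header lines are constructed.

// Constructed cookie inventory, in the shape of the cookie audit spreadsheet.
const COOKIE_INVENTORY = {
  session_id:     { category: "essential",  purpose: "Login session",               retention: "session" },
  csrf_token:     { category: "essential",  purpose: "Form protection",             retention: "session" },
  cookie_consent: { category: "essential",  purpose: "Stores the consent choice",   retention: "1 year" },
  lang:           { category: "functional", purpose: "Language preference",         retention: "1 year" },
  _ga:            { category: "tracking",   purpose: "Analytics visitor id",        retention: "2 years" },
  _fbp:           { category: "marketing",  purpose: "Ad attribution",              retention: "3 months" },
};

// Under GDPR plus ePrivacy, only strictly necessary cookies may be set before consent.
const ALLOWED_BEFORE_CONSENT = new Set(["essential"]);

// Parse one Set-Cookie header line into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit the cookies set on a pre-consent page load. Returns:
//   violations: cookies set before consent whose category is not allowed
//   unknown:    cookies missing from the inventory (the audit itself is incomplete)
//   ok:         cookies that were allowed to be set
function auditPreConsentCookies(setCookieLines, inventory = COOKIE_INVENTORY) {
  const report = { violations: [], unknown: [], ok: [] };
  for (const line of setCookieLines) {
    const cookie = parseSetCookie(line);
    if (!cookie) continue;
    const entry = inventory[cookie.name];
    if (!entry) {
      report.unknown.push(cookie.name);
    } else if (ALLOWED_BEFORE_CONSENT.has(entry.category)) {
      report.ok.push(cookie.name);
    } else {
      report.violations.push({ name: cookie.name, category: entry.category, purpose: entry.purpose });
    }
  }
  return report;
}

// Constructed sample: Set-Cookie headers captured on a first visit, before any
// interaction with the banner. Two of them (_ga, _fbp) should not be here yet.
const SAMPLE_PRE_CONSENT_HEADERS = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "cookie_consent=pending; Path=/; Max-Age=31536000",
  "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.999; Path=/; Max-Age=7776000",
  "ab_test_variant=B; Path=/",
];

console.log(JSON.stringify(auditPreConsentCookies(SAMPLE_PRE_CONSENT_HEADERS), null, 2));
```

Feed it the Set-Cookie lines from the first response in the developer-tools network panel, or from a saved HAR file. One caveat: cookies written by JavaScript (document.cookie) and by third-party scripts never arrive as Set-Cookie headers on your own response, so the developer-tools cookie list from step 5 remains the authoritative view; this script only covers what your server sets directly. An "unknown" result means the cookie inventory is incomplete, which is itself a finding.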
Part 2 - Operations (steps 6 to 9)
Step 6: Operationalise data subject rights
The check: a documented procedure for handling rights requests, with templates and a register.
People whose data you process can ask for access, rectification, erasure, restriction, portability, or to object to processing. You have one month to respond (extendable to three months for complex cases). Missing the deadline is a regulator favourite for fines.
What you need in place:
- A monitored inbox where requests land (often the privacy@ address from step 1).
- A documented internal process: who triages, who fulfils, who signs off.
- Templates for the standard responses.
- A register so you can prove you handled past requests within the deadline.
Read GDPR data subject rights for the full nine rights.
Template: Response to access request
Standard responses for access, rectification, and erasure requests, plus a request register.
View template
- Privacy inbox is monitored.
- DSAR procedure is documented.
- Response templates and register are ready.
Step 7: Breach procedure and 72-hour reporting
The check: a documented procedure that gets you from “something went wrong” to a regulator notification inside 72 hours.
A breach isn’t only a hacker. It includes a colleague emailing client data to the wrong recipient, a lost USB stick, a stolen laptop, accidental deletion, or a misconfigured backup that leaked records.
You need:
- An internal breach log (every incident, regardless of whether it’s reportable).
- A clear test for what is reportable to the regulator (likely to result in a risk to the rights and freedoms of the affected individuals) and what is reportable to the data subjects themselves (high risk).
- Contact details for your supervisory authority pre-filled in the procedure - no scrambling at hour zero.
- Notification templates ready to go.
Read Personal data breach: what to do.
Template: Breach notification
Notification form for the supervisory authority and a template for notifying affected data subjects.
View template
- Breach procedure is documented and known to the team.
- Internal breach log exists.
- Notification templates are pre-filled with your supervisory authority’s details.
Step 8: Direct marketing - source disclosure and opt-out
The check: every direct marketing email or SMS includes a working opt-out, and you can prove where the recipient’s data came from.
GDPR plus ePrivacy add two requirements that catch SMEs out:
- Source disclosure. You must be able to tell a recipient where their personal data came from (signed up on your site, scraped from a public list, bought from a partner, etc.). That implies a process for capturing source on every list import and signup.
- Opt-out in every message. A working “unsubscribe” link in every direct marketing email. Most marketing platforms (Mailchimp, Brevo, etc.) handle this by default, but check.
Once someone unsubscribes, they must stop receiving similar messages - permanently. Re-subscribing them later because they re-entered another funnel is grounds for a fine.
Read Direct marketing under GDPR.
- Every marketing email has a one-click unsubscribe.
- Source-of-data is captured for every list entry.
- Suppression list is honoured across tools (CRM, marketing platform, ad audiences).
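The two requirements above (capture the source of every list entry, and honour unsubscribes across every tool) fit together in one import step. The following is an added example, not code from the original article: it merges the unsubscribe exports of several tools into a single suppression set, then applies that set to a new list import, rejecting suppressed or unsourced entries and stamping every accepted entry with its source and import date. Tool names, addresses and sources are constructed; the email normalisation is a deliberately simple lower-case-and-trim, not a full RFC 5322 parser.

```javascript
// Added example (not the original article's code): one suppression list across
// tools, applied to a list import that records the source of every entry.
// All tool names, addresses and sources below are constructed.

// Normalise an address for matching. Lower-casing the whole address is
// deliberately aggressive: for suppression, matching too much is safer than
// matching too little. Returns null for anything that does not look like an address.
function normaliseEmail(raw) {
  if (typeof raw !== "string") return null;
  const email = raw.trim().toLowerCase();
  const at = email.indexOf("@");
  if (at <= 0 || at !== email.lastIndexOf("@") || at === email.length - 1) return null;
  return email;
}

// Merge the unsubscribe exports of every tool (CRM, marketing platform, ad
// audiences, ...) into a single Set of normalised addresses.
function buildSuppressionList(toolExports) {
  const suppressed = new Set();
  for (const { unsubscribed } of toolExports) {
    for (const raw of unsubscribed) {
      const email = normaliseEmail(raw);
      if (email) suppressed.add(email);
    }
  }
  return suppressed;
}

// Apply the suppression set to an import. An entry is accepted only if the
// address is valid, a source is recorded, and the address is not suppressed.
// Accepted entries carry source and import date so "where did you get my
// data?" can be answered later.
function applyImport(entries, suppressed, importDate) {
  const accepted = [];
  const rejected = [];
  for (const entry of entries) {
    const email = normaliseEmail(entry.email);
    if (!email) { rejected.push({ email: entry.email, reason: "invalid" }); continue; }
    if (!entry.source) { rejected.push({ email, reason: "missing source" }); continue; }
    if (suppressed.has(email)) { rejected.push({ email, reason: "suppressed" }); continue; }
    accepted.push({ email, source: entry.source, importedOn: importDate });
  }
  return { accepted, rejected };
}

// Constructed unsubscribe exports from three tools. Note the inconsistent
// casing and whitespace, which is typical of real exports.
const TOOL_EXPORTS = [
  { tool: "crm",         unsubscribed: ["Anna.Lee@Example.com"] },
  { tool: "mailer",      unsubscribed: [" bob@example.org "] },
  { tool: "ad-audience", unsubscribed: [] },
];

// Constructed import batch, e.g. a partner list plus website signups.
const IMPORT_BATCH = [
  { email: "anna.lee@example.com", source: "webinar signup" },     // unsubscribed in the CRM
  { email: "carol@example.net",    source: "website newsletter form" },
  { email: "dave@example.net" },                                    // no source captured
  { email: "not-an-email",         source: "partner list" },
  { email: "BOB@example.org",      source: "partner list" },        // unsubscribed in the mailer
];

function runSample() {
  const suppressed = buildSuppressionList(TOOL_EXPORTS);
  return applyImport(IMPORT_BATCH, suppressed, "2024-01-15");
}

console.log(JSON.stringify(runSample(), null, 2));
```

The point of the merge is that the suppression set is rebuilt from every tool's export before each import, so an unsubscribe recorded in the CRM blocks a re-add through the marketing platform and vice versa. Rejecting entries without a source is the cheap way to enforce source capture: an entry that cannot answer the disclosure question never enters the list.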
Step 9: Have a separate staff privacy policy
The check: a dedicated privacy policy for employees and contractors, separate from the customer one.
The data you process about staff (payroll, performance, sickness, evaluations, time tracking) is very different from customer data. It also tends to be the source of most GDPR complaints when an employment relationship breaks down. A dedicated staff policy gives you cover.
What to include:
- HR systems and what they hold.
- Performance, sickness, and evaluation records.
- Monitoring (email, internet, building access, cameras) and on what legal basis.
- Retention - how long after someone leaves you keep their record.
- Their rights and how to exercise them.
Read Employee privacy policy: what to tell your staff.
- Staff privacy policy exists and is given to every new joiner.
- Linked or attached to the employment contract.
- Reviewed annually.
Part 3 - Higher care (steps 10 to 13)
Step 10: Special category data check
The check: you have explicitly identified whether you process any special category data, and if so, on which lawful basis.
GDPR Article 9 prohibits processing the following unless one of nine specific exceptions applies:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health data
- Data about sex life or sexual orientation
Most SMEs don’t process any of this on purpose. But you might be touching it without realising: a sickness absence record (health), a dietary preference for an event (potentially religion), a uniform-fit measurement (potentially health), a CV with a photo (potentially racial origin).
Walk through your processing register and flag anything that touches the list above. For each, document the lawful exception (most often: explicit consent, employment-law obligation, or vital interests). If you can’t identify one, stop the processing.
- Each entry in the processing register is checked for special category data.
- Where present, the Article 9 exception is documented.
Step 11: Review security practices
The check: the security measures behind each system in your processing register are documented and adequate.
There is no privacy without security. Your supervisory authority judges what counts as “appropriate” relative to the sensitivity of the data, the state of the art, and the cost - so an SME does not need bank-grade security, but does need defensible basics.
Walk through your register, system by system. For each, check:
Physical security
- For cloud-hosted SaaS: rely on the provider’s certifications (ISO 27001, SOC 2). Save evidence in your DPA file.
- For self-hosted equipment: lock the server room, the filing cabinet, the office. Read Paper document security for documents that aren’t on a screen.
System and software security
- Latest security patches applied.
- Strong passwords enforced; two-factor authentication where the system supports it.
- Access on a need-to-know basis; review who has access twice a year.
- Read Periodic access review.
Data security
- Encryption at rest and in transit on every system holding personal data.
- Backups exist, are encrypted, and have been tested with a real restore.
- Read Information security policy: what should it include.
Vendor security
- DPA on file (covered in step 4).
- For high-sensitivity processors, sub-processor list reviewed.
- Each system in the register has a documented security review.
- Backups are tested at least annually with a real restore.
- Access reviews are scheduled.
Step 12: Privacy awareness training and code of conduct
The check: every staff member who handles personal data has done basic privacy awareness training in the last twelve months.
The human factor is the most consistent source of breaches: phishing, BCC-vs-CC mistakes, attachments to the wrong recipient, weak passwords, sharing accounts, taking unencrypted laptops home. None of those are technical failures. They’re training failures.
A defensible SME training programme:
- Annual privacy and security awareness session for all staff (online, 30-60 minutes).
- Onboarding session for new joiners before they touch personal data.
- A code of conduct that everyone signs, covering privacy, security, and ethical behaviour.
Read The human factor in data breaches and Privacy and ethics: code of conduct.
- Training is done annually and on onboarding.
- Attendance is tracked and stored.
- Code of conduct is signed by every staff member.
Step 13: International considerations and annual review
The check (if applicable): if you serve EU customers from outside the EU, or operate in multiple EU countries, you’ve sorted the cross-border specifics.
You’re outside the EU but sell into it: Article 27 requires an EU-based representative. The cheapest path is a commercial Article 27 representative service.
You operate in multiple EU countries: identify your lead supervisory authority - the one where your main establishment (or main decision-making about processing) is located. That authority leads on any cross-border issue under the one-stop-shop mechanism.
Cross-border data transfers: if you transfer personal data outside the EU/EEA, document the transfer mechanism (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules) for each. Read Approved third countries for non-EU data transfer.
The annual review: once a year, walk back through every check in this article and confirm it is still up-to-date, accurate, and complete. New tools, new staff, new processes and new sub-processors creep in over the year - the annual review is what keeps the checklist truthful instead of aspirational.
Pay particular attention to these four items, where drift is most common:
- Processing register re-walked - every entry verified, new processing activities added, retired ones removed.
- Every linked policy is still accurate - customer privacy policy, staff privacy policy, cookie policy, internal procedures.
- Security review re-run per system - patches, access review, backup-restore test, encryption status.
- Staff training refreshed - everyone has done the annual session; new joiners onboarded; signed code of conduct on file.
And the cross-border specifics:
- Article 27 representative is in place if you sell into the EU from outside.
- Lead supervisory authority is identified for cross-border operations.
- International transfers are documented per system.
- Annual review date is in the calendar for next year.
Master checklist (compact version)
Print this page or copy the below into your tracker.
Documentation
- Privacy Coordinator designated, privacy@ mailbox active
- Processing register (ROPA) complete
- Customer privacy policy published, footer-linked
- Staff privacy policy issued to every joiner
- DPAs signed with every processor
- Cookie inventory and consent flow validated
Operations
- DSAR procedure and templates ready
- Breach procedure and 72-hour-ready notification templates
- Direct marketing: source captured, opt-out works, suppression honoured
- Special category data identified and lawfully justified
Security and people
- System-by-system security review documented
- Backups tested with real restore
- Annual privacy and security training done by every staff member
- Code of conduct signed
- Article 27 representative if outside-EU
- Annual review date in calendar
Common myths and what you don’t actually need
Don’t fall for these
GDPR is often made out to be heavier than it is for SMEs. Some of what you’ve heard is myth, and some of what gets sold to you isn’t actually required. The list below clears both up.
Common SME misconceptions
“GDPR only applies to big companies.” It applies to anyone processing personal data, regardless of size. Read why.
“Small businesses never get fined.” They do, and the fines scale with what an SME can pay. Read more.
“GDPR is just about cookies.” Cookies are one slice; the obligations cover all personal-data processing. Read more.
“I don’t have any personal data.” If you have customers, staff, or suppliers, you almost certainly do. Read more.
“The authorities aren’t interested in me.” Most enforcement starts with a complaint from an individual, not a proactive audit. Read more.
What you can skip (as an SME)
A formal DPO - unless you do large-scale monitoring or large-scale special-category processing. The Privacy Coordinator from step 1 covers the rest.
A DPIA for routine processing - only required for new high-risk processing (large-scale systematic monitoring, large-scale special-category data, automated decisions with legal effect).
An expensive consultant - the basics are handleable in-house with the right templates and tools.
A privacy lawyer on retainer - your supervisory authority’s website has SME-focused guidance, and a one-off legal review at year-end is plenty.
GDPRWise scans your website and automatically fills in most of this checklist: processing register, privacy policy, cookie audit, and a tailored action list.