Many small companies treat GDPR as a formality they once dealt with using a single template regulation from the internet. Others go to the opposite extreme and are afraid of every email. The truth lies in between. GDPR is common sense in handling people’s data, dressed up in a few specific obligations. I show where to start so you do it properly and without going overboard.

Start with what data you hold

You cannot protect something you have forgotten about. The first step is a simple inventory.

  • Write down whose data you process: customers, employees, contractors, job candidates.
  • Note where that data sits: in the accounting system, in email, in the CRM, in files on a drive.
  • Check who has access to it and whether they really need it.

This exercise alone usually reveals a few places worth tidying up.

Record of processing activities

This is a document that sounds intimidating but is simply a list: what data, for what purpose, on what basis and how long you keep it.

  • For a small company a simple table is usually enough.
  • Update it when a new system or a new purpose of processing appears.
  • It is the first document the authority will ask for during an inspection.

Every processing of data must have a basis. It is not always consent.

  • Performing a contract with a customer is the most common and natural basis.
  • A legal obligation, for example with HR and accounting records.
  • Consent where there is no other basis, for example with a marketing newsletter.

The most common mistake in small companies is collecting consent for everything, even where the basis is a contract. This creates an artificial problem and paperwork that protects nothing.

Data security, the technical side of GDPR

This is what people forget most often, and it is exactly where the leaks happen that end in a fine and a report to the authority.

  1. Enable MFA and sensible passwords on accounts with access to data.
  2. Take care of backups, because losing data is also a breach.
  3. Encrypt the drives in laptops, so a lost device is not a leak.
  4. Revoke access from people who have left the company.

GDPR explicitly requires adequate technical measures. Good IT security fundamentals are at the same time a way to meet that obligation.

Handling rights and breaches

People have the right to ask about their data, and the company has an obligation to respond.

  • Be prepared for requests for access, rectification or erasure of data.
  • Decide who in the company answers such requests.
  • Remember the rule: a serious breach is reported to the authority within 72 hours.

Do you need a Data Protection Officer

Not every small company has to appoint a DPO. The obligation mainly applies to entities whose core activity involves processing data on a large scale or processing special categories of data. If you are unsure, it is worth verifying, because an error either way is costly.

Summary

GDPR in a small company is a few sensible steps: know what data you have, write down the record, establish the bases, take care of security and prepare for questions. You do not need a binder full of documents, you need order.

If you want to check where you really stand, a good start is a GDPR audit, and if it turns out you need day-to-day support, take a look at DPO outsourcing. It is better to sort this out calmly now than to explain yourself after a breach.