GDPR Compliance Checklist for Small Businesses in 2026
GDPR enforcement has matured. Supervisory authorities are no longer only going after big tech — they're auditing SMEs, fining HR departments for improper consent, and scrutinizing vendor contracts. Here's a practical checklist of what your small business actually needs to have in place.
Why This Checklist Exists
Most GDPR guides online are either written for multinationals (irrelevant) or for websites collecting cookie consent (incomplete). If you're running a 10–150 person EU business, you're in a different risk profile: you have employees, customers, vendors, and probably a CRM, payroll system, and marketing tool — each of which touches personal data.
The GDPR has been in force since May 2018. Eight years in, ignorance is no longer a mitigating factor. The Hellenic DPA (HDPA), Germany's BfDI, France's CNIL, and their equivalents across the EU have all issued enforcement decisions against SMEs in the past two years. The fines are smaller than the headline €20 million cases, but €25,000–€100,000 for a 50-person company is material.
This checklist covers the minimum viable compliance posture for an EU SME in 2026. It is not exhaustive — some businesses in healthcare, finance, or high-volume B2C will need more — but it covers what's most commonly audited and most commonly missing.
Important: This checklist is informational guidance, not legal advice. GDPR compliance depends on your specific data processing activities, jurisdictions, and business context. Use this as a starting point for a proper compliance review with qualified counsel.
Section 1: Data Inventory and Mapping
You cannot protect data you don't know you have. Data mapping is the foundation of GDPR compliance and the first thing any supervisory authority will request in an audit.
- Identify all personal data categories you process: employee data, customer data, prospect data, vendor contacts, website visitor data.
- Document where each category is stored: CRM, HR system, payroll, email platform, accounting software, cloud storage.
- Map data flows: where does data come from, where does it go, who has access, and is it transferred outside the EU/EEA?
- Record retention periods for each data category (how long do you keep it and why).
- Identify all third-party vendors that process personal data on your behalf (your processors).
The GDPR (Article 30) requires a Record of Processing Activities (ROPA) for businesses with 250 or more employees, but supervisory authorities expect smaller businesses to maintain something equivalent when an incident occurs. Build it now, before you need it.
Section 2: Legal Basis for Processing
Every processing activity needs a lawful basis under GDPR Article 6. "We've always done it this way" is not a lawful basis. Neither is "it's in our privacy policy."
- For each processing activity in your inventory, identify the legal basis: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests.
- For consent-based processing: ensure consent is specific, informed, freely given, and recorded. Bundled or pre-ticked consent is invalid.
- For legitimate interests: conduct and document a Legitimate Interests Assessment (LIA) — balancing your interests against the individual's rights.
- For employee data: most employment-related processing relies on legal obligation (e.g., payroll tax reporting) or contract performance. Relying on employee "consent" is problematic due to the power imbalance; this is a common error in SME HR practice.
- Review your marketing database: anyone added before May 2018 without a documented lawful basis needs to either be re-consented or removed.
Section 3: Privacy Notices and Transparency
GDPR Articles 13–14 require you to provide individuals with specific information about how you process their data — at the time of collection, in plain language, without hiding it in a 40-page document.
- Website privacy notice: covers website visitors, contact form submissions, and cookie data. Must identify the controller, legal basis, retention periods, and data subject rights.
- Employee privacy notice: given to all employees at the start of employment. Must cover all employee data processing — HR records, payroll, performance management, IT monitoring if applicable.
- Customer privacy notice: provided at or before the point of collecting customer data. Must be specific to your actual processing, not a generic template.
- Cookie banner: compliant with the ePrivacy Directive and national implementations. A compliant banner allows users to reject non-essential cookies (analytics, marketing) before they're set. A banner that only has "Accept All" is not compliant.
Section 4: Data Subject Rights
Individuals have rights under GDPR Articles 15–22 that you must be able to fulfill. Having a privacy policy that lists these rights is not sufficient — you need processes to actually respond to them.
- Designate who in your organisation handles data subject requests (DSRs). This should be a named person or role, not "whoever gets the email."
- Create an intake process: a dedicated email address (e.g., privacy@yourcompany.com) or web form for requests. Document all requests received and your responses.
- Establish response timelines: you have 30 days to respond to most requests (extendable to 90 days for complex cases, with notification within 30 days).
- Test your access request process: can you actually compile all data held about a specific individual across all your systems in 30 days? If not, fix the systems problem now.
- Erasure/right to be forgotten: define which requests you must honor vs. which you can legitimately refuse (e.g., legal retention obligations for financial records).
Section 5: Data Processor Agreements
If a third party processes personal data on your behalf — a payroll provider, a marketing email platform, a cloud storage provider, an analytics tool — you are the controller and they are the processor. GDPR Article 28 requires a written contract between you.
- Identify all your data processors (see your data inventory from Section 1).
- Confirm you have signed Data Processing Agreements (DPAs) with each processor. Most major SaaS providers have standard DPAs — check their legal/compliance pages if you haven't signed one yet.
- Check that each DPA includes: subject matter and duration, nature and purpose of processing, data categories, controller's instructions, processor obligations (confidentiality, security, deletion), audit rights, sub-processor notification requirements.
- International transfers: if any processor stores or processes data outside the EU/EEA (US cloud providers, for example), check what transfer mechanism applies: Standard Contractual Clauses (SCCs), adequacy decision, or other. The Schrems II ruling and subsequent enforcement means this is actively audited.
- Sub-processors: your processor's DPA should list or notify you of sub-processors. If your email platform uses a US sub-processor for email delivery, that transfer needs to be covered.
Common gap: Many SMEs have DPAs with their big vendors (Google, Microsoft, HubSpot) but not with smaller ones — the recruitment platform, the document e-signing tool, the accounting software. Audit your SaaS stack against your data map.
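As an added example (not part of the original article), a small script that runs the Section 1 data map against the Section 5 checks: each processor needs a signed DPA, a recorded retention period, and a transfer mechanism for every non-EU/EEA storage location or sub-processor. The vendors, countries and retention periods in SAMPLE_MAP are constructed, and the EEA country list is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed EU/EEA member list (ISO 3166-1 alpha-2); adequacy countries are not included here
# because an adequacy decision is recorded per flow as its transfer_mechanism.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IS",
       "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}


@dataclass
class DataFlow:
    """One row of the data map: a data category and the processor that holds it."""
    category: str                    # e.g. "employee payroll"
    system: str                      # the processor / SaaS tool
    country: str                     # where the processor stores the data
    dpa_signed: bool                 # Article 28 contract on file?
    transfer_mechanism: Optional[str] = None   # "SCC", "adequacy" or None
    retention: Optional[str] = None            # e.g. "7 years (tax law)"
    sub_processors: List[str] = field(default_factory=list)  # countries of sub-processors


def audit_data_map(flows: List[DataFlow]) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs for the gaps a supervisory authority would ask about."""
    findings = []
    for f in flows:
        if not f.dpa_signed:
            findings.append((f.system, "no Article 28 DPA on file"))
        if f.retention is None:
            findings.append((f.system, f"no retention period for '{f.category}'"))
        # Every storage location outside the EU/EEA, including sub-processors, needs a mechanism
        for country in [f.country, *f.sub_processors]:
            if country not in EEA and f.transfer_mechanism is None:
                findings.append((f.system, f"transfer to {country} without SCCs or adequacy decision"))
    return findings


# Constructed sample data map; vendor names and terms are illustrative only
SAMPLE_MAP = [
    DataFlow("employee payroll", "PayrollCo", "GR", True, retention="7 years (tax law)"),
    DataFlow("customer contacts", "CRM SaaS", "US", True, transfer_mechanism="SCC", retention="contract + 3 years"),
    DataFlow("candidate CVs", "RecruitTool", "IE", False, sub_processors=["US"]),
    DataFlow("newsletter list", "MailTool", "DE", True, retention="until unsubscribe", sub_processors=["US"]),
]

if __name__ == "__main__":
    for system, finding in audit_data_map(SAMPLE_MAP):
        print(f"{system}: {finding}")
```

The smaller tools in the sample (RecruitTool, MailTool) are the ones that surface findings, which is the pattern the common-gap note above describes.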
Section 6: Security Measures
GDPR Article 32 requires "appropriate technical and organisational measures" — not perfection, but documented risk-proportionate security.
- Encrypt personal data at rest and in transit. This is table stakes. Unencrypted personal data stored in a shared folder is a reportable breach risk.
- Access controls: restrict access to personal data on a need-to-know basis. Former employees' access should be revoked immediately on termination.
- Password policy and multi-factor authentication: especially for accounts with access to customer or HR data.
- Data minimisation: are you collecting data you don't need? Stop. Less data = less risk.
- Regular backups: with tested restoration capability. A backup you've never restored is not a backup.
- Security awareness: at minimum, staff who handle personal data should know what GDPR requires and how to recognise a potential breach.
Section 7: Data Breach Response
GDPR Articles 33–34 require you to report certain breaches to your supervisory authority within 72 hours of becoming aware, and to notify affected individuals "without undue delay" when there's high risk to their rights.
- Define what constitutes a personal data breach in your context. It's not only hacking — a misdirected email containing customer data, an unlocked laptop, or a misconfigured cloud storage bucket all qualify.
- Create an internal breach reporting procedure: how staff report suspected breaches, to whom, and what happens next.
- Know your supervisory authority and their reporting portal. For Greece, it's the HDPA (dpa.gr). For Germany, it's the relevant Landesbehörde. Set the bookmark now.
- Maintain a breach register: even breaches you decide don't meet the reporting threshold must be documented internally (Article 33(5)).
- Prepare a breach notification template: not to use verbatim, but so you're not drafting from scratch under time pressure.
Section 8: Do You Need a Data Protection Officer?
Under GDPR Article 37, a DPO is mandatory if you are a public authority, or if your core activities involve large-scale systematic monitoring or large-scale processing of special categories of data (health, biometric, criminal records, etc.).
Most standard EU SMEs do not meet this threshold. However, even if a DPO is not mandatory, many SMEs find it useful to designate an internal "privacy lead" — a named person responsible for GDPR compliance — rather than leaving it undefined.
If you do process special category data regularly (e.g., health information as an employer, or religious/political data), get a qualified legal opinion on whether a DPO is required for your specific situation.
Putting It Together: A Practical Approach
Don't try to achieve perfect GDPR compliance in a week. It doesn't work and the attempt usually produces paper compliance — documents that exist but don't reflect reality — which is arguably worse than nothing when an audit happens.
A practical approach for an SME:
- Month 1: Data inventory and mapping. Know what you have. This is the hardest part and everything else depends on it.
- Month 2: Legal basis documentation and privacy notices. Fix the foundation so you have a clear record of why you process what you process.
- Month 3: Processor agreements and data subject rights process. The operational layer that regulators check first when a complaint comes in.
- Ongoing: Security review, breach procedure testing, annual review of your processing activities as your business changes.
The businesses that get into trouble with GDPR enforcement are usually those that take no action until after an incident. The businesses that navigate audits reasonably well are those with documented processes — even imperfect ones — that show genuine good-faith effort to comply.
Start with the data map. Everything else follows from knowing what you have.