GDPR Obligations | Updated: 7 April 2026 | 6 min read

GDPR Checklist for SMEs: Everything You Need to Know

Not sure where to start with GDPR? This checklist gives you a step-by-step overview of everything you need to arrange as an SME, without legal jargon.

Key Takeaways
  • You don't have to do everything at once - start with the basics and build from there
  • The five key steps: processing register, privacy policy, data processing agreements, breach procedure, and data subject rights
  • Most SMEs can get the basics in order within 2-4 weeks
  • Compliance is not a one-time project but an ongoing process

The basics in 5 steps

You don’t need to hire a privacy lawyer to become GDPR-compliant. Most SMEs can handle the basics themselves once they know what’s needed. Below are the five steps, in order of priority.

Step 1: Processing register

What: an overview of all activities in which you process personal data.

Why: the supervisory authority can request this at any time. It’s also your own reference - if you don’t know what data you process, you can’t properly manage the rest.

What it should include per activity:

  • The purpose of the processing
  • The categories of personal data
  • The categories of data subjects
  • The recipients of the data
  • The retention period
  • The security measures

Read our article on the processing register for more details.

Step 2: Privacy policy

What: a document explaining to customers, website visitors, and employees how you process their personal data.

Why: it’s your legal obligation to inform. Everyone whose data you process has the right to this information.

What you need:

  • A website privacy policy (linked in the footer of every page)
  • An internal privacy policy for employees

Never copy a privacy policy from the internet. Read our article on drafting a privacy policy.

Step 3: Data processing agreements

What: a contract with every external party that processes personal data on your behalf.

Why: without a data processing agreement, you are not allowed to have personal data processed by a third party.

Who do you need one with?

  • Your accountant
  • Your email tool (Mailchimp, ActiveCampaign)
  • Your cloud storage (Google Workspace, Microsoft 365)
  • Your web host
  • Your payroll processor
  • Your CRM system

Template: Data Processing Agreement (DPA)

A ready-to-use data processing agreement you can send directly to your processors.

View template

Step 4: Breach procedure

What: a documented procedure for what to do when a data breach occurs.

Why: a data breach must be reported to the supervisory authority within 72 hours. If you still need to figure out what to do at that point, you won’t meet the deadline.

What you need:

  • A procedure describing who does what during a breach
  • A breach register to document incidents
  • Templates for notifying the supervisory authority and data subjects

Read our article on data breaches.

Template: Breach Notification

Notification form for the supervisory authority and a template for notifying data subjects.

View template

Step 5: Data subject rights

What: a procedure for handling requests from individuals whose data you process.

Why: data subjects can ask for access, rectification, or erasure of their data. You must respond within one month.

What you need:

  • A procedure: who receives requests, who handles them, how you document it
  • Templates for standard responses
  • A request register

Read our article on data subject rights.

Template: Response to Access Request

Standard responses for access requests, rectification requests, and erasure requests.

View template

Extended checklist

Documentation

  • Processing register completed
  • Website privacy policy published
  • Internal privacy policy for employees drafted
  • Data processing agreements signed with all processors
  • Cookie policy drafted (if your website uses cookies)

Procedures

  • Breach procedure documented
  • Breach register set up
  • Procedure for data subject requests documented
  • Request register set up
  • Retention periods defined per processing activity

Website

  • Privacy policy accessible via footer link
  • Cookie banner with real choice (accept AND reject)
  • Cookie audit completed
  • Contact forms reference the privacy policy
  • Analytics configured in a GDPR-compliant way

Security

  • Password policy implemented (strong passwords, 2FA)
  • Laptops and mobile devices encrypted
  • Access to personal data restricted on a need-to-know basis
  • Departing employees’ accounts immediately deactivated
  • Backup procedure in place

Organisation

  • Responsible person designated for GDPR within the organisation
  • Employees trained on basics (what is a breach, what is a request)
  • Annual review of processing register and privacy policy scheduled

What you DON’T need (as an SME)

Many businesses think GDPR is more complex than it actually is. As an SME, you probably don’t need:

  • A DPO (Data Protection Officer), unless you process special category data on a large scale
  • A DPIA (Data Protection Impact Assessment), unless you start new high-risk processing
  • An expensive consultant - you can handle the basics yourself with the right tools and information
  • A privacy officer - simply designate someone internally as the contact point

Complete the checklist in 15 minutes?

GDPRWise scans your website and automatically fills in most of this checklist: processing register, privacy policy, cookie audit, and a tailored action list.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.