GDPR has been in force since 2018. Enforcement in 2025 hit record levels — over EUR 2.3 billion in fines, with a growing share directed at SMBs. Regulators have built out their capacity. Complaints from individuals trigger investigations regardless of company size.
The good news: most GDPR enforcement against smaller businesses follows predictable patterns. Missed data subject requests, non-compliant cookie banners, missing data processing agreements, no breach response plan. These are not technical failures. They are process failures — and they are fixable.
Here is what you need to do.
1. Map every piece of personal data you collect, process, and store
This is your Record of Processing Activities (ROPA). It documents what data you hold, where it lives, who has access to it, and why you're processing it. Under GDPR Article 30, most businesses are required to maintain this record.
If you don't know where the data is, you can't protect it — and you can't demonstrate compliance. Start here.
2. Identify your legal basis for each processing activity
GDPR requires a lawful basis for every processing activity. The main options are consent, contract, legitimate interest, legal obligation, vital interests, and public task. Each has different implications.
Consent requires freely given, specific, informed, and unambiguous agreement. It must be as easy to withdraw as to give. Legitimate interest requires a documented balancing test. Document your basis for each activity in your ROPA — and revisit it when processing changes.
3. Sign a Data Processing Agreement with every SaaS tool that touches personal data
If a third-party tool processes personal data on your behalf, that tool is a data processor and you need a signed Data Processing Agreement (DPA) with them. This applies to Slack, HubSpot, Google Workspace, your CRM, your analytics platform, your email marketing tool — all of them.
Many providers offer a DPA as a self-service document in their settings or legal pages. The process usually takes minutes. The risk of not doing it is an enforcement finding.
For processors outside the EU and EEA, check that adequate data transfer mechanisms are in place — Standard Contractual Clauses, an adequacy decision covering their country, or Binding Corporate Rules.
4. Audit your cookie banner
Open your website in an incognito browser window. Watch the network tab as the page loads. If tracking, analytics, or marketing scripts load before you interact with the cookie banner, you are in violation.
Pre-checked consent boxes, cookie walls that deny access to users who decline, and "accept all or leave" designs are also non-compliant. The French data protection authority (CNIL) publishes clear guidance on what constitutes valid cookie consent. It is one of the first things regulators check during an investigation.
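The network-tab check in step 4 can be made repeatable: save the network panel from an incognito load as a HAR file, note the time you first clicked the banner, and let a script list every request that went to a third party before that moment. The Node.js script below is an added example, not part of the article or any product it mentions; the HAR sample, the consent timestamp and the tracker host list are constructed for illustration.

```javascript
// Added example: flag third-party requests fired before the cookie banner was touched.
// Input is a DevTools "Save all as HAR" export (HAR 1.2: log.entries[].startedDateTime,
// log.entries[].request.url). Tracker list and sample data are constructed, not exhaustive.

const TRACKER_HOSTS = ['google-analytics.com', 'doubleclick.net', 'facebook.net', 'hs-scripts.com'];

function hostOf(url) {
  return new URL(url).hostname;
}

// A host counts as a known tracker if it equals, or is a subdomain of, a listed host.
function isTracker(hostname) {
  return TRACKER_HOSTS.some((t) => hostname === t || hostname.endsWith('.' + t));
}

// siteHost is the site's registrable domain (e.g. 'example.com'), so www. and cdn. are first-party.
// consentAt is the ISO timestamp of the first interaction with the banner.
// Returns every non-first-party request that started before consentAt, classified.
function preConsentRequests(har, siteHost, consentAt) {
  const cutoff = Date.parse(consentAt);
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after the click: not a finding
    const host = hostOf(entry.request.url);
    if (host === siteHost || host.endsWith('.' + siteHost)) continue; // first-party
    findings.push({
      host,
      url: entry.request.url,
      kind: isTracker(host) ? 'tracker' : 'third-party', // third-party still needs a human look
      started: entry.startedDateTime,
    });
  }
  return findings;
}

// Constructed HAR: four requests during page load, one after the banner was clicked.
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  { startedDateTime: '2025-01-15T10:00:00.000Z', request: { url: 'https://www.example.com/' } },
  { startedDateTime: '2025-01-15T10:00:00.250Z', request: { url: 'https://cdn.example.com/app.js' } },
  { startedDateTime: '2025-01-15T10:00:00.400Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2025-01-15T10:00:00.500Z', request: { url: 'https://fonts.gstatic.com/s/roboto.woff2' } },
  { startedDateTime: '2025-01-15T10:00:09.000Z', request: { url: 'https://js.hs-scripts.com/123.js' } },
] } };
const CONSENT_CLICK_AT = '2025-01-15T10:00:08.000Z'; // constructed: when the banner was clicked

for (const f of preConsentRequests(SAMPLE_HAR, 'example.com', CONSENT_CLICK_AT)) {
  console.log(`${f.started} ${f.kind.padEnd(11)} ${f.url}`);
}
```

Anything reported as `tracker` before the click is the violation the step describes; `third-party` rows (fonts, CDNs) need a manual decision on whether they set identifiers.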
5. Update your privacy policy to reflect what you actually do
Most GDPR enforcement actions include a review of the company's privacy policy. The most common finding: the policy is a generic template that doesn't accurately describe the company's actual data processing.
Your privacy policy must cover what personal data you collect, why you collect it, the legal basis for processing, how long you retain it, whether you transfer it outside the EU, what rights data subjects have, and how to exercise those rights. Update it when your processing changes.
6. Build a data subject request process
GDPR gives individuals the right to access their data, have it corrected, have it erased, have it transferred, and object to certain processing. You have 30 days to respond to each request (extendable to three months for complex cases, with notice given).
If nobody on your team knows who handles these requests, you don't have a process. Assign a named individual. Create a simple tracking mechanism. Test it by submitting a test request yourself.
7. Document your data retention periods
Keeping personal data longer than necessary is a GDPR violation. You must define how long you keep each category of data — customer data, employee data, prospect data, supplier data — and implement the deletion or anonymisation at the end of that period.
Write it down in your ROPA. Then build the process to actually execute the deletion. A retention policy that exists on paper but isn't enforced is a compliance gap waiting to be found.
8. Conduct a Data Protection Impact Assessment for high-risk processing
A DPIA is required before you start any processing that is "likely to result in a high risk" to individuals. This includes new technologies, large-scale profiling, systematic monitoring, and processing of special category data.
The DPIA documents what you're doing, why the risk is acceptable, and what mitigations are in place. It's not a one-time document — it should be reviewed when the processing changes.
If your DPIA identifies a high residual risk that you can't mitigate, you must consult your data protection authority before proceeding.
9. Train every staff member who handles personal data
Your compliance documentation means nothing if your team doesn't know what to do. Every person who handles personal data — which, in most businesses, is most staff — needs training covering what personal data is, what GDPR requires, how to handle data subject requests, and how to recognise and report a data breach.
Once at onboarding is not enough. Document the training. Date it. Repeat it annually. In an investigation, regulators will ask for evidence of training completion.
10. Build a breach response plan before you need one
The 72-hour breach notification clock starts the moment you become "aware" of a breach — not when forensics is complete, not when legal has reviewed it. If a breach could have been detected earlier with reasonable monitoring, regulators will hold you to when it should have been detected.
Your breach response plan needs to define: who declares that a breach has occurred, who notifies the relevant supervisory authority, who notifies affected individuals if required, and who documents the incident and the response. Run a tabletop exercise before you need it.
Knowing the 10 steps and having them documented, monitored, and auditable are two different things.
A checklist tells you what to do. ComplyOne helps you prove you've done it — with AI-powered monitoring across your obligations, automated gap detection, and audit-ready documentation.
Check your GDPR compliance
Take the free compliance health check and find out where your gaps are — before a regulator does.
This article is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a qualified attorney licensed in your jurisdiction.
