BG Beter Geregeld ICT
AVG & privacy · 2 min leestijd · 21 September 2025 · ★ Pillar-gids

GDPR Compliance for SMBs: The Practical Minimum

GDPR doesn't require a €10,000 project or a DPO for most small businesses. Here's what every SMB actually needs — based on what the Dutch DPA really checks for.

The GDPR applies to every business that processes personal data. For an SMB, that means: everyone. But it doesn't have to turn into a €10k consultancy engagement.

The eight things you need

  1. Records of Processing Activities — what you process, why, and on what legal basis.
  2. Data Processing Agreements (DPAs) with every supplier that handles data on your behalf.
  3. Privacy statement on your website.
  4. A procedure for handling data subject rights (access, rectification, erasure).
  5. Cookie consent on your website.
  6. A procedure for data breach notification (72-hour deadline).
  7. Retention periods documented per data category.
  8. Basic staff training covering phishing, passwords, and data sharing.

When do you need a DPO (Data Protection Officer)?

  • Public authorities — always.
  • Core activity is large-scale monitoring (CCTV operators, marketing trackers).
  • Core activity involves processing "special category" data (healthcare, criminal records).

Most SMBs don't fall into any of these categories. If you do have an obligation, you can bring in an external DPO on an hourly basis.

DPIA: when is one required?

A DPIA is required for high-risk processing activities. For a typical SMB this is rarely the case, unless you work with health data, biometrics, or large-scale profiling.

Enforcement risk

Fines can reach 4% of global turnover. In practice: the Dutch DPA has become stricter with smaller SMBs since 2023. The most common findings are: no records of processing activities, missing DPAs, and overly broad cookie consent.

Overlap with ISO 27001

Already working on ISO 27001? Then 40% of your GDPR work is already done — and the reverse is equally true.

Onderwerpen

#mkb #compliance #avg #privacy

Volledige gids: Cumplimiento GDPR para pymes: el mínimo práctico

Dit artikel is onderdeel van onze uitgebreide AVG & privacy-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

AVG & privacy

Logging IP addresses under GDPR: pseudonymous, personal data, and what's allowed?

An IP address is personal data under GDPR. Security logs often need to retain them for weeks or months. How do you reconcile that with data minimisation principles?

2 min
AVG & privacy

Data Retention Periods by Category for SMBs

How long should you keep customer data, job applicants, invoices, or CCTV footage? Here are the key categories in a clear overview table, with the source for each retention period.

2 min
AVG & privacy

Marketing consent: email, WhatsApp, retargeting — what are you still allowed to do?

Your newsletter, promotional emails, retargeting pixels — they all need a valid consent basis. Here are the concrete rules per channel.

2 min
AVG & privacy

Data subject rights: access, rectification, erasure — a workable procedure

A customer wants to see their data — or have it deleted. You have 30 days. Here's the procedure that gets it done without each request eating up half a week.

2 min
AVG & privacy

Sub-processors outside the EU: what Schrems II still requires

Using AWS, Google, or Microsoft? Then some of your data flows through the US. Since Schrems II, that's no longer a given. Here's what actually works today.

2 min
AVG & privacy

DPIA — Data Protection Impact Assessment: when is it required, and when can you skip it?

A DPIA sounds like something only large enterprises need to worry about. For SMBs it's rarely required — but there are a handful of specific situations where it is. Here's the decision tree.

2 min
← Alle artikelen in "AVG & privacy"