GDPR compliance for SMBs: the core obligations

By ComplyBricks · Last reviewed Jul 12, 2026

The GDPR applies to almost every organisation that handles the personal data of people in the EU/EEA — with no size threshold. This guide covers the core obligations for a small or mid-sized team.

Who it applies to

The GDPR (Regulation (EU) 2016/679) applies to controllers (who decide why and how data is processed) and processors (who process on a controller's behalf) handling the personal data of individuals in the EU/EEA — regardless of where the organisation itself is based. Unlike NIS2, there is no size cut-off: a small company processing personal data is in scope.

The core principles (Art. 5)

All processing must respect: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability — you must be able to demonstrate compliance, not just claim it.

Lawful basis (Art. 6)

You need a lawful basis for each processing activity — typically consent, contract, a legal obligation, vital interests, a public task, or legitimate interests. Pick the right one up front; you can't swap it later to suit yourself.

Key obligations for SMBs

  • Records of processing (ROPA, Art. 30): document your processing activities. Start with our free ROPA template.
  • Data subject rights (Art. 12–23): access, rectification, erasure, portability, objection and more — generally answered within one month.
  • Security of processing (Art. 32): appropriate technical and organisational measures, proportionate to risk.
  • Breach notification (Art. 33/34): notify the supervisory authority within 72 hours where required, and inform affected individuals when the risk to them is high.
  • DPIA (Art. 35): assess high-risk processing before you begin it.
  • Data protection officer (Art. 37): required in specific cases, such as large-scale regular monitoring or large-scale processing of special-category data.
  • International transfers (Chapter V): put safeguards in place for transfers outside the EU/EEA.

The "under 250 employees" myth

Article 30 has a narrow carve-out for organisations with fewer than 250 employees — but it does not apply if the processing is likely to result in a risk to individuals, is not occasional, or includes special-category or criminal-offence data. In practice, most organisations should keep a ROPA anyway.

Start with a ROPA

A record of processing activities is the foundation everything else builds on — it forces you to map what data you hold, why, and where it goes. Use the free ROPA template to begin.

How GDPR relates to ISO 27001 and NIS2

GDPR's Art. 32 security requirement overlaps with ISO 27001's controls and NIS2's Art. 21 measures. Do the security work once and reuse the evidence across all three frameworks.

References

  • GDPR — Regulation (EU) 2016/679: Art. 5, 6, 12–23, 30, 32, 33–34, 35, 37; Chapter V (transfers)

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →