The first question any SME manager asks when a data protection consultant calls is always the same: how much is this going to cost me? The honest answer is that it depends on several factors, but there are indicative market ranges that allow you to budget sensibly. This article details those ranges, explains what drives the price up or down, and clarifies what happens if you do not comply.
The General Data Protection Regulation (GDPR), applicable in Spain since May 2018, requires every organisation that processes personal data to have a documented, proportionate and reviewable system for managing that information. Non-compliance exposes the company to sanctions from the Spanish Data Protection Agency (AEPD) that in 2025 reached 20 million euros or 4% of global business turnover in the most serious cases, and fines of hundreds of thousands of euros for mid-range infringements.
What a full GDPR adaptation for an SME includes
Before talking about euros, it is worth understanding what the process actually involves. A rigorous GDPR adaptation has four main blocks:
- Initial gap analysis: audit of existing processing activities, data flows, supplier contracts and technical measures currently in place.
- Documentary and technical adaptation: preparation of the Record of Processing Activities (RPA), privacy policies, information clauses, data processing agreements with processors, consent management and review of security measures.
- Staff training: basic awareness sessions for employees who handle customer, patient, employee or other categories of data.
- Annual maintenance: updating the RPA when processing activities change, handling requests to exercise data subject rights (access, rectification, erasure…), reviewing contracts with cloud providers and notifying security breaches if they occur.
If the company falls within the cases set out in Article 37 of the GDPR or Article 34 of the Organic Law 3/2018 (LOPDGDD), it will also need to appoint a Data Protection Officer (DPO), who may be internal or external.
Market price ranges in 2026
The prices below are indicative market figures in Spain for 2026, based on the observable offering from specialised consultancies and law firms. They are not Summum's fees; they vary according to the provider, complexity and geographic location.
| Phase / Service | Small SME (1-10 employees) | Medium SME (11-50 employees) | Large SME (51-250 employees) |
|---|---|---|---|
| Initial gap analysis | €400 – €800 | €800 – €1,500 | €1,500 – €3,000 |
| Full adaptation (documentary + technical) | €800 – €1,500 | €1,500 – €4,000 | €4,000 – €10,000 |
| Basic staff training | €200 – €400 | €400 – €800 | €800 – €2,000 |
| Annual maintenance (without DPO) | €400 – €900/year | €900 – €2,500/year | €2,500 – €6,000/year |
| External DPO (when mandatory) | €600 – €1,200/year | €1,200 – €3,000/year | €3,000 – €8,000/year |
Reference sources for the ranges: publications of the General Council of Spanish Lawyers on data protection fees, market surveys by the Spanish Privacy Association (APEP) and observation of the public offering from specialised law firms and consultancies in 2025-2026.
Factors that move the price
1. Volume and type of processing activities
A dental clinic with health data (a special category under Article 9 of the GDPR) or a company that processes data relating to minors requires more robust technical measures and more detailed documentation than a mechanic's workshop with ten customers. The number of distinct processing activities — payroll, video surveillance, marketing, purchase history, commercial communications — multiplies the analysis and documentation workload.
2. Number of data processors
Every supplier that accesses the company's personal data (accountant, email marketing provider, training platform, cloud ERP…) requires a data processing agreement (Article 28 GDPR). SMEs that use many SaaS services or outsource functions have more contracts to review and negotiate. In medium-sized companies with 15-20 technology suppliers, this block alone can represent 30-40 hours of work.
3. Starting point
If the company already underwent an adaptation three years ago and all it needs is to update the RPA and review a couple of contracts, the cost drops dramatically. If it starts from zero — no privacy policy on the website, no clauses in customer contracts, no procedure for handling rights requests — the workload is at its maximum.
4. Industry sector
Healthcare, education, financial services, human resources and video surveillance have additional requirements under the LOPDGDD or sector-specific regulations. A care home or a recruitment firm requires a deeper adaptation than an industrial distributor.
5. Presence of special category data
The GDPR reserves an enhanced protection regime for health data, ethnic origin, political or religious ideology, sexual orientation, biometric data and genetic data. Processing any of these categories requires a Data Protection Impact Assessment (DPIA), which adds between €1,500 and €4,000 depending on the complexity of the processing.
6. Format: one-off project vs. annual subscription
Many providers offer the adaptation as a fixed-price project (one-off cost) plus an annual maintenance fee. Others work on a subscription model from the outset. The subscription has the advantage of including regulatory updates and breach response at no additional cost, reducing the risk of falling out of date after a legal reform or an AEPD ruling that changes the criteria for a particular processing activity.
When is a DPO mandatory?
The Data Protection Officer (DPO) is mandatory, under Article 37 of the GDPR and Article 34 of the LOPDGDD, for:
- Public authorities and bodies.
- Organisations that carry out, on a large scale, processing of special categories of data (health, genetic data, biometric data…).
- Organisations that carry out, on a large scale, systematic monitoring of individuals (for example, security services with mass video surveillance).
- Entities expressly added by the LOPDGDD: operators of electronic communications networks and services, financial and insurance entities, private security companies, gambling establishments, educational centres and private clinics that process health data, among others.
For an average SME that does not fall within the above categories, the DPO is not legally mandatory, although having one — in an external capacity — provides a layer of oversight that the AEPD views positively in the event of an inspection or complaint. If your company does fall into one of those categories, consult the GDPR compliance service at Summum Consultoría to determine the obligation and its exact scope.
What happens if you do not comply: the real cost of non-compliance
The AEPD published its 2025 annual report with data on sanctioning resolutions. The average fine imposed on SMEs for serious infringements (lack of a legal basis, absence of data processing agreements, absence of security measures) was around €15,000 – €80,000. Minor infringements (missing basic information in web forms, outdated privacy policy) are usually resolved with a warning if they are rectified, but serious and very serious infringements carry a financial penalty in the majority of cases.
Beyond the direct fine, you have to account for the reputational cost of a public AEPD resolution — which is published on its website and indexed by Google — and the possibility that customers or employees bring civil actions for damages arising from a poorly managed security breach.
That said, the cost of compliance is structurally lower than the cost of non-compliance in practically every scenario. The question is not whether to comply, but how to do so efficiently.
How to choose a GDPR consultancy provider
The data protection market has grown considerably since 2018 and the offering is very heterogeneous. Some practical criteria for evaluating providers:
- DPO accreditation: although there is no mandatory official certification, recognised schemes are those based on the UNE-EN ISO/IEC 17024 standard or the AEPD's certification programmes. Ask about the demonstrable training and experience of the consultant who will sign off on the file.
- Sector expertise: a consultant who knows healthcare or financial regulation adds more value than a generalist.
- Real maintenance: many projects close with the initial documentation and nobody updates the RPA when the company takes on a new cloud provider or launches a new email marketing campaign. Insist on a maintenance SLA with concrete deadlines.
- Breach management: the GDPR requires certain security breaches to be notified to the AEPD within a maximum of 72 hours. The provider must have a response procedure that includes that notification.
Summum Consultoría has been supporting SMEs across Spain since 2007, with a particular presence in Castile and León (Valladolid, Burgos, Palencia, Aranda de Duero) and the Canary Islands. The team has managed more than 2,000 projects of regulatory compliance for companies in various sectors, and has a thorough knowledge of the AEPD resolutions that most affect Spanish SMEs. If you want to know exactly what the GDPR means for your type of business, the starting point is the GDPR consultancy service for SMEs from Summum.
Frequently asked questions
Does a micro-business with two employees have to comply with the GDPR?
Yes. The GDPR does not set a minimum size threshold for its application. Any organisation that processes personal data — a self-employed person with a customer database, a shop with a CCTV camera, a sole-practitioner clinic with medical records — is subject to the regulation. What the GDPR does provide (Article 30.5) is an exemption from the Record of Processing Activities for companies with fewer than 250 employees, unless their processing is not occasional or includes special categories of data, but in practice this exemption is very narrow and does not exempt the company from its other obligations.
How long does the initial adaptation take?
For an SME with between 10 and 50 employees with typical processing activities (customer data, payroll, video surveillance), a full adaptation usually takes between 4 and 10 weeks from the initial gap analysis to the signing of all documents. The timeline depends on how quickly the company provides the required information and on whether contracts with data processors need to be negotiated with suppliers that are reluctant to include GDPR clauses.
What is the difference between GDPR consultancy and an external DPO?
GDPR consultancy is the adaptation project: analysis, documentation, training and implementation. The external DPO is the figure of ongoing supervision that the GDPR requires of certain organisations: a formally designated professional who acts as the point of contact with the AEPD, monitors internal compliance and advises the data controller. They are two distinct services even if they are offered by the same provider; the DPO does not replace the consultancy but complements it.
Can GDPR consultancy expenses be deducted for corporate tax purposes?
Yes. Expenditure on regulatory compliance consultancy is an ordinary business expense and is therefore deductible for Corporation Tax (or for the self-employed person's Personal Income Tax) provided it is correctly documented with an invoice and justified as a necessary business expense. Consult your tax adviser for the correct accounting treatment (usually account 623 — Independent professional services).