GDPR compliance for SMEs: step-by-step practical guide

·

Regulation (EU) 2016/679 — known as the GDPR — has been in force since May 2018, yet many Spanish SMEs still operate with privacy policies copied from the internet, forms without a clear legal basis and CCTV systems without the required information notice. Organic Law 3/2018 (LOPDGDD) adapts the European regulation to Spanish law and assigns the Spanish Data Protection Agency (AEPD) responsibility for supervision and enforcement. The sanctioning framework under Article 83 of the GDPR provides for fines of up to €20 million or 4% of total annual global turnover — amounts that, for an SME, can threaten its very viability.

This guide does not replace specialist legal advice or the support of a data protection team, but it does offer a compliance roadmap structured into logical, ordered phases, with verifiable regulatory references. The aim is for the company's decision-maker to know what needs to be done, in what order and when external help is needed.

What does GDPR compliance actually mean?

GDPR compliance is not the same as publishing a privacy policy on your website. Compliance involves a set of organisational and technical measures that affect the company's internal processes: how data is collected, for what purpose, how long it is retained, who can access it and how it is protected. The principle of accountability (Art. 5(2) GDPR) requires the data controller to be able to demonstrate compliance at all times — not merely to claim it.

The starting point is always a diagnosis: knowing what data the company processes, for what purpose and on what legal basis. Without that map, any technical measure is meaningless.

Phase 1: processing inventory and the Record of Processing Activities

Article 30 of the GDPR requires data controllers to maintain a Record of Processing Activities (RPA). This document is not a single form: it is a living inventory that captures, for each processing activity carried out by the company, at least:

To build the RPA, the first step is to identify all the company's data flows: candidates sending their CVs, customers filling in a contact form, employees whose payroll is managed by an external firm, images captured by security cameras, newsletter subscribers. Each of these flows is a processing activity that must be documented.

Phase 2: legal basis for each processing activity

The GDPR does not permit personal data to be processed without a valid legal basis (Art. 6). The six legal bases are: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest task and legitimate interests of the controller. For most SMEs, the most common processing activities rest on three of them:

Assigning the correct legal basis to each processing activity is fundamental, because it determines which rights data subjects can exercise and how the company must respond to access, rectification or erasure requests.

Phase 3: information and transparency towards data subjects

The duty to inform (Arts. 13 and 14 GDPR) requires data subjects to receive, at the point their data is collected, clear information about who processes their data, for what purpose, on what legal basis, for how long it is retained and what rights they have. This information must be concise, transparent and presented in accessible language: an unreadable block of legal text does not comply.

In practice, this affects web forms, clauses in client contracts, notices on CV-collection forms, information signs at CCTV-monitored entrances and information clauses in employment contracts. Every data-collection touchpoint must be accompanied by the corresponding information notice.

Phase 4: CCTV and cameras in the workplace

The installation of CCTV systems is regulated by Article 22 of the LOPDGDD, which requires the placement of a visible information sign indicating the existence of cameras, the identity of the controller and the possibility of exercising data rights. The maximum retention period for images is thirty days, unless they serve as evidence of events that must be reported to police or the courts.

When cameras are installed in the workplace, Article 89 of the LOPDGDD (employee monitoring) also applies. This permits the use of cameras to monitor compliance with employment obligations, but requires the employer to inform employees and their legal representatives expressly, clearly and unambiguously beforehand. Covert surveillance in the workplace — except in very exceptional and documented circumstances — constitutes a serious infringement.

Phase 5: cookie policy and compliance with the LSSI-CE

Cookies that are not strictly necessary for the site to function require prior user consent, in accordance with Article 22(2) of Law 34/2002 on Information Society Services (LSSI-CE) and the AEPD's Guide on the Use of Cookies (updated in 2023). The requirements are demanding:

The AEPD has already sanctioned several companies for cookie banners that did not meet these requirements. Reviewing the site's cookie management system is one of the actions with the greatest external visibility and the lowest correction cost.

Phase 6: contracts with processors

Any company that engages third-party services involving access to personal data — a payroll firm, an email marketing platform, a cloud CRM provider, an external CCTV service — must sign a data processing agreement with those providers (Art. 28 GDPR). This agreement must cover, among other things, the obligation for the processor to process data only on the controller's instructions, to apply appropriate security measures and to delete or return data when the service ends.

The absence of this contract is one of the most frequently detected deficiencies in AEPD inspections and can result in shared liability between the controller and the processor.

Phase 7: security breach management

The GDPR requires data controllers to notify the AEPD of any security breach that poses a risk to the rights and freedoms of data subjects within a maximum of 72 hours of becoming aware of it (Art. 33 GDPR). If the notification cannot be complete within that timeframe, it may be submitted in stages, stating the reasons for the delay.

In addition, where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also communicate it to the affected individuals without undue delay (Art. 34 GDPR), unless technical measures such as encryption have been applied that render the data unintelligible to anyone not authorised to access it.

To manage a breach correctly, the company must have an internal protocol in place in advance that establishes who notifies, how the incident is documented and what the communication channels are. Notification to the AEPD is made through the AEPD's electronic portal.

Phase 8: when is it mandatory to appoint a Data Protection Officer?

A Data Protection Officer (DPO) is mandatory under the circumstances set out in Article 37 of the GDPR: when processing is carried out by a public authority or body, when core activities require large-scale, regular and systematic monitoring of data subjects, or when large-scale processing of special categories of data is involved (health, ethnic origin, sexual orientation, biometric data, among others). The LOPDGDD adds further cases in its Article 34 for the Spanish context.

Even where it is not mandatory, many companies choose to appoint an external DPO as a permanent advisory figure. The DPO's functions (Arts. 38–39 GDPR) include informing and advising the controller, monitoring compliance, cooperating with the AEPD and acting as a contact point for data subjects. The DPO must act with independence and may not receive instructions in the exercise of their functions.

Phase 9: technical and organisational security measures

The security principle (Art. 32 GDPR) requires the implementation of technical and organisational measures appropriate to the risk level of the processing. There is no closed list of mandatory measures: the regulation requires a prior risk analysis and the application of appropriate measures to mitigate those risks. The most common measures for SMEs include:

When is a Data Protection Impact Assessment (DPIA) required?

Where intended processing is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires a Data Protection Impact Assessment (DPIA) to be carried out before the processing begins (Art. 35 GDPR). The AEPD has published lists of the types of processing that require a DPIA and those that do not. If you are unsure whether your company needs one, see our dedicated article on when a DPIA is mandatory.

Frequently asked questions

Is the GDPR the same as the LOPDGDD?

No. The Regulation (EU) 2016/679 (GDPR) is a European regulation that applies directly in all member states. Organic Law 3/2018 (LOPDGDD) is the Spanish law that adapts and complements the GDPR to the national context, adding specificities such as the cases in which a DPO must be designated in Spain or the regime for workplace CCTV. Both instruments coexist and apply simultaneously.

What happens if I suffer a data breach and do not notify the AEPD?

Failing to notify a reportable breach constitutes an infringement of Article 33 of the GDPR. The sanctioning framework under Article 83 provides for fines of up to €10 million or 2% of annual global turnover for this type of infringement (lower tier), and up to €20 million or 4% for the most serious infringements. In addition to the financial penalty, failure to notify can aggravate liability towards the affected data subjects.

Is a privacy policy on the website enough to comply with the GDPR?

No. A privacy policy is a transparency element, but GDPR compliance is far broader: it requires a Record of Processing Activities, documented legal bases, processor contracts, technical and organisational security measures, breach management protocols and, where applicable, a DPO and DPIA. The privacy policy is only the visible layer of a compliance system that must be built from the inside out.

How long does it take to bring an SME into GDPR compliance?

It depends on the complexity of the processing activities and the company's starting point. For an SME of fewer than 20 employees with typical processing activities (clients, suppliers, employees, website), a guided compliance process can be completed in four to twelve weeks. The cost and timescale vary depending on data volumes, the variety of processing activities and the prior state of documentation. For a no-obligation estimate, you can consult our data protection team.

What is different from the compliance process I carried out in 2018?

The initial 2018 compliance exercise was, in many cases, an accelerated documentation exercise. Since then, the AEPD has published new guidelines (cookies, artificial intelligence, workplace CCTV), the Court of Justice of the EU has issued rulings affecting international data transfers, and companies themselves have adopted new digital tools that generate new processing activities. GDPR compliance is not a one-off project: it is a living management system that must be reviewed periodically.