
GDPR Compliance Guide for SMEs

Updated April 2026 · EU GDPR 2016/679 · EDPB aligned

EU GDPR applies to every organisation that processes personal data of individuals in the EU — regardless of where the organisation is established. This guide covers the full scope of obligations under Regulation (EU) 2016/679, with EDPB guidelines referenced throughout. For the UK-specific version covering UK GDPR and DPA 2018, see the UK GDPR compliance guide.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.
Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679) and EDPB published guidelines. It is informational only. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.

What EU GDPR is

GDPR — the General Data Protection Regulation, Regulation (EU) 2016/679 — became applicable on 25 May 2018, replacing the Data Protection Directive 95/46/EC. Unlike a directive, it applies directly in all EU member states without national implementing legislation, creating a uniform set of rules across all 27 member states. It is enforced by national data protection authorities (DPAs) and coordinated at EU level by the European Data Protection Board (EDPB).

Who must comply

EU GDPR applies to any organisation established in the EU that processes personal data. Under Article 3(2), it also applies to organisations outside the EU that offer goods or services to EU individuals or monitor their behaviour. There is no minimum size threshold. Every data controller subject to GDPR must be able to demonstrate compliance — the accountability principle under Article 5(2) is not optional.

The five governance areas

1. Data audit and mapping

Before any other obligation can be addressed, an organisation must know what personal data it holds, why, where it came from, who it shares it with, and how long it keeps it. This is the foundation of the Article 30 Record of Processing Activities (ROPA) — the document supervisory authorities request first in any investigation.

2. Lawful basis and consent

Every processing activity must have a documented lawful basis under Article 6. For special category data, an Article 9(2) condition must also be documented. Where legitimate interests are relied upon, a Legitimate Interests Assessment must be conducted and retained. Where consent is relied upon, a valid consent record must be maintained.

3. Privacy notices, policies, and processor agreements

Articles 13 and 14 transparency requirements mandate that data subjects are informed of processing purposes and lawful basis at the point of data collection. Where personal data is processed by a third party on your instructions, a Data Processing Agreement compliant with Article 28(3) must be in place before processing begins.

4. Data subject rights and security

Articles 15 to 22 give data subjects eight distinct rights, each requiring an operational procedure. Technical and organisational security measures appropriate to the risk must be implemented under Article 32. A breach log and 72-hour notification procedure should be in place before any breach occurs.

5. Training, accountability, and ongoing governance

Article 5(2) requires organisations to demonstrate compliance. Staff training should be documented. Internal review processes are commonly used to demonstrate compliance with the accountability principle. Where a DPO is required under Article 37, their appointment and independence must be evidenced. Compliance is an ongoing obligation — not a one-time project.

Enforcement

National DPAs can issue fines of up to €20 million or 4% of annual worldwide turnover for serious breaches under Article 83(5), and up to €10 million or 2% of turnover for less severe infringements. EU GDPR enforcement has produced some of the largest data protection fines in history. National DPAs also investigate SMEs — subject access request (SAR) failures, inadequate security, and marketing without consent attract consistent enforcement action across member states.

The evidence record

Compliance that cannot be demonstrated is, from a regulatory perspective, no compliance at all. GDPRLedger governs the proof that the work was done — 54 tasks for Standard, 87 for the professional services Pro tier — producing a timestamped, SHA-256 tamper-evident evidence pack that is yours permanently.
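To make concrete what "timestamped, SHA-256 tamper-evident" means for an evidence record, here is an added illustration of the underlying idea: each dated entry carries a SHA-256 hash that also covers the previous entry's hash, so any later edit, backdating or reordering breaks the chain on re-verification. This is example code written for this guide; it is not GDPRLedger's code or file format, and the entry fields, the all-zero genesis anchor and the sample entries are constructed for the demonstration.

```python
"""Tamper-evident evidence log built as a SHA-256 hash chain.

Added example for this guide; not GDPRLedger's implementation.
Fields (prev, ts, task, note) and the genesis anchor are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # assumed anchor: the "previous hash" of the first entry


def _entry_hash(prev_hash: str, timestamp: str, task: str, note: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content
    # always produces an identical digest.
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "task": task, "note": note},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: List[dict], task: str, note: str,
                 timestamp: Optional[str] = None) -> dict:
    """Append a dated record whose hash is bound to the entry before it."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "ts": ts, "task": task, "note": note}
    entry["hash"] = _entry_hash(prev, ts, task, note)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every digest and link.

    Returns (True, None) if the chain is intact, otherwise
    (False, index) where index is the first entry that fails.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        recomputed = _entry_hash(e["prev"], e["ts"], e["task"], e["note"])
        if e["prev"] != prev or recomputed != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    # Constructed sample entries with fixed timestamps so the run is deterministic.
    log: List[dict] = []
    append_entry(log, "ROPA", "Article 30 record reviewed",
                 "2026-04-01T09:00:00+00:00")
    append_entry(log, "DPA", "Processor agreement signed with payroll vendor",
                 "2026-04-03T14:30:00+00:00")
    append_entry(log, "SAR", "Access request answered within one month",
                 "2026-04-10T11:15:00+00:00")
    return log


def backdating_demo() -> Tuple[bool, Optional[int]]:
    """Silently rewrite the date on the second entry; verification flags index 1."""
    log = build_sample_log()
    log[1]["ts"] = "2026-03-20T14:30:00+00:00"
    return verify_chain(log)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))   # (True, None)
    print("backdated:", backdating_demo())               # (False, 1)
```

A chain like this detects modification, insertion, reordering and deletion of any entry in the middle of the record, because every link after the change stops matching. It does not by itself detect removal of the newest entries, and anyone holding the file can recompute the whole chain; the latest hash therefore has to be recorded somewhere the record keeper cannot quietly change (a third party, a signed timestamp, or a printed copy filed with a date) for the pack to serve as evidence rather than just a consistency check.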

Record this. Every governance decision, every policy update, every rights request handled, every data processing agreement executed — must be recorded with a date. Supervisory authorities do not assess intentions. They assess evidence.

Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679) and EDPB published guidelines as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.

Early access

GDPRLedger is coming soon

Join the early access list and be notified when the programme opens. €149 Standard · €499 Pro · One-off payment · No subscription.

No spam. Your email is used only to notify you of programme launch.