GDPR and Cybersecurity: A Guide for SMEs
The General Data Protection Regulation (GDPR) is an EU law that governs how organizations handle the personal data of people in Europe. It treats data protection as a fundamental right and applies across the European Economic Area. A data breach, or simply mishandling customer data, can lead to a fine. In this article, we explain what GDPR is, why it matters for cyber risk management, and how it affects SMEs and mid-market companies.
- GDPR is not just a privacy law, it is a cybersecurity obligation. The regulation requires you to apply security measures appropriate to the risk: encryption, access controls, multi-factor authentication, tested backups. A data breach triggered by a phishing attack or a misconfigured system is a GDPR matter, not just an IT incident: it starts the notification clock and, if your security measures were not appropriate to the risk, it is a violation.
- You don't need a data breach to get fined. A single customer complaint (someone still receiving marketing after asking to be removed, or a former employee whose data wasn't deleted) is enough to trigger an investigation. Documentation of your decisions and processes is what determines how that investigation ends.
- GDPR is one regulation among several, but a risk-based cybersecurity program covers all of them. NIS2, DORA, and sector-specific rules overlap substantially with GDPR requirements. A program built around understanding and managing your actual cyber risk, rather than ticking compliance boxes, satisfies multiple frameworks without having to be rebuilt from scratch for each one.
What is GDPR and When It Applies to Your Business
The General Data Protection Regulation was adopted by the European Union in 2016 and became enforceable in 2018. It replaced a patchwork of national data protection laws with a single framework that applies across the EU and the wider European Economic Area. Each member state has its own Data Protection Authority responsible for enforcing GDPR within its territory, with the European Data Protection Board coordinating decisions across countries.
GDPR applies to you if:
- You or your company is based in the EU and processes personal data, regardless of where the processing happens
- You or your company is based outside the EU but offers goods or services to people in the EU, or monitors their behavior
What is personal data?
Personal data, according to GDPR, is any information about an identified or identifiable person. That includes:
- Name and address
- ID card or passport number
- Email address and IP address
- Income and financial information
- Location data and online identifiers
- Health and medical records
Some categories of personal data (the "special categories") carry stricter rules: processing them is prohibited unless one of a short list of specific legal grounds applies. These include health data, genetic and biometric data, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and data about a person's sex life or sexual orientation.
What are controllers and processors?
GDPR defines two important roles. Knowing which one you play matters because each carries different obligations.
A data controller decides why personal data is collected and how it will be used. If you run an online store and collect customer email addresses to send order confirmations and marketing, you are the controller of that data. You decide the purpose, the retention period, and who else gets access.
A data processor handles personal data on behalf of a controller, following their instructions. Your email marketing platform, your cloud hosting provider, your payroll service, and your CRM vendor are all processors. They store and use your customer or employee data, but only for the purposes you defined in the contract.
Most SMEs are both at once. You are a controller for the personal data of your own customers and employees, and a processor when you handle data on behalf of a client (for example, an agency running campaigns for a brand, or an IT service provider managing a customer's systems).
Both roles carry direct obligations under GDPR. Controllers are responsible for choosing processors who provide sufficient security guarantees, and for putting written contracts in place that specify what the processor can and cannot do with the data. Processors must follow those instructions, secure the data, and notify the controller without delay if they suffer a breach.
What rights do individuals have?
GDPR gives every person whose data you hold a set of rights you have to respect:
- The right to know what data you hold about them and why
- The right to access a copy of their data
- The right to correct inaccurate data
- The right to have their data deleted
- The right to object to direct marketing
- The right to data portability
In practice, these rights are where most SMEs encounter GDPR day to day: a customer asking for their data to be deleted, a former employee requesting a copy of their file, or a prospect demanding to be removed from your mailing list. Mishandling any of these is one of the most common triggers for a complaint to the data protection authority, and a complaint can lead to a fine without any data breach.
Cyber Risk Management at the Core of GDPR
GDPR was built to protect the personal data of people in the EU, whatever their nationality. The regulation requires you to apply security measures appropriate to the risk, whatever the cause of a potential breach: a phishing attack, a misconfigured cloud system, or an employee mistake. Two principles in particular make these security obligations explicit.
Data protection by design and by default
Data protection by design means privacy considerations are built into a system or process from the start, not patched in afterward. When you choose a new CRM, launch a customer portal, or design an internal tool, the questions to ask up front are: what data do we actually need, how long will we keep it, who should have access, and how will we delete it when the time comes.
Data protection by default means that when a system offers privacy choices, the most privacy-friendly option has to be the starting point. A new social media profile should default to private, not public. A signup form should leave the marketing opt-in unticked, not pre-checked. The user has to take an active step to share more, not to share less.
This principle also reshaped how consent works online. The ePrivacy Directive already required consent for tracking cookies, but GDPR raised the bar on what counts as valid consent: it has to be a clear, affirmative action. That is why pre-ticked boxes and "by continuing to browse, you accept" banners largely disappeared after 2018.
Documentation as proof of compliance
Record keeping is essential under the regulation. Documentation, evidence of testing, and records of decisions are part of GDPR rather than optional good practice. They allow you to prove to the regulatory authorities that you are acting in compliance and meeting your obligations, whether the trigger is a breach, a complaint, or a routine audit.
When a complaint reaches the Data Protection Authority, your documentation is what they assess first. A company that can show consent logs, deletion records, and a clear response trail is in a very different position from one that cannot.
A strong cyber risk management program and a documented cybersecurity policy put you in a much stronger position in any inspection by the Data Protection Authority: they show the regulator what you decided, why, and when.
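The two points above, privacy-friendly defaults and a consent log that can answer a complaint, are easiest to see in code. The following is an added example written for this article; it is not C-Trust code or any product's code. The form field names, the in-memory append-only log, and the sample submissions are all constructed, hypothetical stand-ins. It treats a missing checkbox as "no consent" (a browser omits an unticked box from the submission), records every decision with the wording version the person saw, logs an objection to direct marketing as its own event, and filters a send list at send time so a late objection is never missed.

```python
# Added example for this article (not C-Trust code or any project's code):
# consent capture with a privacy-friendly default, plus the consent log that
# answers a later complaint. Field names, the in-memory log, and the sample
# submissions below are hypothetical and constructed.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

AFFIRMATIVE = {"on", "true", "1", "yes"}  # values a browser sends for a ticked box


@dataclass
class ConsentEvent:
    email: str
    purpose: str          # what the consent covers, e.g. "marketing"
    granted: bool
    at: datetime
    source: str           # where the action happened (form, unsubscribe link)
    wording_version: str  # version of the text the person saw when acting
    evidence: str         # the raw value that was treated as the action


@dataclass
class ConsentLog:
    """Append-only history: events are only ever added, never edited or removed."""
    events: list = field(default_factory=list)

    def record(self, ev: ConsentEvent) -> None:
        self.events.append(ev)

    def latest(self, email: str, purpose: str, as_of: datetime) -> Optional[ConsentEvent]:
        hits = [e for e in self.events
                if e.email == email and e.purpose == purpose and e.at <= as_of]
        return max(hits, key=lambda e: e.at) if hits else None


def normalize(email: str) -> str:
    return email.strip().lower()


def capture_signup(form: dict, at: datetime, log: ConsentLog, wording: str) -> ConsentEvent:
    """Handle a signup form whose marketing checkbox is unticked by default.

    Browsers omit an unticked checkbox from the submission, so an absent field
    is the privacy-friendly default: no consent. Only an explicit affirmative
    value counts, and the decision is logged either way so it can be proven later.
    """
    raw = form.get("marketing_opt_in")
    granted = raw is not None and raw.strip().lower() in AFFIRMATIVE
    ev = ConsentEvent(normalize(form["email"]), "marketing", granted, at,
                      "signup_form", wording, repr(raw))
    log.record(ev)
    return ev


def record_objection(email: str, at: datetime, log: ConsentLog,
                     source: str = "unsubscribe_link") -> ConsentEvent:
    """Right to object to direct marketing: the withdrawal is logged, not just applied."""
    ev = ConsentEvent(normalize(email), "marketing", False, at, source, "n/a", "objection")
    log.record(ev)
    return ev


def marketing_allowed(email: str, log: ConsentLog, at: datetime) -> bool:
    """No record means no consent; otherwise the most recent event up to `at` decides."""
    ev = log.latest(normalize(email), "marketing", at)
    return ev is not None and ev.granted


def build_mailing_list(candidates: list, log: ConsentLog, at: datetime) -> list:
    """Filter the send list at send time, so a late objection cannot be missed."""
    return [e for e in candidates if marketing_allowed(e, log, at)]


def complaint_trail(email: str, log: ConsentLog) -> list:
    """Every consent decision for one person, in order: what a regulator asks for first."""
    hits = sorted((e for e in log.events if e.email == normalize(email)), key=lambda e: e.at)
    return [{**asdict(e), "at": e.at.isoformat()} for e in hits]


# Constructed sample data: three signups, then one objection ten days later.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
T_OBJECT = T0 + timedelta(days=10)
SAMPLE_FORMS = [
    {"email": "Alice@Example.com", "marketing_opt_in": "on"},  # ticked the box
    {"email": "bob@example.com"},                               # left it unticked
    {"email": "carol@example.com", "marketing_opt_in": "off"},  # explicit no
]


def demo() -> dict:
    log = ConsentLog()
    for form in SAMPLE_FORMS:
        capture_signup(form, T0, log, wording="privacy-notice-v3")
    record_objection("alice@example.com", T_OBJECT, log)
    emails = [normalize(f["email"]) for f in SAMPLE_FORMS]
    return {
        "before_objection": build_mailing_list(emails, log, T0 + timedelta(days=5)),
        "after_objection": build_mailing_list(emails, log, T_OBJECT + timedelta(days=1)),
        "alice_trail": complaint_trail("alice@example.com", log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices matter here. The log is append-only, so the answer to "did this person ever agree, and when did they withdraw?" is a query, not a reconstruction. And the check runs against the log at send time rather than against a flag copied into the mailing tool, which is how a person keeps receiving marketing weeks after clicking unsubscribe.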
Your Cybersecurity Obligations Under GDPR
GDPR does not list specific technologies you must deploy. It sets principles and expects you to translate them into measures appropriate for your business.
Technical and organizational measures
GDPR requires "appropriate technical and organizational measures to ensure a level of security appropriate to the risk." That language is deliberately non-prescriptive: there is no fixed checklist of controls every business must deploy. What it does require is a strategy. You have to assess the risk your processing creates for the people whose data you hold, and put measures in place that match that risk. A small B2B firm with a contact database faces a different bar than a company holding payment data and millions of customer records.
That said, data protection authorities across Europe are consistent in what they expect to see. Technical measures they look for include:
- Encryption of personal data, at rest and in transit
- Strong authentication, with multi-factor authentication on accounts that access personal data
- Access controls based on the principle of least privilege
- Tested backups capable of restoring data after an incident
Organizational measures can include:
- A documented information security policy
- Regular employee awareness training
- A process for managing access when employees join or leave
- Contractual data protection clauses with vendors who process data on your behalf
Not knowing the rules is not a recognized defense under GDPR. You are required to understand your obligations and stay compliant. When a data protection authority opens an investigation after a complaint, a breach, or a routine audit, what they want to see is what you did to comply.
What to do in the event of a data breach?
If personal data you are responsible for is breached, you will usually have to notify the authorities. The regulation defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. That covers data stolen by a criminal, data sent to the wrong recipient by mistake, and data made unavailable, even temporarily, by an attack such as ransomware. Notification to the authority is required unless the breach is unlikely to result in a risk to the people concerned.
When this happens, you have to:
- Notify your data protection authority within 72 hours of becoming aware of the breach
- Notify the affected individuals if the risk to them is high
- Document the breach, your assessment, and the actions you took
The 72-hour clock starts when you become aware of the breach, not when the investigation is complete; if you notify later than that, the notification has to explain the delay, and companies that wait can be fined. A documented incident response plan, rehearsed at least once a year, is the difference between a breach you can manage and a breach that becomes a regulatory case.
The Cost of Non-Compliance
GDPR fines can reach up to €20 million or 4% of global annual turnover, whichever is higher. And these fines are not only triggered by data breaches. Any of the following can lead to an investigation:
- A complaint from a customer who keeps receiving marketing after asking to be removed
- A former employee reporting that their data was not erased after they left
- A user requesting access to their data and not getting a timely response (GDPR allows one month, extendable only for complex requests)
- A vendor or partner reporting that you handled their data improperly
- A routine audit by the data protection authority
In other words, GDPR enforcement does not require a hacker. A single complaint to the data protection authority is enough to start an investigation that can quickly expose broader compliance gaps. This is why documentation matters as much as technical controls.
Fines are reaching SMEs
Major fines like the €1.2 billion penalty issued to Meta in 2023 dominate media coverage, but they are not the norm for SMEs. Spain's data protection authority has published over 900 enforcement cases since GDPR took effect, the majority against small local businesses rather than large tech groups. SME fines typically range from €5,000 to €100,000, occasionally more for security-related violations.
How regulators calculate a fine
When calculating a fine, regulators consider:
- The nature and gravity of the infringement
- Whether it was intentional or negligent
- The categories of personal data affected
- Your degree of cooperation with the investigation
- The corrective action you took
A company that has documented its measures, notified promptly, and acted on the gaps is assessed very differently from one that cannot demonstrate any of those things.
GDPR Is One of Several Regulations You Need to Address
GDPR is not a standalone regulatory obligation in the EU. There are a number of other enforceable regulatory frameworks such as NIS2, DORA, the EU AI Act, and a growing list of sector-specific rules that overlap.
NIS2 applies to many mid-market companies in sectors including manufacturing, food production, postal services, and digital providers. DORA applies to financial entities and their critical ICT third-party providers. Both regulations impose security requirements that overlap substantially with GDPR, and go further on incident reporting, supply chain risk management, and board-level accountability.
A security program designed only for GDPR could fall short of NIS2 or DORA. One risk-based cybersecurity program, built around your actual exposure, can satisfy the requirements of all of them.
A Risk-Based Approach Keeps You Compliant
GDPR compliance comes down to a few essentials: knowing what personal data you hold and why, applying security measures that match the risk, documenting your decisions, and being ready to respond when something goes wrong.
That same approach carries over to NIS2, DORA, and the sector-specific rules that may apply to your business. A cybersecurity program grounded in cyber risk management does not need to be rebuilt for each regulation. Once you understand your exposure and have documented how you manage it, any gaps are easier to identify and fix.
For most SMEs, the challenge is not understanding what GDPR requires — it is finding the time and expertise to map their data, assess their controls, and document it all in a way that holds up under scrutiny. That work is hard to do internally without a dedicated security or compliance function, which most mid-market companies do not have.
How C-Trust Can Help
C-Trust is a cyber risk assessment platform built for SMEs and mid-market companies. It asks the right questions to map your cyber exposure across GDPR, NIS2, and DORA in a single assessment, and quantifies your cyber risk in financial terms using FAIR.
The C-Trust Cyber Report shows where your compliance gaps are, with a prioritized action plan ranked by financial impact. It is board-ready for sharing with regulators, customers, and insurers.