7 Common GDPR Mistakes SMBs Make (And How to Avoid Them)

GDPR, Compliance, SMB

The GDPR has been in force for years now. Yet most small and medium businesses keep tripping over the same mistakes. Not because they don't care, but because compliance gets pushed to the back burner when daily operations demand attention. Until a supervisory authority comes knocking. Or a client asks questions you can't answer.

This article walks you through the seven GDPR mistakes we see most often at SMBs across Europe. For each one: why it happens, what regulators think about it, and what you can do to fix it today.

Mistake 1: No record of processing activities

This is the classic. "We're a small team, we don't need a processing register, do we?" Yes, you do. Article 30 of the GDPR requires a Record of Processing Activities (ROPA) from virtually every organisation that systematically processes personal data. The exemption for organisations with fewer than 250 employees only applies if your processing is occasional and unlikely to pose a risk to data subjects. If you handle customer data, payroll, or website analytics, you're already past that threshold.

Why SMBs skip this: it feels like paperwork. Without a clear owner, it stays on the to-do list indefinitely.

What regulators say: during inspections, the ROPA is often the first document requested. If you can't produce one, the conversation starts on the wrong foot. Multiple European supervisory authorities have flagged the absence of a ROPA as a standalone violation. The Dutch DPA (Autoriteit Persoonsgegevens) has issued enforcement orders specifically for failing to maintain an adequate processing register.

How to fix it: start small. List your ten most important processing activities: customer data, HR records, website analytics, email marketing. For each one, note the purpose, legal basis, and which systems are involved. Build from there. For the full approach, read the GDPR checklist for SMBs.

In ComplianceHive, you build your processing register step by step, linked to your tools and vendors. No scattered spreadsheets, just a current overview you can show in any audit.

Mistake 2: Missing or outdated Data Processing Agreements

You use a CRM, accounting software, an email tool, cloud storage. Each of those vendors processes personal data on your behalf. And for every vendor that does, you need a Data Processing Agreement (DPA). That's Article 28 of the GDPR.

Why SMBs miss this: many SaaS tools have a DPA buried somewhere on their website, but nobody actively downloads or reviews it. When new tools are added, the DPA is an afterthought. And for existing tools, the DPA might be years old and no longer cover current processing activities.

What regulators say: this is one of the most frequently fined violations across Europe. The Spanish DPA (AEPD) has issued dozens of fines specifically for missing processing agreements. The French CNIL and other authorities have similarly flagged this as a critical gap. The reasoning is straightforward: without a DPA, there's no legal framework governing how your vendor handles personal data.

How to fix it: create an inventory of all tools and vendors that process personal data. Check whether you have a signed DPA for each. Set a reminder for annual review. Read more about vendor management and GDPR compliance.

In ComplianceHive, you link the DPA status, processing type, and review date to each vendor. So you know exactly where the gaps are.

Mistake 3: No data breach procedure

An employee sends a customer list to the wrong email address. A laptop gets stolen. A vendor reports a security incident. What do you do?

At many SMBs, the answer is: improvise. And that is precisely the problem. The GDPR requires you to report a data breach to your supervisory authority within 72 hours of becoming aware of it if there's a risk to data subjects. That's not much time when you still need to figure out who's responsible, what exactly was exposed, and how to file the report.

Why SMBs don't prepare: "We've never had a data breach." That's not a reason. Regulators expect preparedness, not just reaction.

What regulators say: in 2023 and 2024, multiple European supervisory authorities issued fines for late breach notifications. The Dutch DPA fined one organisation 440,000 euros for failing to report on time. The Dutch DPA receives around 25,000 breach notifications annually and spot-checks whether organisations take their notification obligations seriously.

How to fix it: create a simple breach response procedure. Who is the first point of contact? How do you assess severity? When do you report to the authority? Prepare communication templates. Read the complete guide in What to do when you discover a data breach.

Mistake 4: No retention periods defined

You store customer data. But for how long? And why? If you can't answer that, you have a problem. The GDPR requires that personal data is not kept longer than necessary for the original purpose. "We keep everything forever, just in case" is not a valid legal basis.

Why SMBs forget this: retention periods feel abstract. There's no visible deadline forcing action. And deleting data feels risky: "What if we need it later?"

What regulators say: supervisory authorities across Europe have repeatedly stressed that the absence of retention periods is a standalone violation. The Dutch tax authority received a 3.7 million euro fine in 2022, partly for retaining personal data far beyond the necessary period. For SMBs, fines will be smaller, but the message is clear: storing without limits is not acceptable.

How to fix it: define a retention period for each data category. Customer data after the end of the service relationship: 2 years (unless fiscal retention obligations apply). Job applications: 4 weeks after rejection (unless consent for longer). Document your choices and set up a deletion workflow. Read more about GDPR-compliant data retention.
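To make the deletion workflow concrete, here is an added example (not code from the article or from ComplianceHive) of a retention sweep that turns documented retention periods into a decision per record. The two periods are the article's own figures; the category names, the `Record` fields, and the sample records are assumptions constructed for this example. It handles the two exceptions the article names (a fiscal retention obligation and an applicant's consent to longer retention) as extensions of the base period, and it refuses to process a category that has no documented period at all, since that is the gap regulators treat as a violation in itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention periods per data category, in days. The two figures come from the
# article; the category keys are assumed names for this example.
RETENTION_DAYS: Dict[str, int] = {
    "customer_data": 2 * 365,   # 2 years after the service relationship ends
    "job_application": 4 * 7,   # 4 weeks after rejection
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date                       # end of relationship or rejection date
    legal_hold_until: Optional[date] = None  # e.g. a fiscal retention obligation
    consent_until: Optional[date] = None     # applicant consented to longer retention


def retention_deadline(record: Record) -> date:
    """Last day the record may be kept under the documented policy.

    A category without a documented period is refused outright: storing
    without a defined limit is exactly the situation the article warns about.
    """
    try:
        base = record.trigger_date + timedelta(days=RETENTION_DAYS[record.category])
    except KeyError:
        raise ValueError(f"no retention period defined for {record.category!r}") from None
    # The exceptions can only extend retention beyond the base period; they
    # never justify deleting earlier than the documented policy allows.
    extensions = [d for d in (record.legal_hold_until, record.consent_until) if d]
    return max([base, *extensions])


def sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Split records into those due for deletion and those still retained."""
    result: Dict[str, List[str]] = {"delete": [], "retain": []}
    for rec in records:
        bucket = "delete" if today > retention_deadline(rec) else "retain"
        result[bucket].append(rec.record_id)
    return result


# Constructed sample data for this example, not real customer or applicant records.
SAMPLE_RECORDS = [
    Record("A", "customer_data", date(2023, 1, 15)),
    Record("B", "customer_data", date(2023, 1, 15), legal_hold_until=date(2030, 1, 1)),
    Record("C", "job_application", date(2025, 5, 1)),
    Record("D", "job_application", date(2025, 5, 1), consent_until=date(2025, 12, 31)),
    Record("E", "customer_data", date(2024, 12, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.category, "may be kept until", retention_deadline(rec))
    print(sweep(SAMPLE_RECORDS, date(2025, 6, 1)))
```

Run as a scheduled job, a sweep like this produces the list of records to delete and, just as importantly, a log showing that the policy was actually applied on a given date. That log is the evidence an auditor will ask for when your privacy policy says data is not kept longer than necessary.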

Mistake 5: Treating the privacy policy as the entire compliance programme

You have a privacy policy on your website. Good. But if that's the only thing you've done, you're in trouble. A privacy policy is the business card of your privacy programme, not the programme itself. Without a processing register, DPAs, retention periods, and security measures, it's an empty promise.

Why SMBs stop here: the privacy policy is often the first (and only) thing a lawyer or consultant delivers. It feels like a box ticked. Everything else is less visible and less urgent, until something goes wrong.

What regulators say: supervisory authorities don't just check whether you inform data subjects. They check whether you deliver on your promises. If your privacy policy says you "adequately protect" personal data but you have no encryption, no access controls, and no breach procedure, you've actually made things worse. You wrote down what you'd do, and then didn't do it.

How to fix it: use your privacy policy as a checklist. Does it say you secure data? Verify that's true. Does it mention retention periods? Check that you actually enforce them. Work from the outside in: everything you promise must be backed up. See the GDPR checklist for a complete overview.

Mistake 6: Inadequate security measures

Article 32 GDPR requires "appropriate technical and organisational measures." That sounds vague, but regulators have clear expectations. MFA (multi-factor authentication) on critical systems. Encryption of sensitive data. Role-based access controls. Regular updates and patches.

Why SMBs let this slide: IT security feels like the IT team's responsibility. When there's no dedicated IT team, it becomes nobody's responsibility. Plus, many SMBs rely on SaaS tools and assume the vendor handles security.

What regulators say: the Dutch DPA fined a payroll processor 150,000 euros in 2023 for insufficient security measures. Specifically, MFA was absent and logging was inadequate. In another case, a fine was issued because personal data was transmitted over an insecure connection. The Italian DPA (Garante) and the AEPD have issued similar fines for basic security failures at smaller organisations.

How to fix it: start with the three measures that deliver the most impact. Enable MFA on all systems containing personal data. Verify that encryption is active for storage and transmission. Conduct a quarterly access review: who has access to what, and is it still needed? Read more in GDPR encryption requirements.

In ComplianceHive, you document security measures per system and vendor. So you have a current overview ready for any audit, without digging through spreadsheets.

Mistake 7: No ownership over privacy

This is the mistake that enables all the others. If nobody in the organisation is responsible for privacy, it doesn't get done. Or it gets done ad hoc, inconsistently, and incompletely.

Why SMBs don't fix this: "We don't have the budget for a Data Protection Officer (DPO)." You may not need one. Not every SMB is legally required to appoint a DPO. But someone needs to own the coordination of privacy. That can be an existing team member with privacy as an additional responsibility.

What regulators say: supervisory authorities expect you to demonstrate who within your organisation is responsible for privacy. During inspections, they ask for the privacy contact person. If nobody raises their hand, that's a red flag.

How to fix it: assign a privacy owner. It doesn't have to be a full-time role. Give that person the mandate, time, and access to the right information. Document who approves tooling, who assesses data breaches, and who handles data subject requests. Read more about compliance as a team effort.

From mistakes to structure

These seven mistakes aren't edge cases. They're the things we encounter at virtually every SMB. The good news: none of them require a large budget or a full compliance team. They require structure, ownership, and a bit of discipline.

Start with the mistake that poses the biggest risk to your organisation. No processing register? Start there. Missing DPAs? Inventory your vendors. No breach procedure? Write one today.

Want to tackle this systematically instead of ad hoc?

Try ComplianceHive free for 30 days
