
GDPR Risk Assessment for SMBs: When You Need One and How to Do It


You have a processing register. You probably even have data processing agreements with your main suppliers. But do you actually know where you are most vulnerable? Which processing activity carries the biggest risk if it goes wrong?

That is what a GDPR risk assessment tells you. And yes, the GDPR expects you to have one. Not as a dusty document buried in a folder, but as a working part of your privacy programme.

This article explains what a risk assessment is, when you need one, and how an SMB can run a useful one in five steps. Without the legal theatre.

What a GDPR risk assessment actually is

A GDPR risk assessment is a structured review of the risks your processing of personal data creates. For each processing activity you ask two questions: how likely is it that something goes wrong, and how serious is the damage if it does?

"Something goes wrong" can mean many things. A data breach through a phishing email. An old system storing data unencrypted. An employee with more access than they need. A supplier going bankrupt and taking your customer data with them.

Article 32 GDPR talks about "appropriate technical and organisational measures". What counts as appropriate depends on the risk. Without an assessment, you are flying blind.

Risk assessment versus DPIA

Many SMBs mix these up. A risk assessment is the broad screening: you walk through all your processing activities and judge the risk level. A DPIA (Data Protection Impact Assessment) is the deeper investigation that Article 35 makes mandatory when processing presents a high risk to the rights and freedoms of individuals.

Think of the risk assessment as a blood pressure check at the GP. The DPIA is the follow-up scan at the specialist, only needed when the first check shows something that warrants a closer look.

When you need a risk assessment

Short answer: always. The GDPR assumes you know what risks your processing creates. But certain moments make a fresh assessment especially urgent:

  • You are rolling out a new system that processes personal data. A CRM, an HR tool, a marketing platform.
  • You are onboarding a new supplier who will have access to customer or employee data.
  • You had a data breach or a close call. That is the moment to revisit your assumptions.
  • You are growing. More employees, more data, more systems. The risks scale with you.
  • You are preparing for an audit from a client, a certification body, or your data protection authority.
  • It has been more than twelve months since your last assessment.

Do not wait for your data protection authority to ask. When they call, you want a current document ready.

A GDPR risk assessment in 5 steps

Step 1: Map your processing activities

You cannot assess risks for things you do not know about. Start with your processing register. If you do not have one yet, that is step zero.

For each activity, capture the basics: what personal data you process, whose data it is, why, on what legal basis, and who has access. Be concrete. "Customer data in our CRM" is too vague. "Name, email, phone number and payment history of customers in HubSpot, on the basis of contractual necessity" is something you can work with.

Step 2: Score likelihood and impact per activity

Walk through each activity and ask two questions.

How likely is it that something goes wrong here? Think about unauthorised access, data loss, a leak at a supplier, human error, misconfiguration.

How serious is the impact if it does? Judge this from the perspective of the people whose data you hold, not from your own. A leaked national ID number or medical record weighs more heavily than a leaked work email.

Use a simple scale. Low, medium, high works fine. Do not make it more complicated than it needs to be.

Step 3: Determine the risk level

Combine likelihood and impact into a risk level. High likelihood plus high impact is your red flag. Low and low is green. Everything else sits in between.

This is where your priorities become visible. Which activities need attention first? Where are the gaps in your security?

For activities that come out as "high risk", you are very likely required under Article 35 to run a full DPIA. The European Data Protection Board and your national supervisor have published lists of processing operations that always require a DPIA.

Scoring risks by hand across dozens of systems and suppliers gets messy fast. In ComplianceHive you link processing activities directly to suppliers and systems, and keep risk scores up to date in one place instead of in spreadsheets that go stale within a month.

Step 4: Document your measures

For each risk, record the measures you are taking to reduce it. Those can be technical (encryption, MFA, access controls, logging) or organisational (awareness training, procedures, contractual clauses).

Two things matter here. First, document not only what you do but also what you deliberately do not do, and why. "We do not encrypt this data because it consists solely of publicly available company information" is a valid choice. Not writing it down is not.

Second, link measures to specific risks. "We have MFA enabled" is fine. "We use MFA on our CRM to reduce the risk of unauthorised access to customer data" is what an auditor wants to see.

Step 5: Plan your review cycle

A risk assessment is not a one-off action. Set a fixed review cycle. At least annually, and at every significant change in your processing.

Write down who owns the review and when the next one is scheduled. Without an owner and a date, it does not happen.
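As an added example, not code from the article or from ComplianceHive: a small Python risk register that runs the five steps above over a constructed sample. The low/medium/high scale, the rating rule (red only when both are high, green only when both are low), the DPIA flag for red, the requirement that measures are linked to a concrete risk, and the twelve-month review cycle come from the text; the class and function names are my own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
SCALE = {"low": 1, "medium": 2, "high": 3}
REVIEW_INTERVAL = timedelta(days=365)  # step 5: review at least annually

@dataclass
class Measure:
    control: str  # e.g. "MFA on HubSpot", or a deliberate "no encryption, because ..."
    reduces: str  # the concrete risk it addresses; empty means it is not linked

@dataclass
class Activity:  # step 1: one entry per processing activity, concretely described
    name: str
    data: str        # which personal data
    likelihood: str  # low / medium / high
    impact: str      # low / medium / high, judged from the data subject's view
    measures: list = field(default_factory=list)
    last_review: Optional[date] = None

def risk_level(likelihood: str, impact: str) -> str:
    """Step 3: high+high is red, low+low is green, everything else amber."""
    pair = (SCALE[likelihood], SCALE[impact])
    return "red" if pair == (3, 3) else "green" if pair == (1, 1) else "amber"

def assess(register, today: date):
    """Steps 2-5 in one pass: score, rate, and list what a reviewer would flag."""
    findings = []
    for a in register:
        level, issues = risk_level(a.likelihood, a.impact), []
        if level == "red":
            issues.append("dpia_required")  # Article 35 screening hit
        if not a.measures:
            issues.append("no_measures_documented")  # step 4: nothing written down
        elif any(not m.reduces.strip() for m in a.measures):
            issues.append("measure_not_linked_to_risk")  # "we have MFA" without a why
        if a.last_review is None or today - a.last_review > REVIEW_INTERVAL:
            issues.append("review_overdue")
        findings.append({"activity": a.name, "level": level, "issues": issues,
                         "score": SCALE[a.likelihood] * SCALE[a.impact]})
    return sorted(findings, key=lambda f: -f["score"])  # highest risk first

# Constructed sample register (illustrative, not real company data)
SAMPLE = [
    Activity("Customer records in HubSpot", "name, email, phone, payment history",
             "medium", "high", [Measure("MFA on HubSpot", "")], date(2025, 3, 1)),
    Activity("Staff medical certificates in HR tool", "sick notes, diagnoses",
             "high", "high", [], date(2023, 6, 1)),
    Activity("Public company contacts list", "company name, generic info@ address",
             "low", "low", [Measure("No encryption at rest: data is public",
                                    "confidentiality loss")], date(2025, 9, 1)),
]
```

Calling `assess(SAMPLE, date.today())` returns the register ordered by score, with the HR activity on top carrying the DPIA, documentation and overdue-review flags.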

Three mistakes SMBs keep making

The assessment stays too abstract

"We process personal data and the risk is medium." That is not a risk assessment. That is a description of every company in Europe. The value lives in the specifics: which data, which systems, which concrete risks, which concrete measures.

Nothing gets documented

You have thought about risks. You probably discussed them in a meeting. But it is not written down anywhere. For your data protection authority, that does not count. What is not documented does not exist.

One-off and then forgotten

You ran a risk assessment in 2023. Since then: four new tools, two new suppliers, an office move and a remote-work policy. The 2023 assessment no longer reflects reality. An out-of-date risk assessment is almost as weak as no assessment at all.

Where to take it from here

A GDPR risk assessment does not need to be a months-long project. Start with your processing register, walk the five steps, document your findings, and set a review date. For most SMBs that is a few focused sessions of work.

The key is to treat it as a living document. Connect it to your supplier management, your data processing agreements and your security controls. That is how it turns into a working tool instead of a paper exercise.
