GDPR: the most common mistakes made by SMEs
GDPR applies to any organization that processes personal data, regardless of its size. The CNIL, the French authority responsible for enforcing it, regularly points out in its inspections that compliance is not limited to a consent banner on a website, contrary to a belief widespread among many SMEs.
The most common mistakes
- Not keeping a record of processing activities, even though it is mandatory as soon as personal data is processed.
- Retaining data indefinitely, with no defined retention period.
- Confusing consent with legal basis: not every processing activity requires explicit consent.
- Not contractually governing subprocessors who process data on the company's behalf.
- Ignoring data subject rights (access, rectification, erasure), for lack of an internal process to handle them.
- Having no procedure to notify a data breach.
What GDPR concretely requires
| Obligation | What it involves |
|---|---|
| Record of processing activities | Documenting each processing activity: purpose, data collected, retention period, recipients |
| Legal basis | Identifying the legal basis for each processing activity (consent, contract, legal obligation, legitimate interest) |
| Data security | Implementing technical and organizational measures proportionate to the risks |
| Data subject rights | Allowing access, rectification and erasure requests to be handled within one month |
| Breach notification | Notifying the data protection authority within 72 hours for a personal data breach presenting a risk |
How to structure your compliance effort
- Map the personal data processing activities carried out by the organization.
- Identify high risk processing activities, which may require an impact assessment.
- Formalize a record of processing activities and keep it up to date.
- Set up a procedure to handle data subject rights requests.
- Train the teams who handle personal data on a daily basis.
GDPR penalties can reach deterrent amounts, but the CNIL focuses its inspections on the most serious or most reported failings, as it states in the control priorities it publishes each year. The most concrete risk for an SME is often not a formal inspection but a poorly handled data breach, with the resulting loss of customer trust. That angle, more tangible than an abstract threat of sanctions, is what justifies measuring the gap between current practices and the regulation's requirements, domain by domain.
GDPR Diagnostic·See a diagnostic preview
Related diagnostic
Ready to assess your organization?
Try for free