Back to blogCompliance

GDPR: the most common mistakes made by SMEs

NRNicolas Renard·July 22, 2026· 7 min read

GDPR applies to any organization that processes personal data, regardless of its size. The CNIL, the French authority responsible for enforcing it, regularly points out in its inspections that compliance is not limited to a consent banner on a website, contrary to a belief widespread among many SMEs.

The most common mistakes

  • Not keeping a record of processing activities, even though it is mandatory as soon as personal data is processed.
  • Retaining data indefinitely, with no defined retention period.
  • Confusing consent with legal basis: not every processing activity requires explicit consent.
  • Not contractually governing subprocessors who process data on the company's behalf.
  • Ignoring data subject rights (access, rectification, erasure), for lack of an internal process to handle them.
  • Having no procedure to notify a data breach.

What GDPR concretely requires

ObligationWhat it involves
Record of processing activitiesDocumenting each processing activity: purpose, data collected, retention period, recipients
Legal basisIdentifying the legal basis for each processing activity (consent, contract, legal obligation, legitimate interest)
Data securityImplementing technical and organizational measures proportionate to the risks
Data subject rightsAllowing access, rectification and erasure requests to be handled within one month
Breach notificationNotifying the data protection authority within 72 hours for a personal data breach presenting a risk

How to structure your compliance effort

  1. Map the personal data processing activities carried out by the organization.
  2. Identify high risk processing activities, which may require an impact assessment.
  3. Formalize a record of processing activities and keep it up to date.
  4. Set up a procedure to handle data subject rights requests.
  5. Train the teams who handle personal data on a daily basis.

GDPR penalties can reach deterrent amounts, but the CNIL focuses its inspections on the most serious or most reported failings, as it states in the control priorities it publishes each year. The most concrete risk for an SME is often not a formal inspection but a poorly handled data breach, with the resulting loss of customer trust. That angle, more tangible than an abstract threat of sanctions, is what justifies measuring the gap between current practices and the regulation's requirements, domain by domain.

GDPR Diagnostic·See a diagnostic preview

Ready to assess your organization?

Try for free