Jump to main content
GDPR20 March 20263 min read

GDPR for Small Businesses — What Are Your Real Obligations

Many entrepreneurs believe GDPR only applies to large corporations. Incorrect. Here are the minimum obligations for a Romanian SME, the real risks involved, and how to comply with reasonable effort.

Cătălin Gaina

Founding Partner · Corporate & M&A, Privacy & GDPR

Key takeaways

  • GDPR applies to any company processing data of EU individuals
  • Minimum obligations: record of processing, privacy policy, security measures
  • ANSPDCP has sanctioned SMEs — this is not a theoretical risk
  • Compliance does not require an internal department — an external audit is sufficient
  • Annual review plus targeted updates is enough for most SMEs

GDPR applies to your company — regardless of size

The General Data Protection Regulation (GDPR) applies to any data controller established in the EU or processing data of EU individuals — regardless of company size or sector.

If you have employees, customers or individual suppliers, if you process enquiries, send marketing emails or have a website with a contact form — you are a data controller and GDPR applies in full.

Minimum obligations for an SME

The first obligation is identifying and documenting processing activities — what data you collect, from whom, for what purpose, on what legal basis and for how long you retain it. This is materialised in a Record of Processing Activities, mandatory for companies with more than 250 employees, but recommended for all.

The second obligation is informing data subjects — employees, customers, website visitors must be informed about how you process their data. This is achieved through a Privacy Policy published on the website and through Information Notices for employees.

The third obligation is implementing appropriate technical and organisational security measures — strong passwords, encryption, restricted access to personal data, backup procedures.

What real risks exist for an SME?

The National Supervisory Authority for Personal Data Processing (ANSPDCP) has issued sanctions to small companies, not just corporations. The most common sanctions relate to: lack of a privacy policy on the website, sending marketing emails without consent, failure to respect data subject rights (right of access, erasure, rectification).

Sanctions can reach 4% of annual global turnover or EUR 20 million (whichever is higher). For an SME, even a sanction of a few thousand euros can be significant.

How to comply with reasonable effort

GDPR compliance for a simple SME does not require a dedicated internal department. A GDPR audit conducted by an external specialist, identifying gaps and establishing priorities, can be completed in a few days and is the starting point.

The essential documents — Privacy Policy, Information Notices, Record of Processing Activities, procedures for responding to data subject rights — can be adapted to the specific business without being overly complex documents.

Annual review of GDPR compliance is sufficient for most SMEs, with targeted updates when processing activities or legislation change.

Conclusion

GDPR is not an unbearable bureaucratic obstacle for SMEs — it is a framework of best practices in managing personal data, with real benefits in the relationship with customers and employees. Reasonable compliance is accessible to any company, regardless of size, with the help of a specialist.

gdprdata protectionSMEprivacycompliance

Cătălin Gaina

Founding Partner · Corporate & M&A, Privacy & GDPR

View full profile

Have questions about the topic of this article?

Our partners offer an initial consultation to assess your specific situation and identify the optimal steps.

Free consultation