GDPR basics for small businesses
GDPR data protection applies to every business that processes personal data. For small businesses, what counts is a pragmatic implementation of the basics — not perfectionist bureaucracy.
Updated: 2026-06-19
Immediate steps
1. Create a record of processing activities: which data, for what purpose, how long, with which tools?
2. Clarify the legal basis for each processing activity (Art. 6 GDPR: contract, legitimate interest, consent).
3. Data minimisation and access rights: collect only what is needed; limit access to what is necessary.
4. Technical and organisational measures (TOMs): encryption, backups, two-factor authentication, updates.
5. Conclude data processing agreements (DPAs) with service providers (cloud, newsletter, IT).
6. Prepare a process for data-subject rights (access, erasure) and for breaches (notification within 72 hours).
7. Raise staff awareness — the most common weak point is the human factor.
What not to do
- Do not collect data “just in case” that you do not need.
- Do not use cloud/tools without a DPA and without checking the data transfer.
- Do not conceal a breach — failing to report can cost more than the incident itself.
When professional help makes sense
We help tailor the GDPR basics pragmatically to your business, assess technical measures and prepare a breach process — structured, without overkill and without replacing legal advice.
Common questions
- Do I need a data protection officer?
- It depends on business size and the nature of processing. Check the exact threshold against current rules (BDSG) — when in doubt, ask the competent supervisory authority.
- When must I report a breach?
- If there is a risk to data subjects, usually within 72 hours to the competent data protection authority — which is why the process should be prepared.
- Are standard tools (cloud, newsletter) enough?
- Often yes — but only with a data processing agreement, appropriate technical measures and a check of the data transfer (e.g. to the USA).