KOLOSALTech

GDPR for SMEs in 2026: 30-minute compliance checklist

6 min read

Concrete actions to bring an SME into GDPR compliance: register, disclosures, cookies, privacy policy, personal rights.

GDPR has been in effect for 8 years as of 2026. Too many SMEs remain in partial non-compliance, exposing them to fines (up to 4% of global turnover). Here is the actionable 30-minute checklist.

1. Processing register (15 min)

Mandatory document from the first employee onward. It lists every personal data processing activity, with:

  • Name of processing (HR, payroll, commercial prospecting, etc.)
  • Purpose
  • Data involved
  • Data subjects (employees, prospects, customers)
  • Recipients
  • Retention period
  • Security measures

Free CNIL template available for download.

2. Legal notices and privacy policy (10 min)

On your website:

  • Page /legal-notice: editor, hosting provider, contact, intellectual property
  • Page /privacy or /privacy-policy: purposes, legal basis, retention periods, rights, DPO contact
  • Notice in forms: "Your data is used solely to process your request"

3. Cookies (5 min)

If you use tracking cookies (Google Analytics, Facebook Pixel):

  • Consent banner mandatory (Tarteaucitron, Axeptio, etc.)
  • Refusal as easy as acceptance
  • No third-party cookies without consent

Alternative: use Plausible or Vercel Analytics (GDPR-friendly, no tracking cookie, no banner required).
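As an added example (not code from the original article), here is a minimal consent gate illustrating the three cookie rules above: cookie-setting trackers such as Google Analytics or the Facebook Pixel are only loadable after an explicit "accept", refusal is the same single call as acceptance, and a cookieless tool like Plausible is loadable without any banner. The tracker registry and the Map-backed storage stub are constructed for the example; in a browser you would pass window.localStorage.

```javascript
// Added example: consent gate for third-party trackers (not the article's code).
// Assumed: caller supplies a storage object with getItem/setItem
// (window.localStorage in a browser; a Map-backed stub is used here).

const CONSENT_KEY = "consent-v1"; // bump the version when the privacy policy text changes

// Constructed sample registry: which integrations set tracking cookies.
const TRACKERS = [
  { id: "google-analytics", setsTrackingCookies: true },
  { id: "facebook-pixel",   setsTrackingCookies: true },
  { id: "plausible",        setsTrackingCookies: false }, // cookieless: no consent needed
];

class ConsentGate {
  constructor(storage, trackers = TRACKERS) {
    this.storage = storage;
    this.trackers = trackers;
  }
  // Stored decision ({choice, at}) or null if the visitor has not decided yet.
  decision() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; }
  }
  // "Refusal as easy as acceptance": both choices go through the same call.
  record(choice) {
    if (choice !== "accept" && choice !== "reject") throw new Error("invalid choice");
    const rec = { choice, at: new Date().toISOString() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
  // Trackers that may be loaded right now: cookieless ones always,
  // cookie-setting ones only after an explicit "accept".
  loadable() {
    const d = this.decision();
    return this.trackers
      .filter(t => !t.setsTrackingCookies || (d && d.choice === "accept"))
      .map(t => t.id);
  }
  // The banner is only needed while a cookie-setting tracker awaits a decision.
  bannerRequired() {
    return this.decision() === null && this.trackers.some(t => t.setsTrackingCookies);
  }
}

// Stand-in for window.localStorage so the example also runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Wire the "accept" and "reject" buttons of the banner to `record()` and inject each tracker's script tag only for the ids returned by `loadable()`.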

4. Data subject rights

Process for responding to GDPR requests:

  • Right of access (copy of held data)
  • Right to rectification
  • Right to erasure (within legal limits)
  • Right to data portability
  • Right to object
  • Response deadline: 1 month maximum
  • Designate a contact (DPO or simple responsible party)

5. Minimum technical security

  • HTTPS everywhere (Let's Encrypt free)
  • MFA on all admin accounts
  • Immutable backup
  • CNIL breach notification procedure (72h)

6. Data processors

List all data processors with access to your data: Google, Microsoft, AWS, Hostinger, Vercel, etc. Verify that each has signed a Data Processing Agreement (DPA) with you; all major vendors provide one automatically.

7. Team awareness (annual)

30 minutes minimum per year. Cover: phishing, passwords, no account sharing, reporting all incidents, not communicating personal data via unencrypted email.

Conclusion

30 minutes for the basics. 2–4 days to truly get up to speed. External audit (approx. €3,000 excl. VAT) if you want a professional check before a CNIL inspection.

#GDPR #Compliance #SME #Personal data