GDPR is not bureaucracy for its own sake: it protects your customers, your employees, and ultimately your company. This guide takes you from the initial diagnosis to having a functional privacy system in eight weeks — without unnecessary technicalities.

Weeks 1-2: Data inventory — know what you have before you act

The first step is mapping what personal data your company handles. Include customer data (name, email, phone, tax ID), employee data (payroll, time tracking, performance reviews), supplier data, and any data you process on behalf of third parties. For each category, identify: who has access, where it is stored, how long you keep it, and whether it leaves the company. This inventory is the foundation of the Record of Processing Activities (RPA), mandatory for companies with more than 250 employees — though recommended for all.

Week 3: Legal basis — by what right do you process each piece of data?

Every data processing activity needs a legal basis to justify it. The most common ones in SMEs are: performance of a contract (customer data where you have a contractual relationship), legal obligation (employee data for payroll or taxation), legitimate interest (anonymous internal statistics), and explicit consent (newsletters, non-essential cookies). Consent is the weakest basis because it can be withdrawn at any time; whenever possible, rely on a stronger legal basis.

Consent must be freely given, informed, specific, and unambiguous. A pre-ticked checkbox does not count. Silence does not count. Bundled consent with other terms does not count (Art. 7 GDPR).

Week 4: Data subject rights — how to handle them

Right of access

The data subject can ask what data you hold on them. You have 30 days to respond and the response is free of charge.

Right to rectification

If data is inaccurate or incomplete, the data subject can ask you to correct it.

Right to erasure

The 'right to be forgotten': they can ask you to delete their data when it is no longer necessary or they withdraw consent.

Right to object

They can object to their data being processed for direct marketing. You must stop immediately with no exceptions.

Weeks 5-6: Supplier contracts and privacy policy

Every supplier that accesses personal data belonging to your customers or employees is a 'data processor'. You must sign a Data Processing Agreement (DPA) with each one. This includes your accountant, email marketing platform, CRM, hosting provider, and any SaaS tool that processes your data. Request the standard DPA from each supplier: large providers (Google, Microsoft, HubSpot) publish it and make it available for digital signing. For smaller ones, you will need to draft it yourself or use the AEPD template.

Weeks 7-8: Website, email marketing and security measures

Your website needs: a privacy policy accessible from any page, a legal notice, a granular cookie consent banner (a simple 'accept all' without a rejection option is not sufficient), and forms with a consent checkbox separate from accepting terms and conditions. For email marketing, audit your list and delete contacts without documented consent. For technical measures: enable 2FA on all accounts with data access, encrypt sensitive documents, and establish a password policy. Document everything: if there is an inspection, the burden of proof falls on you.

Minimum GDPR compliance checklist

RPA completed and up to date

Record of Processing Activities covering all data categories, legal bases, and retention periods.

Processor agreements signed

DPA signed with every supplier that accesses personal data.

Website and forms correct

Privacy policy, legal notice, granular cookie banner and consent checkboxes on all forms.

Breach procedure in place

Documented protocol to detect, manage and notify a security breach within 72 hours.

Want us to audit your company's compliance status at no cost? Contact our team.