GDPR Compliance Guide: What Your Business Needs to Know
A practical, non-legal guide to GDPR for SMBs. What data you can collect, how to handle consent, and how to avoid fines — without hiring a legal team.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a data privacy law that governs how businesses collect, process, store, and share personal data of EU residents. It went into effect in May 2018 and remains the most comprehensive data protection framework in the world.
For SMBs, GDPR boils down to three requirements: be transparent about what data you collect and why, give people control over their data, and protect the data you hold. If you follow these principles, compliance is straightforward.
This is not legal advice — consult a lawyer for your specific situation. But understanding the fundamentals will help you make informed decisions about your data practices and choose tools that support compliance. For more on data management, see our data migration guide.
Does GDPR Apply to You?
GDPR applies more broadly than most SMBs realize. You do not need to be an EU company or have an EU office. If you process data of EU residents in any capacity, GDPR applies to your business.
In practice, any business with a website accessible from the EU, EU contacts in their CRM, or EU customers needs to comply. Here are the specific triggers.
Key GDPR Principles
GDPR is built on seven core principles. If you understand and follow these, you will be compliant in practice, even if you have not memorized every article of the regulation.
Lawfulness, fairness, and transparency
Process data legally and be open about what you collect and why. No hidden tracking, no deceptive collection practices.
Purpose limitation
Collect data for specific, stated purposes only. Do not collect email addresses for a newsletter and then share them with partners for advertising.
Data minimization
Only collect what you need. If you do not need someone's date of birth for your service, do not ask for it.
Accuracy
Keep personal data accurate and up to date. Provide easy ways for people to correct their information.
Storage limitation
Do not keep data longer than necessary. Set retention policies and delete data when it is no longer needed for its original purpose.
Integrity and confidentiality
Protect data against unauthorized access, loss, or damage. Use encryption, access controls, and secure backups.
Accountability
Be able to demonstrate compliance. Document your data practices, consent records, and processing activities.
Consent Management
Consent is the most visible part of GDPR compliance. When you ask someone for their data, the consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes, bundled consent, and hidden opt-ins do not qualify.
The golden rule: if someone would be surprised to learn you have their data or are using it in a specific way, you do not have valid consent. Transparency builds trust and protects your business.
Opt-in forms
Explicit checkboxes (unchecked by default) with clear descriptions of what the person is consenting to.
Double opt-in
Confirmation email after signup. Adds friction but provides bulletproof consent records.
Consent records
Store when, how, and what the person consented to. You must be able to prove consent if challenged.
Easy withdrawal
Make it as easy to withdraw consent as it was to give it. One-click unsubscribe, not "email us to opt out."
Separate purposes
Get separate consent for separate uses. Marketing email consent is different from product updates consent.
Cookie consent
Cookie banners with granular control. Users must be able to accept or reject each category independently.
Legitimate interest
Some B2B processing may rely on legitimate interest instead of consent. Document your assessment carefully.
Third-party sharing
If you share data with partners, explicit consent for sharing is required. Name the partners.
Data Subject Rights
GDPR gives individuals specific rights over their personal data. As a business, you must be able to fulfill these requests within 30 days. Having the right tools and processes in place makes this manageable.
The most common requests are access requests (people wanting to see their data) and deletion requests (the "right to be forgotten"). With a well-organized CRM, both are straightforward to handle.
Right of access
People can request a copy of all personal data you hold about them. Provide it in a commonly used, machine-readable format within 30 days.
Right to rectification
People can request corrections to inaccurate data. Update the records promptly and confirm the correction.
Right to erasure
People can request deletion of their data. Remove it from all systems unless you have a legal obligation to retain it (e.g., tax records).
Right to data portability
People can request their data in a format they can transfer to another service. Export as CSV or JSON.
Right to object
People can object to processing of their data for specific purposes like direct marketing. Stop processing upon objection.
Right to restrict processing
People can request that you stop processing their data while a dispute is resolved, without deleting it.
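The two requests the text calls most common, access and erasure, are shown together in this added example (not Dewx code, and not from the original guide). It assumes a minimal contact record with invoices under a tax-retention hold; the 7-year retention period, the field names and the sample contact are constructed for illustration.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta

# Assumed retention period for invoices (tax records). The guide only says such a
# legal obligation can exist; the 7-year figure is an assumption for this example.
INVOICE_RETENTION_YEARS = 7

@dataclass
class Contact:
    email: str
    name: str
    notes: list = field(default_factory=list)
    marketing_opt_in: bool = False
    invoices: list = field(default_factory=list)  # each: {"id", "issued": date, "amount"}

def export_subject_data(contact: Contact) -> str:
    """Right of access / portability: every field held, as machine-readable JSON."""
    return json.dumps(asdict(contact), indent=2, sort_keys=True, default=str)

def erase_subject(contact: Contact, today: date) -> dict:
    """Right to erasure: remove personal data, except records under a legal hold.
    Returns what was deleted and what was retained (and why) for the compliance log."""
    retained = []
    for inv in contact.invoices:
        keep_until = inv["issued"] + timedelta(days=365 * INVOICE_RETENTION_YEARS)
        if keep_until > today:
            retained.append({"id": inv["id"], "reason": "tax retention", "until": str(keep_until)})
    held_ids = {r["id"] for r in retained}
    contact.invoices = [inv for inv in contact.invoices if inv["id"] in held_ids]
    # Delete, do not archive: overwrite identifying fields and drop free-text notes.
    contact.name = "[erased]"
    contact.email = "[erased]"
    contact.notes.clear()
    contact.marketing_opt_in = False
    return {"deleted": ["name", "email", "notes", "marketing_opt_in"], "retained": retained}

# Constructed sample data for a stand-alone run.
AS_OF = date(2024, 6, 1)

def sample_contact() -> Contact:
    return Contact(
        email="ann@example.com", name="Ann Example", notes=["Called about pricing"],
        marketing_opt_in=True,
        invoices=[{"id": "INV-1", "issued": date(2015, 1, 1), "amount": 120.0},
                  {"id": "INV-2", "issued": date(2023, 1, 1), "amount": 80.0}],
    )

if __name__ == "__main__":
    c = sample_contact()
    print(export_subject_data(c))
    print(erase_subject(c, AS_OF))
```

The returned "retained" list is what you would cite if the person asks why an invoice still exists after their erasure request.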
Data Processing Agreements
Every tool that processes your customers' data on your behalf is a "data processor." GDPR requires a written agreement (DPA) between you and each processor that defines how data is handled, protected, and returned or deleted.
Most SaaS providers offer DPAs as standard. If a vendor does not have a DPA or refuses to sign one, that is a red flag. Check your CRM, email tool, analytics platform, and any other service that touches customer data.
Identify all processors
List every tool and service that accesses or processes your customer data. Include CRM, email marketing, analytics, payment processing, hosting, and any third-party APIs.
Review existing DPAs
Check if your current vendors have DPAs in place. Most major SaaS providers publish them on their websites. Review the terms and ensure they meet your requirements.
Sub-processor management
Your processors may use sub-processors (e.g., cloud hosting providers). Ensure you are informed about sub-processors and that the chain of data protection extends to them.
Data location requirements
Know where your data is stored and processed. EU data stored outside the EU requires additional safeguards (Standard Contractual Clauses or adequacy decisions).
Data Breach Response
GDPR requires you to report certain data breaches to your supervisory authority within 72 hours of becoming aware. If the breach is likely to result in high risk to individuals, you must also notify the affected people directly.
Having a breach response plan before you need one is essential. When a breach happens, 72 hours goes fast. Preparation ensures you can respond quickly and meet your legal obligations.
Contain the breach
Immediately stop the source of the breach — revoke access, patch the vulnerability, isolate affected systems. Speed matters.
Assess the scope
Determine what data was accessed, how many people were affected, and the potential impact. Document everything from the start.
Notify the authority
If the breach poses a risk to individuals, notify your supervisory authority within 72 hours. Include what happened, data affected, likely consequences, and measures taken.
Notify affected individuals
If the breach is high-risk, notify affected people directly. Be transparent about what happened and what they should do to protect themselves.
Document and learn
Record the breach, your response, and the outcome. Implement measures to prevent recurrence. Update your security practices based on lessons learned.
CRM & Marketing Compliance
Your CRM is the single biggest repository of personal data in your business. Making sure it is configured for GDPR compliance is one of the most important steps you can take. Here is what to check.
Consent tracking
Your CRM should record when and how each contact gave consent. This is your proof of compliance if challenged.
Data export
You must be able to export a contact's complete record (all fields, notes, communications) in a machine-readable format for access requests.
Data deletion
The CRM must support full deletion — not just archiving. When someone exercises their right to erasure, the data must be truly removed.
Access controls
Limit who can view and modify personal data. Not every team member needs access to every contact field. Use role-based permissions.
Marketing opt-outs
Your CRM must track marketing preferences per contact. When someone unsubscribes from emails, their preference must be respected across all campaigns.
Common Compliance Mistakes
These are the GDPR mistakes we see most frequently in SMBs. Most stem from misunderstanding the requirements, not from intentional non-compliance.
Using pre-checked consent boxes
GDPR requires affirmative action. Consent boxes must be unchecked by default. The person must actively check the box. Pre-checked consent is not valid consent.
No records of consent
Saying "they subscribed" is not enough. You need to prove when, where, and how consent was given. Log the timestamp, IP address, form source, and exact language shown.
Ignoring the right to be forgotten
When someone requests deletion, archive is not enough — you must actually delete. Check all systems including backups, email tools, and third-party integrations.
No data processing agreements with vendors
Every SaaS tool that processes your customers' data needs a DPA. Check your CRM, email tool, analytics, payment processor, and hosting provider.
Assuming GDPR does not apply outside the EU
GDPR follows the data subject, not the company. If you have any EU contacts, visitors, or customers, you are subject to GDPR regardless of your location.
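The consent record the guide describes (timestamp, IP address, form source, exact wording shown) and the "no pre-checked boxes" and "easy withdrawal" rules from the Consent Management section are shown in one added example below. This is illustrative code written for this page, not Dewx's implementation; the class and field names are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str            # one purpose per event, e.g. "newsletter" vs "product_updates"
    granted: bool           # True = consent given, False = consent withdrawn
    timestamp: str          # ISO-8601, UTC
    ip: str                 # where the request came from
    form_source: str        # which form or page the checkbox was on
    consent_text: str       # the exact wording shown next to the checkbox
    checkbox_prechecked: bool = False

class ConsentLedger:
    """Append-only log: events are never edited or deleted, only added."""

    def __init__(self):
        self._events = []

    def record(self, ev: ConsentEvent) -> None:
        # A pre-checked box is not affirmative action, so it must not be logged as consent.
        if ev.granted and ev.checkbox_prechecked:
            raise ValueError("pre-checked box: not valid consent, nothing recorded")
        self._events.append(ev)

    def grant(self, email, purpose, ip, form_source, consent_text, prechecked=False, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.record(ConsentEvent(email, purpose, True, ts, ip, form_source, consent_text, prechecked))

    def withdraw(self, email, purpose, ip, form_source, now=None):
        # Withdrawal is a single call, mirroring the one-click unsubscribe the guide asks for.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.record(ConsentEvent(email, purpose, False, ts, ip, form_source, "withdrawn by user"))

    def has_consent(self, email, purpose) -> bool:
        """The most recent event for this contact and purpose decides; purposes are independent."""
        events = [e for e in self._events if e.email == email and e.purpose == purpose]
        return bool(events) and events[-1].granted

    def proof(self, email, purpose) -> list:
        """Complete audit trail for one contact and purpose, as plain dicts for export."""
        return [asdict(e) for e in self._events if e.email == email and e.purpose == purpose]
```

Because the ledger is append-only, `proof()` returns the full history rather than a single current flag, which is what you need when asked to show when and how consent was obtained.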
GDPR Compliance with Dewx
Dewx is designed with GDPR compliance built in. Because all your customer data lives in one platform — CRM, inbox, finance — you have a single place to manage consent, fulfill data requests, and maintain compliance records.
Contrast this with businesses using 10+ separate tools. When someone requests their data, you have to export from your CRM, email tool, analytics platform, invoicing system, and helpdesk separately. With Dewx, one export covers everything.
For more on how Dewx handles security and privacy, see our security best practices guide or learn about our operations hub.
GDPR features in Dewx:
- Consent tracking on every contact record with full audit trail
- One-click data export for access requests — all data in one place
- True deletion capability (not just archiving) for erasure requests
- Role-based access controls to limit who sees personal data
- Marketing preference management per contact and per channel
- DPA available for all plans — GDPR compliance from day one
GDPR Compliance Guide FAQ
Does GDPR apply to my business if I am not in the EU?
Yes, if you process personal data of EU residents. If you have EU customers, website visitors from the EU, or EU-based contacts in your CRM, GDPR applies to you regardless of where your business is located. The regulation follows the data subject, not the company.
What are the fines for GDPR non-compliance?
GDPR fines can reach up to 4% of annual global turnover or 20 million euros, whichever is higher. In practice, fines for SMBs are typically much smaller — usually 5,000 to 50,000 euros for first-time violations. However, the reputational damage and cost of remediation often exceed the fine itself.
Do I need a Data Protection Officer (DPO)?
Most SMBs do not need a formal DPO. A DPO is legally required only if your core business involves large-scale processing of sensitive data or systematic monitoring of individuals. However, you should designate someone on your team as responsible for data protection, even if the role is informal.
How do I handle a data subject access request (DSAR)?
When someone requests their data, you have 30 days to respond. You must provide all personal data you hold about them in a commonly used format. With a CRM like Dewx, you can export a contact's complete record in minutes. The key is having a documented process so requests do not get lost or delayed.
Can I still use email marketing under GDPR?
Yes, but you need proper consent. Every subscriber must actively opt in (no pre-checked boxes). You must clearly state what they are signing up for, provide an easy unsubscribe option, and keep records of when and how consent was given. Legitimate interest can justify B2B marketing emails in some cases, but explicit consent is the safest approach.
Need a GDPR-ready business platform?
Dewx makes compliance simple. One platform, one data source, one place to manage consent and data requests.