GDPR for small businesses

A GDPR lawyer from Morling helps businesses structure data protection work and strengthen compliance

CONTACT US

GDPR guidance for small businesses: the requirements in your business

Few companies operate without processing personal data. The General Data Protection Regulation sets out the conditions under which companies may process personal data, for example to perform a contract. It is therefore essential that companies apply and comply with GDPR requirements whenever personal data is processed.

When companies process personal data, they also have a legal duty to understand and reduce the risks associated with that processing and to take measures to safeguard the data. Depending on the business, a range of measures—some more complex than others—may be needed. As complexity varies with your specific circumstances, a thorough understanding of the framework is vital, both to meet GDPR requirements and to avoid making compliance more complicated than necessary for your operations. This is core gdpr guidance for small businesses and highly relevant to gdpr for businesses across sectors.

 

Approach for GDPR in companies

Top-down view of a tidy workspace with a laptop, notebook, and two suited hands framing a blank sheet of paper to signal scope and clear objectives for legal counsel.

We gather enough material to understand which processing activities are most business-critical in the company and where responsibility sits within the organisation. This allows the work to be scoped to the right systems, processes, and parties from the outset.

Close-up of a whiteboard with simple arrows and neutral markers representing data flows, as legal counsel places a marker.

We translate your processing activities into a clear set of requirements and assess where the risk is greatest based on the type of personal data, purposes, and exposure. The result is decision support showing what needs to be prioritised and why.

Calm meeting table with three neutral document stacks and a pen indicating prioritization; two gender-neutral legal counsel in the background with simplified, faceless features.

You receive a workable plan with sequence, timeline, and ownership that links measures to risk and business value. The plan makes it easier to decide what to handle internally and what should be addressed with external support.

Legal counsel reviewing a tabbed binder beside an open laptop and a checked box on a blank form, signaling implementation and documentation.

We prepare or update the required documentation and support the rollout of routines in day-to-day operations so the work is consistent. The focus is on being able to demonstrate how requirements are handled when questions arise from customers, suppliers, or during supervision.

Legal counsel places a neutral token on a stack of folders with a blank calendar in the background, symbolising governance and recurring follow-up.

You get a setup for ongoing controls where changes in the business are captured and translated into updated routines and decisions. This ensures compliance doesn’t become a one-off project, but part of governance over time.

Build controllable compliance

For companies, GDPR is about being able to demonstrate control, not just “having a policy”. Set the framework with records, contracts and clear routines for how data is handled and retained. Click through to build a structure that withstands change and growth.

Data Protection Officer
Privacy Counsel
Data processing agreement
Data retention
Illustration of a courthouse and judge’s gavel representing GDPR fines and legal compliance, symbolizing GDPR for small businesses that must follow EU data protection rules.

GDPR fines for companies: what it means for gdpr for small businesses

GDPR infringements can result in significant fines for companies. Administrative fines may be up to the higher of EUR 20 million or 4% of global annual turnover. The amount in an individual case depends on the specific circumstances. The Swedish Data Protection Authority (IMY) may also issue a warning, reprimand or an order, including restrictions or prohibitions. Depending on what has occurred, a fine is not inevitable.

 

The high maximum amounts underline the importance of taking GDPR seriously and implementing robust data protection practices. Beyond financial impact, infringements can damage reputation and erode the confidence of customers and other stakeholders. To reduce the risk of fines, companies should:

  • Train staff in GDPR and data protection.
  • Review technical security measures to protect personal data.
  • Maintain clear processes for handling personal data breaches.
  • Keep a GDPR checklist within the business.
  • Regularly review and update data protection practices.
  • Appoint a person responsible for GDPR within the business.

REGARDLESS OF SIZE

GDPR for businesses: scope and practical implications for GDPR for small businesses

Does GDPR apply to companies? Yes — GDPR applies to all companies that process personal data. It therefore affects most businesses and imposes requirements across every phase of personal data processing. A challenge is that companies of all sizes face the same baseline obligations. GDPR for small businesses is therefore as relevant as for larger organisations, irrespective of the resources available to support compliance.

What does GDPR mean for companies? To comply with GDPR, companies must adhere to the principles for processing personal data and a range of detailed requirements, including implementing appropriate technical and organisational security measures. This entails, for example, having clear procedures for personal data processing, ensuring data is accurate and up to date, and having systems to erase or rectify inaccurate data. GDPR is extensive, and these examples are only a selection.

One fundamental principle is transparency. Companies must clearly inform individuals about how their personal data is collected and used. This means there must be a clear and easily accessible privacy notice describing the personal data processing for which the company is responsible.

GDPR also grants individuals specific rights, such as the right to data portability and the right to be forgotten. Companies need procedures to handle such requests from data subjects. If these requests are frequent, there should be established routines to manage them promptly, typically within 30 days. This is central to practical gdpr guidance for small businesses and applies equally as gdpr for businesses across industries, including gdpr compliance for saas companies where data flows are continuous.

May companies record calls under GDPR?

Telephone call recording is sensitive from a privacy perspective. A call contains not only the conversation, but also other personal data protected by GDPR such as voice and emotional tone. Calls may also include data the company did not expect to capture, for example health information or other special categories of personal data protected under Article 9 GDPR. More than one person is involved in a call—such as a customer and an employee—and they may have different interests in whether recording is permissible.

These aspects require careful consideration before recording calls. The answer will depend on whether the company can apply the GDPR principles. Companies should consider:

  • Can the data subjects be informed before recording starts?
  • Have we defined a clear purpose for the recording?
  • Is there a lawful basis to record the call, for example consent, legitimate interests or legal obligation?

Consent can appear straightforward as a lawful basis. However, it may not be the most appropriate, as there are strict requirements for valid consent, including that it must be freely given. If consent is not provided, the call must not be recorded.

Some sectors are required by law to record calls, for example parts of the insurance industry. In such cases, legal obligation should be evaluated to confirm it covers the intended recording. Legitimate interests may also be relevant following a balancing test.

Customer support agent on a video call recording client details on a laptop, illustrating GDPR for small businesses and compliant handling of customer data in call centers.

Key steps for call recording under GDPR

When a company plans to record calls, it must ensure that the processing of personal data complies with GDPR. This means taking several concrete steps to address both legal and practical requirements. Key steps include:

  • Inform data subjects that the call will be recorded and why, before recording begins.
  • Establish the lawful basis for recording, for example consent, legitimate interests or legal obligation.
  • Document the purpose of the recording and limit use of recordings to that purpose.
  • Implement safeguards to prevent unauthorised access to recordings.
  • Set procedures to handle requests for access, rectification or erasure of recorded calls.

By following these steps, companies can reduce the risk of infringements while building trust with customers and employees.

CONTRACTS GOVERNING PROCESSING

GDPR agreements between companies

References to GDPR agreements between companies often mean a data processing agreement or a joint controllership agreement. It can also refer to a data transfer agreement governing the conditions for a transfer of personal data between two separate controllers. These agreement types help ensure compliance with the Regulation.

A data processing agreement must be in place where a company acting as a processor processes personal data for a company acting as a controller. The agreement must be in writing and describe the parties’ obligations regarding the handling of personal data, and GDPR lists the matters that must be covered. Among other things, it should set out:

  • The purpose of processing and the types of personal data concerned.
  • How personal data is protected and which technical and organisational measures will be taken.
  • Procedures for reporting personal data breaches.
  • If and how personal data may be transferred to third countries.
  • Requirements for the processor to delete or return personal data after the engagement ends.
  • Any right to appoint sub-processors and the requirements that apply to them.

When transferring personal data to another company, it is also important to transfer only the data that is necessary for the specific purpose and to inform data subjects about the transfer. Documentation of the processing is central to meeting GDPR’s accountability requirements.

A joint controllership agreement is required where two or more companies are joint controllers, meaning they jointly determine the purposes and means of processing. Such an agreement defines each party’s responsibilities and roles in relation to the joint processing, including:

  • How responsibility for informing data subjects is divided between the parties.
  • Procedures for upholding data subject rights, for example access, rectification and erasure.
  • Which party will notify the Data Protection Authority and inform data subjects in the event of a breach.
  • How costs and resources for the processing will be allocated.

It is also important to document and communicate these responsibilities internally within the organisations and externally to data subjects, for example through privacy notices. Joint responsibility means all parties can be liable for damage caused by the processing, which makes clear contractual provisions particularly important.

A data transfer agreement is often used when personal data (or other sensitive information) is transferred to another company and is intended to ensure the transfer complies with applicable data protection laws and regulations.

In general, when transferring personal data, consider information security in connection with the transfer, for example encryption in transit. This is a recurrent issue in gdpr compliance for saas companies given vendor ecosystems and frequent integrations.

Two business professionals connecting puzzle pieces with a padlock icon, symbolizing GDPR for small businesses and how legal experts help implement data protection and privacy compliance.

We support GDPR for small businesses

Our solutions are tailored to your needs. Whether you are a small business tackling your first GDPR question or looking to take the next step with ongoing support, we are ready to help. Our services include:

  • GAP analysis of your current state.
  • Drafting data protection policies and procedures.
  • Advice on lawful bases for personal data processing.
  • Support with personal data incidents.
  • Ongoing advice on GDPR compliance and regulatory monitoring.

Contact Morling Consulting for an initial meeting at no cost. Let us help you not only meet GDPR requirements but also use data protection as a competitive advantage in your business. We operate across Europe.

Common questions and answers on GDPR for businesses

Yes. GDPR applies to all companies that process personal data — regardless of size, sector or scale. There are no exemptions for small businesses. Even if processing is limited, the company must follow the requirements of the Regulation.

GDPR contains a wide range of requirements, and Morling Consulting helps map how they apply in your operations. To comply, companies should, among other things:

  • Identify which types of personal data are processed and why.
  • Ensure the company has a lawful basis for processing.
  • Provide clear information to data subjects, for example via a privacy notice.
  • Ensure technical and organisational measures are implemented commensurate with the risk.
  • Document your personal data processing.
  • Maintain procedures to handle personal data breaches and data subject rights.

A data processing agreement is required where a company engages a third party to process personal data on its behalf.

Example: A company engages an IT provider to store customer data on its behalf. The agreement must regulate responsibilities, security measures, incident reporting and more, in line with GDPR.

It depends on the purpose of the recording and your lawful basis. Before recording, you must:

  • Inform callers that the call will be recorded and why.
  • Choose the correct lawful basis: for example consent, legitimate interests or legal obligation.
  • Avoid collecting special category data unless necessary and you have a lawful basis.

Remember that if your lawful basis is consent, it must be freely given, informed and easy to withdraw.

Consequences can be serious. The Data Protection Authority can issue:

  • Warnings or reprimands.
  • Orders, for example to temporarily or permanently cease specific processing.
  • Administrative fines — up to EUR 20 million or 4% of global annual turnover.

Beyond this, the company risks reduced trust from customers and partners.

Yes. If your company collects personal data via the website — for example through contact forms, newsletters or cookies — you must have an accessible, clear privacy notice. It should explain:

  • What data is collected.
  • For which purposes the data is used.
  • The lawful basis for processing.
  • Which rights the visitor has.
  • How to contact the controller (the company).

It depends on the purpose of processing. Common lawful bases include:

  • Contract — when processing is necessary to perform a contract, for example delivering the service purchased by the customer.
  • Legal obligation — for example processing required to meet accounting requirements.
  • Consent — when the individual actively agrees to the processing.
  • Legitimate interests — when the company’s interests outweigh the individual’s privacy interests and processing is necessary for the purpose.

Selecting the right lawful basis is critical — Morling Consulting’s GDPR lawyers can help assess your specific processing, including gdpr guidance for small businesses and gdpr for businesses with complex vendor landscapes.

It depends on the type of processing you carry out. Under GDPR, a Data Protection Officer is required if:

  • Processing is carried out by a public authority.
  • The company monitors individuals systematically and on a large scale.
  • The company processes special category data on a large scale.

If you are not legally required to appoint a Data Protection Officer, it may still be beneficial to have external data protection support — for example from Morling Consulting.

Yes. If you do not have the right expertise or resources internally, you can appoint an external Data Protection Officer. Morling Consulting can take that role and help to:

  • Monitor GDPR compliance.
  • Act as a contact point with the Data Protection Authority.
  • Advise on data protection matters, including risk assessments and Data Protection Impact Assessments (DPIAs).
  • Support incident response and dialogue with data subjects.
  • Provide regulatory monitoring and ongoing compliance support.

This offers assurance and continuity in data protection without building in-house capacity.

Advice is tailored to each company’s needs and maturity. Examples include:

  • Drafting or updating a privacy notice for your website or app.
  • Reviewing or drafting data processing agreements before starting a new engagement.
  • Support in a personal data incident, for example assessing whether notification to the Data Protection Authority is required.
  • Legal analysis of the appropriate lawful basis for specific processing.
  • GAP analyses and current-state assessments to identify gaps and development areas.
  • Ongoing advice to the Data Protection Officer or leadership team on interpretation and application of GDPR in the business.

Contact

Porträtt av Felix Morling, jurist och legal consultant, kontakta oss för rådgivning.
Felix Morling

Speak to a GDPR lawyer

Does your business need practical help with GDPR? Contact us to discuss

"*" indicates required fields