Introduction

The essentials of the GDPR for SMEs

The GDPR is not only for large companies. It is European law that applies uniformly across every EU member state and sets out how every organisation, including your SME, must handle personal data. In this short module we cover the context, the scope, and why compliance matters for SMEs.

What you will learn in this module
  • Why the GDPR matters for SMEs
  • The essentials of the GDPR
  • Real-world examples of how it applies
Course disclaimer

This course covers the GDPR elements most relevant to SMEs, not every rule. It offers a pragmatic view, not legal advice. Some information may differ per country.

Theory · 1 of 3

GDPR, context

The GDPR is European law and therefore uniform across all EU member states. The GDPR is Regulation (EU) 2016/679. As an EU regulation it applies directly and uniformly across all EU member states, without each country needing its own implementing law. The full text of the regulation is available on EUR-Lex.

  • In force since May 2018.
  • Supervised in each country by a national data protection authority. The European Data Protection Board (EDPB) coordinates them across the EU.
  • In the UK: the EU GDPR was retained as UK GDPR after Brexit, supervised by the ICO.
    UK GDPR: after Brexit the UK kept a near-identical version of the EU GDPR as 'UK GDPR', alongside the Data Protection Act 2018. For SMEs the practical rules are the same; the main differences are around international transfers and adequacy decisions (see the ICO's guidance).
    ICO: the UK's supervisory authority for data protection. The ICO handles complaints, issues guidance, and enforces the UK GDPR and the Data Protection Act 2018 (see the ICO website).
Remember

One European law, applied uniformly, with a national supervisor in each country. The UK retained a near-identical version after Brexit.

Theory · 2 of 3

GDPR, scope

The law applies to personal data, whether the interaction is digital (website, app, etc.) or in a brick-and-mortar shop or office.

It is mandatory for all organisations worldwide that serve the EU market:

  • From large to small;
  • Including non-profits and associations of every kind (football clubs, scouts, rotary, etc.);
  • Across every industry.
Theory · 3 of 3

In practice: importance for SMEs

  • The GDPR is a legal obligation for every SME.
  • The supervisory authority can impose fines if you are not compliant.
    Fines: GDPR fines can reach €20 million or 4% of global annual turnover (whichever is higher). For SMEs the consequences are usually indirect, but the fine risk is real. Read more in the knowledge base.
  • Problems are often indirect consequences, via the breakdown of staff or customer relationships.
    Indirect consequences: not a direct mistake, but an indirect trigger: a customer or employee who walks away, a complaint, or a contract you lose because you cannot show you are compliant.
  • The GDPR has chain responsibility built in: larger companies expect you to be compliant.
    Chain responsibility: you remain partly responsible for the parties that process personal data on your behalf (your processors, such as your accounting or email software). Larger customers will use a data processing agreement to make sure you too are compliant. Read more in the knowledge base.
  • A business must be able to demonstrate compliance, and customers care about privacy.
    Demonstrating compliance: the GDPR has an accountability obligation. Being compliant is not enough; you also have to be able to prove it, for example with a records-of-processing register, a privacy notice, and evidence of training. Read more in the knowledge base.
The essentials in one picture

The GDPR is about personal data and sets out four rules around it: data minimisation, transparency, security, and the rights of data subjects. We work through these in the next modules.

Example · 1 of 2

"Does this really apply to me?"

Case 1 The physiotherapist with everything on his laptop

"My calendar, patient records, and accounts are all on my laptop. I do not think I need to do anything for the GDPR."

The GDPR classifies health data as special category data. It is therefore very important that you can demonstrate you have taken the necessary privacy measures: training, data security, and a records-of-processing register, to name just three.
Example · 2 of 2

"I do not sell online"

Case 2 No webshop, so no privacy notice?

The assumption: without online sales there are no GDPR obligations.

The GDPR imposes a duty to inform for every processing of personal data. You must inform data subjects about offline channels too. The privacy notice on your website should also describe the processing that happens in the shop or office.
Practice · question 1 of 2
Just practice, this does not count toward your certificate
"Our software has lots of fields for storing customer data, but we only use a few of them."
Correct: the GDPR requires data minimisation: use only personal data that is strictly necessary for the business purpose. Security, cloud, or consent do not remove that obligation.
Practice · question 2 of 2
"Those cookie pop-ups since GDPR are really annoying, why are they needed?"
Correct: cookies can collect personal data; the GDPR aims to prevent unwanted processing; and a website can also be built without tracking cookies. All three are true.
Summary

What you take away from module 1

  • The GDPR is European law, uniform across all EU member states, in force since May 2018, supervised by a national DPA in each country (in the UK, the ICO supervises UK GDPR after Brexit).
  • It applies to personal data, both digital and in a shop or office.
  • Mandatory for all organisations that serve the EU market, from large to small, including non-profits, across every industry.
  • A legal obligation for SMEs with real fine risk; problems are often indirect, and you must be able to demonstrate compliance.
Module complete

Module 1 complete 🎉

Nice work. You now understand the context, scope, and importance of the GDPR for SMEs. Ready for module 2 on personal data.

1 of 8 modules

On your way to your "GDPR essentials for SMEs" certificate

Complete all 8 modules and pass the final exam (at least 70%) to receive a personal certificate in your name, with a verifiable code.
