GDPR Compliance: Special Challenges for Small and Medium-Sized Organizations
The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, and companies collecting and maintaining even limited data about residents of the EU must comply. A U.S.-based company conducting only 5 percent of its business with European customers is still obligated to follow GDPR rules. But GDPR requirements are challenging to meet, and because smaller companies may have limited resources, they risk falling short of those requirements and facing the law’s serious sanctions of up to 4% of global revenue. There are, however, steps small and medium-sized enterprises can take to comply and limit their exposure to regulatory sanctions.
What’s the Challenge for Small and Medium-sized Companies?
Smaller companies often lack the necessary financial resources. They have smaller budgets and fewer resources to direct to data protection compliance than larger companies do, so they need to determine how to get the most from their investment in compliance.
Compliance may require expertise that in-house legal staff may lack. Large enterprises normally invest in in-house legal teams or departments to deal with any issue. Mid-market companies in many cases do not have the specialized expertise required for GDPR compliance and must outsource legal work.
GDPR compliance requires expertise beyond legal. Preparing for GDPR compliance requires more than legal know-how. The GDPR also requires companies to develop internal policies that promote protection and responsible data practices, and to implement programs and processes that ensure those policies are carried out. Compliance involves training employees and identifying someone in the company who is responsible for data protection and compliance. Completing the full range of tasks necessary to come into compliance – and to stay in compliance over time – requires time and money that most mid-market companies simply do not have.
What Should Small and Medium-Sized Companies Do?
- Make sure all legal and technical measures are in place. The GDPR greatly expands companies’ obligations to protect data and honor their customers’ rights. Companies are well advised to implement the necessary programs and processes and to provide appropriate security so that data is secure, protected and used responsibly.
- Identify the right internal teams to oversee data protection and GDPR compliance. The GDPR requires that companies identify an individual or team to take responsibility for data protection and GDPR compliance.
- Keep your workforce informed and privacy-aware. The GDPR requires that companies develop a workforce that understands the risks that individuals’ data can pose and the importance of privacy. Meeting that requirement is good for compliance and good for business. Employee onboarding, company communications and annual training sessions are all good opportunities to stress the importance of data protection and smart data practices with company personnel.
- Identify the right GDPR solution for your organization. There is no one-size-fits-all solution to GDPR compliance. Companies need to understand the strengths and limitations of their legal team and identify a solution that can best address their needs. While automated solutions may seem attractive, much of what the GDPR requires involves measures such as risk assessment, employee training, and developing a privacy notice that accurately reflects the company’s data processing and protection activities. For many smaller organizations, a combination of automated intake and client counseling may offer the best way forward.
GDPR compliance requires a thoughtful review of the company and of how it can make optimal use of its resources to fulfill the regulation’s obligations. Understanding the company’s needs, and the range of tools and counsel available to address them, is one of the first steps.
Achieved Compliance – helping you navigate the complex world of data compliance.
Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information on how we can help your organization become GDPR compliant, please contact firstname.lastname@example.org.