The SMB Compliance Starter Kit: Data Protection Without a Legal Team
You do not need a dedicated compliance department to meet your data protection obligations. This starter kit gives you the minimum viable compliance programme for a small or medium-sized business — practical, prioritised, and buildable in weeks.
Data protection compliance is often presented as something that requires a dedicated legal team, a DPO on retainer, and months of consulting work. For large organisations processing complex data across multiple jurisdictions, that may be accurate. For the overwhelming majority of small and medium-sized businesses, it is not.
A functioning compliance programme for a 10 to 100 person business is achievable without specialist legal staff. It requires clarity about what you actually need, discipline about maintaining what you build, and infrastructure that makes compliance a byproduct of normal operations rather than a separate workload.
This guide gives you the minimum viable compliance programme — the essentials that protect your business, satisfy the core requirements of GDPR and equivalent laws, and give you a defensible position if you ever face a regulatory investigation.
Step 1: Map your data (the record of processing activities)
Before you can protect data, you need to know what you have. GDPR requires controllers to maintain a Record of Processing Activities (ROPA) — a register of every category of personal data you collect, why you collect it, how long you keep it, and who you share it with.
For most SMBs, the categories are straightforward:
- Customers/clients: contact details, purchase history, correspondence, contractual information
- Prospects: contact information, marketing preferences, interaction history
- Employees: personal details, payroll information, performance records, health information where relevant
- Suppliers: contact information, contractual terms, payment records
- Website visitors: analytics data, cookie data, contact form submissions
For each category, document:
- What data you collect
- Why you collect it (the purpose)
- The lawful basis (contract, legal obligation, consent, legitimate interests)
- How long you keep it (retention period)
- Who you share it with (processors and third parties)
This document is the spine of your compliance programme. Everything else connects to it.
Time to complete: 2–4 hours for most SMBs. Use a spreadsheet to start — structure matters more than format at this stage.
Step 2: Sort out your lawful basis
For each processing activity in your ROPA, you need a lawful basis. The most commonly applicable grounds:
Contract: you process the data because it is necessary to perform a contract with that person or to take pre-contractual steps at their request. This covers most customer data processing.
Legal obligation: you process the data because you are legally required to. This covers payroll data (tax requirements), health and safety records, and accounting records.
Legitimate interests: you process the data for a genuine business purpose that is proportionate and does not override the individual’s rights. This often covers fraud prevention, network security, and some marketing to existing customers. It requires a documented balancing test — write down your purpose, why the processing is necessary, and why you believe your interests are not outweighed by the individual’s rights.
Consent: only use this where the other grounds genuinely do not apply. Consent is high-maintenance and creates ongoing management obligations.
Time to complete: 1–2 hours once the ROPA is drafted.
Step 3: Update your privacy notice
Your privacy notice must reflect reality. If your ROPA says you share customer data with a marketing platform and your privacy notice does not mention this, you have a disclosure gap.
A compliant privacy notice for an SMB covers:
- Who you are and how to contact you
- What data you collect and why (by category)
- The lawful basis for each category
- Who you share data with and why
- How long you keep data
- The rights individuals have (access, correction, deletion, objection, portability)
- How to complain to the supervisory authority
Plain language is legally preferable to legal language. A notice that a customer can read and understand is more effective than one that is technically precise but incomprehensible.
Time to complete: 2–3 hours for a first draft. Review by a lawyer or DPO is worthwhile but not mandatory for the initial version.
Step 4: Audit your processors
Every company you share personal data with that processes it on your behalf is a processor. You need a Data Processing Agreement with each of them.
Start with your highest-risk processors:
- Cloud storage providers (Google Drive, Dropbox, OneDrive)
- Email marketing platforms (Mailchimp, HubSpot, Campaign Monitor)
- CRM systems
- HR and payroll software
- IT support providers with access to your systems
- Accounting software
Most major SaaS providers have a DPA available through their privacy settings or legal documentation pages. For IT support companies and smaller providers, you may need to request one or use a template.
Maintain a register of your processors with the DPA reference and the last review date.
Time to complete: 4–8 hours to identify and collect DPAs for existing processors.
Step 5: Build a data subject rights process
When someone asks to access, correct, or delete their personal data, you have one month to respond. You need a process for receiving these requests, tracking them, and responding within the deadline.
The minimum viable process:
- A designated inbox or contact point for rights requests (ideally privacy@yourcompany.com or similar)
- A template acknowledgement that confirms receipt and the response deadline
- A documented process for identifying all data held about the individual across your systems
- A decision framework for any requests you may need to decline (partial exemptions apply in some circumstances)
- A log of all requests received with their status and outcome
For most SMBs, this is a simple internal procedure and a spreadsheet log. The key is that it exists, is known to the relevant staff, and is actually used.
Time to complete: 2–3 hours to design and document.
Step 6: Set up a breach response procedure
You need a process for identifying, assessing, and — where required — reporting data breaches within 72 hours.
The minimum viable breach procedure:
- A clear definition of what constitutes a breach (shared with all staff)
- A reporting path — any employee who suspects a breach must know who to tell immediately
- A named person responsible for breach assessment decisions
- A log template for documenting the breach, the assessment, and the response
- The contact details for your supervisory authority and the notification procedure
The 72-hour clock runs from when any responsible member of staff becomes aware of the breach. Make sure the reporting path gets notifications to the decision-maker quickly.
Time to complete: 2–3 hours to design and document.
Step 7: Train your team
Staff who handle personal data need to understand the basics: what constitutes personal data, what a breach is and how to report it, how to handle a data subject request, and what they must never do with personal data.
A one-hour annual training session covering these points, with individual attendance records, is a meaningful compliance asset. Training that is never documented is not distinguishable from training that never happened.
Time to complete: 1 hour per session, plus preparation time. Many online training providers offer GDPR awareness modules.
Maintenance: what to do monthly, quarterly, annually
Monthly: review any pending data subject requests for deadline compliance; check that the breach log is current.
Quarterly: review processor list for any new providers that need DPAs; check any recent regulatory guidance.
Annually: review and update ROPA; review and update privacy notice; refresh staff training; review retention schedules and execute any required deletions; test breach response procedure.
What this gives you
Following these seven steps gives you:
- A documented record of your processing activities
- A clear lawful basis for each category of data you process
- A privacy notice that accurately reflects your practices
- DPAs with your processors
- A working process for data subject rights
- A breach response capability
- A trained team
This is not a complete enterprise compliance programme. It is a genuine, defensible compliance baseline for an SMB — the foundation on which more sophisticated measures can be built as the business grows.
It is also more than most SMBs currently have.