GDPR in 2025, updated guide for SMEs
Complying with data protection regulations is both a legal responsibility and a trust guarantee for customers. In this article, small and medium-sized enterprises (SMEs) and self-employed businesses will find the most relevant points of the General Data Protection Regulation (GDPR) and how new technologies impact their compliance.
The General Data Protection Regulation (GDPR) is a European Union regulation that protects individuals' privacy with respect to the processing of their personal data. It applies to all businesses operating within the EU, regardless of their size.
Although its legal structure has not changed since it came into force, new guides, tools, and clarifications have been published by:
- The Spanish Data Protection Agency (AEPD), at the national level.
- The European Data Protection Board (EDPB), at the European level.
These updates aim to adapt to new digital environments, including technologies such as Big Data, biometrics, and Artificial Intelligence.
Main obligations for SMEs and freelancers
All businesses operating with customer data within the European Union must comply with the 6 key principles of the GDPR:
- Lawfulness, Fairness, and Transparency: Organizations can only process a user's personal data if there is prior consent (freely given, specific, and unambiguous).
- Purpose Limitation: Data can only be collected for specific, explicit, and legitimate purposes.
- Data Minimization: Only personal data that is necessary and proportionate to the intended purpose may be processed.
- Accuracy: Inaccurate or outdated personal data must be rectified or erased.
- Storage Limitation: Businesses must have internal policies for data retention and deletion processes.
- Security: Necessary measures must be established to ensure that data is properly protected.
Practical Example:
An SME focused on online commerce can store and use its customers' data for order delivery. However, it cannot use that data for email marketing campaigns without prior consent.
How does the use of AI affect the GDPR?
An increasing number of small businesses are incorporating AI tools into their daily operations, whether for customer service, price management, experience personalisation, or task automation. If these tools process personal data, they are also subject to the GDPR.
The EDPB has highlighted three critical points:
- Personal data should not be used to train AI without a clear legal basis.
- Even if models claim to use anonymous data, it must be demonstrated that it is not possible to identify individuals.
- If automated decisions with significant effects on individuals are made, a Data Protection Impact Assessment (DPIA) must be conducted.
Practical Example:
An SME using AI to manage appointments must clearly inform the user and ensure that the decision can be reviewed by a person.
Resources and tools to facilitate compliance
Both the AEPD and the EDPB offer a range of free resources and tools to help SMEs and freelancers apply the GDPR:
- Facilita RGPD (AEPD): Step-by-step guide for SMEs with low-risk processing.
- Gestiona RGPD (AEPD): Tool for organising activity records, risk analysis, and impact assessments (DPIA).
- Evalúa-Riesgo RGPD (AEPD): Risk level assessment according to the type of processing.
- Comunica-Brecha RGPD (AEPD): Assistant for reporting security incidents to the AEPD.
- Guía de protección de datos para pymes (EDPB): Collection of information and advice for applying the regulation practically.
As you have seen, the GDPR is a regulation whose official guidance is constantly updated to keep pace with the rapid evolution of technology. It is therefore important to consult official sources regularly to keep customer information safe.
From Acelera pyme, we have prepared a downloadable checklist that will help you quickly verify if your business meets the essential requirements of the GDPR. Download it here!
