GUIDE · COMPLIANCE

GDPR at a small company: the IT side and the legal side

GDPR can look complex and expensive, especially right after an email that promises fines. For a small company, though, it comes down first to good organization and discipline on the IT side, not a thick stack of documents bought under pressure. We’ll split it, calmly, in two: the IT side, where we can help, and the legal side, where the right answer is a lawyer and the ANSPDCP guidance, not a blog post.

What it actually asks, in plain terms

Behind the jargon, GDPR sets out a few simple things. Inside your company you hold personal data about customers, employees, and suppliers: names, addresses, national ID numbers, emails. You have to keep it safe, use it only for the purpose you’ve stated, and be able to respond when someone asks what data you hold about them, or when, at some point, that data ends up where it shouldn’t.

Those are the substantive requirements. The rest (registers, policies, forms) is how you demonstrate, on paper, that you meet them. What matters, beyond the documents, is that they actually happen. A company with well-written policies but no verified backup is compliant on paper and exposed in reality.

The IT side, which falls to us

This is where we come in, because half of GDPR is really IT hygiene applied properly. It means knowing who has access to which data and why, so that not everyone has access to everything. It means a verified backup, so the data doesn’t get lost, and workstations kept updated and protected, so an attack can’t compromise them. And where it’s warranted, on laptops and on copies kept off-site, encryption, so a lost computer doesn’t automatically turn into a data breach.

This is also where the part few people think about until they have to comes in: what you do when an incident actually happens. GDPR gives you 72 hours to notify the authority once you’ve learned of a serious breach, and 72 hours go by fast if the roles aren’t set in advance. That’s why it pays to have a clear plan ready beforehand: who isolates the incident, who works out which data was exposed, who notifies. This is exactly the plan we prepare together during the audit.

The legal side, for a lawyer

The other half is legal and organizational, and here we don’t claim expertise: the record of processing activities, the legal basis for each type of data, consent where it’s needed, the GDPR clauses in your contracts, the notices to data subjects. You handle those with a lawyer or a consultant, and you follow the ANSPDCP, the authority responsible for data protection in Romania.

The line is simple. How the data is protected technically falls to a competent IT provider; what you’re entitled to do with it and how you document that falls to a lawyer. The two areas complement each other, but neither stands in for the other.

Our role in GDPR compliance

We don’t sell you a “GDPR package,” and we don’t sell you fear. What we do is put the IT side in order so that, when a customer, an auditor, or even the authority asks, you have concrete answers, not promises: who has access, when the backup was last verified, how the workstations are protected, what happens in the event of a breach. It starts with a free on-site audit: we review the current state of the data, and at the end you get a clear list of what’s in good shape and what’s worth shoring up.

THE NEXT STEP

Start with a security audit.

We go through backup, data access, and workstation and network protection, and show you the real risks. Free, with no obligation.