GDPR Compliance: The Complete Guide for Businesses
GDPR compliance is not a box to tick. It is a posture. One that considers the personal data of your clients, employees and partners as deserving the same care as your financial assets.
Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied to any organisation, whether established in the EU or not, that processes the personal data of people in the EU. Eight years later, the reality is brutal: in 2025, the CNIL (French DPA) issued 486.8 million euros in fines — nine times more than in 2024. Google was sanctioned 325 million euros for cookies deposited without consent. SHEIN for 150 million. France Travail for 5 million for security failures.
The message is clear: the era of tolerance is over.
This guide details the 8 fundamental GDPR obligations, proposes a checklist adapted to your company size, and identifies concrete tools for each obligation.
The 8 key GDPR obligations
1. Maintain records of processing activities (Article 30)
The records of processing activities are the backbone of your GDPR compliance. They document all operations performed on personal data: collection, storage, use, transfer, deletion.
What they must contain:
- The purpose of each processing operation
- The categories of data processed
- The recipients of the data
- Retention periods
- Security measures implemented
The records are not a static document. They must be updated with every new processing operation, every change of processor, every evolution of purpose. The CNIL (French DPA) has repeatedly stated that the absence of records is one of the most frequent non-compliances.
A common trap: many companies create records during their initial compliance effort, then never update them. Yet outdated records are almost as problematic as absent records. Every new marketing campaign, every CRM tool change, every new processor agreement should result in an update.
A tool like Complio automates the compliance audit of your website and identifies data processing operations to document.
2. Appoint a DPO when required (Article 37)
The Data Protection Officer (DPO) is mandatory for:
- Public authorities and bodies
- Companies whose core activity involves regular and systematic monitoring of individuals on a large scale
- Companies processing sensitive data on a large scale (health, biometrics, political opinions) or data relating to criminal convictions and offences
Even when not mandatory, appointing a DPO remains recommended by the CNIL (French DPA) as best practice, particularly for SMEs handling significant volumes of customer data.
The DPO’s role goes beyond administrative compliance. They must inform and advise the data controller, monitor compliance with the regulation, cooperate with the CNIL (French DPA) and serve as a contact point for data subjects. An effective DPO is a strategic asset: they anticipate risks, structure processes and strengthen the confidence of business partners.
For SMEs that lack the resources for a full-time internal DPO, using an outsourced DPO is a pragmatic solution. The average daily rate is around 600 euros, and the engagement can be scaled to the company’s actual needs.
3. Conduct Data Protection Impact Assessments (DPIAs) (Article 35)
The Data Protection Impact Assessment is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals. The CNIL (French DPA) has published a list of processing operations for which a DPIA is systematically required.
Typical cases requiring a DPIA:
- Large-scale profiling
- Systematic monitoring of a publicly accessible area
- Large-scale processing of sensitive data
- Large-scale data cross-referencing
The DPIA methodology comprises four steps: description of the envisaged processing, assessment of necessity and proportionality, appraisal of risks to the rights and freedoms of individuals, and definition of measures to address those risks. The CNIL (French DPA) offers a free tool (PIA) to support companies in this process.
A DPIA is not a one-off exercise. It must be reviewed regularly, particularly when the processing context changes (technology change, expanded purposes, new processor).
4. Guarantee individuals’ rights (Articles 15 to 22)
The GDPR confers concrete rights on individuals over their data:
- Right of access: obtain confirmation that data is being processed, a copy of it, and information on purposes, recipients and retention periods
- Right to rectification: correct inaccurate data
- Right to erasure (“right to be forgotten”): request deletion
- Right to data portability: receive the data the individual provided in a structured, commonly used and machine-readable format, and have it sent to another controller where technically feasible (applies to automated processing based on consent or contract)
- Right to object: refuse processing, particularly for direct marketing
- Right to restriction: temporarily freeze processing
Your company must have an internal process to respond to these requests within one month of receipt. Article 12(3) allows two further months for complex or numerous requests, but only if you tell the individual about the extension, and why, within the first month.
In practice, managing individuals’ rights is one of the most neglected points by companies. Yet it is a direct indicator of GDPR maturity. Setting up a dedicated email address (dpo@yourcompany.com or gdpr@yourcompany.com), a documented procedure with response templates, and a tracking register for requests is the bare minimum. Verify the requester’s identity before releasing anything: sending a copy of someone’s data to the wrong person is itself a data breach. The CNIL (French DPA) systematically checks this during inspections.
5. Notify data breaches (Articles 33-34)
In the event of a personal data breach (unauthorised disclosure or access, loss, alteration or destruction of data), you must:
- Notify the CNIL (French DPA) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a notification made after 72 hours must explain the delay
- Inform the affected individuals if the breach poses a high risk to their rights and freedoms
The France Travail sanction (5 million euros in January 2026) illustrates the consequences of insufficient security: an attacker accessed the data of millions of registrants by exploiting security vulnerabilities.
Prevention is as important as reaction. Implementing an incident detection system (access monitoring, abnormal behaviour alerts, event logging) enables faster response. Documenting a notification procedure with clear responsibilities, pre-drafted templates and an escalation chain is essential. The CNIL (French DPA) has indicated that response time and quality of communication to affected individuals are mitigating factors in sanction assessments.
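The "abnormal behaviour alert" mentioned above is usually a handful of rules over the access log of the application that holds personal data. The block below is an added example (not code from the page or from DPLIANCE) of one such rule: raise an alert when a single account reads more than a threshold of distinct records within a sliding time window, which is what bulk extraction by a compromised or abusive account looks like. The log line format, the window and the threshold are assumptions chosen for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (one line per record access), e.g.:
# 2026-01-15T09:00:01Z user=agent42 action=view record=R1001
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<rec>\S+)$")


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "action": m["action"], "record": m["rec"]}


def detect_bulk_access(lines, window=timedelta(minutes=10), threshold=20):
    """Alert once per user when they read more than `threshold` distinct
    records inside any `window`-long sliding window."""
    events = [e for e in map(parse, lines) if e and e["action"] == "view"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # user -> deque of (timestamp, record) within the window
    alerts, alerted = [], set()
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["record"]))
        while q and e["ts"] - q[0][0] > window:  # drop accesses older than the window
            q.popleft()
        distinct = {rec for _, rec in q}
        if len(distinct) > threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "at": e["ts"].isoformat(),
                           "distinct_records": len(distinct)})
    return alerts


def make_sample_log():
    """Constructed sample: one normal user and one account pulling 30 records in 2.5 minutes."""
    base = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # agent07: one record every 10 minutes, normal case handling
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z user=agent07 action=view record=R{2000 + i}")
    for i in range(30):  # agent42: a new record every 5 seconds
        t = base + timedelta(hours=2, seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z user=agent42 action=view record=R{1000 + i}")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print("ALERT bulk access:", alert)
```

The alert fires on the 21st distinct record, which is the moment a human should be paged and the account session reviewed; the same structure (parse, per-user sliding window, one alert per offender) extends to other rules such as exports outside business hours or access from a new IP address.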
6. Apply Privacy by Design (Article 25)
Privacy by Design requires integrating data protection from the design stage of any new product, service or processing operation. It is not a compliance layer added after the fact — it is an architectural principle.
Concretely, this means:
- Minimise data collected (collect only what is strictly necessary)
- Pseudonymise or anonymise data when possible
- Encrypt data in transit and at rest
- Limit data access to strict need
Privacy by Default complements Privacy by Design. By default, only data strictly necessary for the purpose should be processed. This applies to the volume of data collected, the extent of processing, the retention period and accessibility. A registration form should not collect a phone number if communication is by email. A user account should not be public by default unless the user has chosen this option.
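Two of the measures listed above, minimisation and pseudonymisation, are easy to get subtly wrong: the usual mistake is to "pseudonymise" an email address with a plain SHA-256, which anyone can reverse by hashing guessed addresses, since emails are low-entropy. The block below is an added example (not code from the page or from DPLIANCE) showing a keyed pseudonym (HMAC-SHA256 under a secret held outside the dataset) beside the unkeyed hash, a dictionary reversal that succeeds against the latter and fails against the former, and a minimisation step that keeps only the fields an analytics purpose needs. The records, field names and purpose are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): what a registration form might store.
RAW_RECORDS = [
    {"email": "alice@example.org", "name": "Alice Martin", "phone": "+33600000001",
     "newsletter": True, "plan": "pro"},
    {"email": "bob@example.org", "name": "Bob Durand", "phone": "+33600000002",
     "newsletter": False, "plan": "free"},
]

# Fields the (assumed) analytics purpose actually needs; everything else is dropped.
ANALYTICS_FIELDS = ("newsletter", "plan")


def minimise(record, allowed):
    """Privacy by Default: keep only the fields the stated purpose needs."""
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 under a secret key stored apart from the data.
    Same input and key give the same token, so records can still be joined;
    without the key, a guessed email cannot be hashed and compared."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier):
    """The common mistake: plain SHA-256 with no key. Anyone can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_reversal(token, candidates):
    """Re-identify a token by hashing a list of guesses (an attacker's view)."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


def build_analytics_dataset(records, key):
    """Minimised, pseudonymised rows: no email, name or phone leaves the source system."""
    return [{"user": pseudonymise(r["email"], key), **minimise(r, ANALYTICS_FIELDS)}
            for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a KMS or secret store, never next to the dataset
    guesses = ["carol@example.org", "alice@example.org"]
    print("unkeyed hash reversed to:", dictionary_reversal(unkeyed_hash("alice@example.org"), guesses))
    print("keyed pseudonym reversed to:", dictionary_reversal(pseudonymise("alice@example.org", key), guesses))
    for row in build_analytics_dataset(RAW_RECORDS, key):
        print(row)
```

Note that a keyed pseudonym is still personal data for whoever holds the key (Recital 26), so the key's custodian, rotation and access controls belong in the records of processing activities; only data that cannot be linked back to a person by anyone is anonymous and outside the GDPR.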
At DPLIANCE, Privacy by Design is a founding principle. Mirage Analytics deposits no cookies and stores no IP addresses — compliance is not a configuration, it is the default behaviour.
7. Regulate transfers outside the EU (Articles 44 to 49)
Any transfer of personal data to a country outside the EU/EEA must be governed by appropriate safeguards. Article 44 of the GDPR sets a clear principle: the level of protection guaranteed by the regulation must not be undermined.
Authorised mechanisms:
- European Commission adequacy decision
- Standard contractual clauses (SCCs)
- Binding corporate rules (BCRs)
- Approved codes of conduct or certifications
The EU-US Data Privacy Framework adopted in July 2023 is subject to legal challenges (potential “Schrems III”) and could be invalidated. The safest solution remains hosting in Europe. This is DPLIANCE’s choice: all our solutions are hosted on Scaleway, a European cloud infrastructure.
Beware of indirect transfers. Using Google Analytics, a US CDN, or even Google Fonts can constitute a data transfer to the United States: the visitor’s browser sends their IP address and request headers to every host it fetches a resource from, whether or not you ever see that data. Each third-party script, stylesheet, font or embed loaded on your site is a point of vigilance. A complete audit of your data flows is essential to identify all transfers, including those you had not anticipated.
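The first step of such an audit is mechanical: list every host a page makes the browser contact, then separate first-party hosts from third parties and check each third party against your processor contracts and transfer safeguards. The block below is an added example (not code from the page or from Complio) that does that listing from page HTML with the standard library; the sample page is constructed, the site domain is an assumption, and the example only reports hosts, it does not judge where they are hosted.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that make the browser fetch a remote resource (and thereby
# send the visitor's IP address and headers to that host). Scripts injected
# at runtime are not visible in static HTML; see the note below.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # stylesheets, fonts, preconnect, preload
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
}

# Constructed sample page for the example: one first-party script, a stylesheet
# served from a subdomain, and three external resources.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://static.example.org/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="/img/logo.png" srcset="/img/logo.png 1x, //cdn.example-cdn.net/logo@2x.png 2x">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every resource-fetching attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":  # "url 1x, url 2x": take the URL part of each candidate
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.refs.append((tag, name, parts[0]))
            else:
                self.refs.append((tag, name, value.strip()))


def third_party_hosts(html, site_host):
    """Map each external host to the tags that reference it.
    Relative URLs and data: URIs are first-party; subdomains of site_host are too."""
    parser = ResourceCollector()
    parser.feed(html)
    site_host = site_host.lower()
    found = {}
    for tag, _attr, url in parser.refs:
        if url.startswith("//"):  # protocol-relative URL
            url = "https:" + url
        host = urlsplit(url).hostname
        if not host:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        found.setdefault(host, set()).add(tag)
    return {h: sorted(tags) for h, tags in sorted(found.items())}


if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, "example.org").items():
        print(f"{host:35} referenced by {', '.join(tags)}")
```

Static HTML misses resources added by JavaScript (a tag manager typically loads further tags at runtime), so treat this as the baseline and complete it with the browser’s network panel or a headless-browser capture of the rendered page. Every host in the resulting list should map to a named processor with an Article 28 contract and, if it is outside the EU/EEA, a documented transfer mechanism.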
8. Demonstrate your compliance (accountability) (Article 5.2)
The accountability principle reverses the burden of proof: it is not for the CNIL (French DPA) to prove you are non-compliant, it is for you to prove that you are.
Expected evidence:
- Up-to-date records of processing activities
- Clear and accessible privacy policies
- Proof of consent collection
- DPIA documentation
- Processor contracts (Article 28)
- Breach management procedures
- Staff training records
Accountability is not built the day before an inspection. It is a continuous process requiring systematic documentation of every decision, every measure and every evolution. Companies that take accountability seriously gradually build a solid compliance dossier that, in the event of a CNIL (French DPA) inspection, demonstrates good faith and diligence. This is a recognised mitigating factor in the CNIL (French DPA)’s sanction assessments.
Checklist by company size
Micro-businesses (fewer than 11 employees)
- Draft a compliant privacy policy
- Set up a compliant cookie banner with Cookilio
- Maintain simplified records of processing activities (the CNIL (French DPA) provides a template; the Article 30(5) exemption for organisations under 250 employees rarely applies, since it requires processing that is only occasional, low-risk and free of special-category data)
- Secure data access (passwords, encryption)
- Verify website compliance with Complio
- Respond to rights exercise requests
- Raise staff awareness of basic GDPR rules
SMEs (11 to 250 employees)
All of the above, plus:
- Assess the need to appoint a DPO
- Map data flows with processors
- Contractually govern each processor (Article 28 clause)
- Implement a breach notification procedure
- Train teams on GDPR best practices
- Replace Google Analytics with a compliant solution like Mirage Analytics
- Document the legal basis for each processing operation
- Implement a formal process for managing rights exercise requests
Mid-cap companies (250+ employees)
All of the above, plus:
- Appoint a DPO if the Article 37 criteria apply (they depend on the nature and scale of the processing, not on headcount, but are commonly met at this scale; above 250 employees the Article 30(5) record-keeping exemption is also no longer available)
- Conduct DPIAs for high-risk processing
- Implement a structured compliance programme
- Regularly audit processors
- Document non-EU transfers and associated safeguards
- Integrate Privacy by Design into development processes
- Establish a data governance committee
- Conduct regular internal compliance audits
DPLIANCE tools for each obligation
GDPR compliance cannot be solved with a single tool. But the right tools significantly simplify the work.
| Obligation | DPLIANCE tool |
|---|---|
| Website compliance | Complio — automated audit, tracker detection, privacy policy verification |
| Cookie management | Cookilio — CMP compliant with CNIL (French DPA) recommendations, refusal as simple as acceptance |
| Cookieless analytics | Mirage Analytics — zero cookies, zero persistent trackers, consent-exempt |
| Sovereign hosting | All DPLIANCE solutions are hosted on Scaleway in Europe |
Privacy is not a compromise. Neither is sovereignty. This conviction guides every product we design.
The most common GDPR compliance mistakes
Beyond formal obligations, certain mistakes come up systematically in CNIL (French DPA) inspections:
Confusing compliance with documentation. Having a privacy policy on your site is not enough if it does not reflect the reality of your processing. The CNIL (French DPA) checks consistency between what is declared and what is practised.
Neglecting processors. Every SaaS tool you use (CRM, email marketing, analytics, hosting) is a processor under the GDPR. Without a compliant Article 28 contract with each of them, your compliance is incomplete.
Ignoring the minimisation principle. Collecting data “just in case” is a GDPR violation. Each piece of data collected must correspond to a specific and documented purpose.
Underestimating training. The weakest link in compliance is often human. An employee who sends a client file via unencrypted email, uses a weak password, or shares data with an unauthorised provider creates a risk that all the documentation in the world cannot compensate for.
FAQ
Does the GDPR apply to micro-businesses and sole traders?
Yes, without exception. The GDPR applies to any organisation processing personal data of European residents, regardless of size. The CNIL (French DPA) and EDPB have published specific guides to support SMEs in their compliance efforts. The CNIL (French DPA)’s simplified procedure allows rapid sanctioning of even small structures, with fines up to 20,000 euros.
How much does GDPR compliance cost?
The cost varies by organisation size and complexity. For a micro-business, essential tools (CMP, compliant analytics, site audit) represent a few dozen euros per month. For an SME, support from an outsourced DPO costs between 3,000 and 7,000 euros for an initial audit, then a few hundred euros per month for ongoing support. The real cost is that of non-compliance: fines can reach 20 million euros or 4% of global annual turnover, whichever is higher.
What is the difference between GDPR and ePrivacy?
The GDPR governs the processing of personal data broadly. The ePrivacy Directive (and the CNIL (French DPA) recommendations derived from it) specifically governs cookies and trackers. The two complement each other: a site must comply with the GDPR for data processing AND with ePrivacy for cookie deployment. In practice, cookie compliance is often the first subject checked by the CNIL (French DPA) because it can be easily verified remotely with automated robots.
Is a DPO mandatory?
Not for all companies. The DPO is mandatory for public bodies, companies whose core activity involves systematic large-scale monitoring, and those processing sensitive data at scale. For others, it is recommended but not imposed. Even without a legal obligation, designating an internal GDPR point of contact helps structure the approach and provides an identified contact in case of inspection.
How to prove compliance during a CNIL (French DPA) inspection?
By presenting your up-to-date records of processing activities, privacy policies, proof of consent, DPIA documentation, processor contracts and breach management procedures. Accountability requires continuous documentation, not a one-off effort. Regular website audit reports with Complio also constitute tangible evidence of your vigilance.
What are the most common CNIL (French DPA) sanctions?
In 2025, the most frequent grounds for sanctions were: cookies deposited without consent (21 sanctions), data security failures, absent compliant privacy policies, and non-respect of individuals’ rights. The simplified procedure was used for 67 of the 83 sanctions issued, showing that the CNIL (French DPA) now also targets “simple” cases with great efficiency.
Sources: CNIL (French DPA) — SME Guide, CNIL (French DPA) — 2025 Sanctions Review, CNIL (French DPA) — Non-EU Data Transfers, EDPB — GDPR Guide for SMEs. Article updated 24 March 2026.