GDPR and ZZPL for small businesses: the minimum you must have
24 June 2026 · 7 min read
Many small businesses think personal data protection concerns only large companies. It doesn't. The moment you process people's data — employees, clients, suppliers — obligations apply to you: in Serbia the Personal Data Protection Act (ZZPL), and if you do business with the EU, GDPR as well. The good news is that for a small company the "minimum" isn't out of reach; the bad news is that "nothing" isn't an option. This isn't legal advice, but a practical overview of where to start.
First: know what data you even hold
You can't protect what you don't know you have. The most useful first step is an inventory (record) of processing:
- What personal data you collect (names, contacts, national ID numbers, employee records, video surveillance...).
- Where it's stored (systems, files, cloud services, paper).
- Why you process it and on what basis (contract, legal obligation, consent...).
- Who has access to it and who you share it with (e.g. accountant, suppliers).
This inventory is the foundation for everything else, and for most companies it reveals data they didn't even know they were holding.
Second: have a basis and be transparent
Every processing activity must have a legal basis and must be clear to the people whose data you process:
- A privacy notice (privacy policy) that clearly states what you store, why, and for how long.
- Consent where consent is the basis — voluntary, clear and revocable, not buried in fine print.
- Respect for people's rights: access to their data, correction, and deletion when there are grounds.
Transparency is cheap, and its absence is a common cause of complaints.
Third: technical and organizational protection
The law asks for "appropriate measures," not miracles. For a small company this practically means the hygiene you should have anyway:
- Access control — everyone sees only what they need for their job.
- Encryption of sensitive data and devices (laptops, phones).
- Multi-factor login and strong passwords.
- Backup and a recovery plan.
- Deleting data once its purpose expires — don't keep everything forever "just in case."
Much of compliance overlaps with good IT security; these aren't two separate projects.
Fourth: contracts with those who process data for you
If someone outside processes data for you — a cloud provider, an accountant, a mailing tool — the responsibility still rests with you. The minimum is to have a contract (or clause) governing how those partners may use the data and how they protect it. Choose vendors who can demonstrate this, not just promise it.
Fifth: know what you do when there's a leak
A data incident isn't a question of "if" but "when." Decide in advance:
- Who recognizes and reports an incident internally.
- Which reporting deadlines apply and to whom you have a duty to report (the supervisory authority, and in some cases the affected individuals).
- How you document what happened and what you did about it.
A ready, even short, procedure is the difference between a controlled response and panic.
Where small businesses most often go wrong
Typical gaps that are easy to close:
- Keeping data "forever" with no purpose and no deadline.
- Consent that isn't really consent (pre-ticked, unclear).
- Access that everyone has, because "it's easier that way."
- No record of processing, so the company doesn't even know where its data is.
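As an added illustration (not part of the original article), the inventory fields from the first section and the gaps listed above can be turned into a record that is checked automatically. The data class, the audit function and the sample inventory are my own assumptions about a workable format, not a prescribed one.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

@dataclass
class ProcessingRecord:
    """One row of the record of processing (fields follow the inventory list)."""
    category: str                    # what data (e.g. employee records)
    storage: str                     # where it lives (system, file share, cloud, paper)
    purpose: str                     # why it is processed
    legal_basis: Optional[str]       # contract, legal obligation, consent... or None if unknown
    retention_until: Optional[date]  # planned deletion date; None means "kept forever"
    access: Set[str]                 # roles or people who can read it
    processors: Set[str] = field(default_factory=set)  # external parties processing it
    processor_contract: bool = False # contract/clause with those processors in place

def audit_inventory(records: List[ProcessingRecord], today: date,
                    everyone: str = "everyone") -> List[Tuple[str, str]]:
    """Return (category, gap) pairs for the typical gaps named in the article."""
    findings = []
    for r in records:
        if not r.legal_basis:
            findings.append((r.category, "no legal basis recorded"))
        if r.retention_until is None:
            findings.append((r.category, "no retention deadline (kept forever)"))
        elif r.retention_until < today:
            findings.append((r.category, "retention deadline passed: delete or re-justify"))
        if everyone in r.access:
            findings.append((r.category, "access granted to everyone"))
        if r.processors and not r.processor_contract:
            findings.append((r.category, "external processor without a contract"))
    return findings

# Constructed sample inventory for a small company (illustrative values only).
AUDIT_DATE = date(2026, 6, 24)
SAMPLE_INVENTORY = [
    ProcessingRecord("employee records", "HR folder on file server", "payroll and employment",
                     "legal obligation", date(2031, 12, 31), {"HR", "CEO"},
                     {"external accountant"}, processor_contract=True),
    ProcessingRecord("newsletter subscribers", "mailing tool", "marketing",
                     "consent", None, {"marketing"}, {"mailing tool"}, processor_contract=False),
    ProcessingRecord("old job applications", "shared drive", "recruitment",
                     None, date(2024, 1, 1), {"everyone"}),
]

if __name__ == "__main__":
    for category, gap in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{category}: {gap}")
```

Run against the sample inventory, the employee records pass, while the newsletter list and the old applications each surface the gaps the article warns about.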
Compliance isn't a one-time document you complete and forget, but a way of working. For a small company the minimum is achievable: know what data you hold, have a basis and transparency, protect it with basic measures, sort out relationships with vendors, and prepare a procedure for incidents. For the specific obligations and deadlines that apply to your exact industry, check with a lawyer — this text helps you know which questions to ask.