GDPR for SMEs in Reunion Island — your obligations in practice
GDPR is not optional, even for a 3-person micro-business. In 2025, the CNIL imposed €486 million in fines — a historic record. Reunion Island SMEs are not immune: the simplified procedure specifically targets small organisations.
Mandatory processing register, CNIL notification within 72 hours of a breach, data subject rights to uphold, processors to manage contractually. ECLAUD IT supports SMEs in Reunion Island in achieving GDPR compliance: audit, register, security policy, outsourced DPO.
What GDPR concretely requires of SMEs
The General Data Protection Regulation applies to any organisation that processes personal data — with no minimum size or turnover threshold. Your client database, employee payslips, prospect email addresses, website cookies: all of this constitutes personal data processing within the meaning of GDPR.
For a Reunion Island SME, the obligations come down to four pillars: document (processing register), secure (technical and organisational measures), inform (data subject rights, privacy policy) and react (CNIL notification within 72 hours of a breach). This is not theory — the CNIL simplified procedure, in place since April 2022, specifically targets micro-businesses and self-employed professionals.
"48% of French SMEs have no formalised cybersecurity strategy — and most do not have a GDPR-compliant processing register." — Konica Minolta / IFOP study, 2025
In Reunion Island, the situation is even more pronounced. The local economy is 95% micro-businesses and SMEs. Many operate with an Excel file for their client list, a non-compliant web host and no GDPR documentation. On the day of a CNIL inspection or a ransomware attack that exfiltrates data, the consequences are serious — financially and reputationally.
The 5 concrete GDPR obligations for your SME
Processing register
Document every personal data processing activity: purpose, categories of data, retention period, security measures. Mandatory for every organisation, even a micro-business with 2 employees.
Data security
Implement appropriate technical and organisational measures: encryption, backups, access control, pseudonymisation. The CNIL verifies the proportionality of measures relative to risks.
CNIL notification within 72 hours
In the event of a data breach (ransomware, leak, unauthorised access), you must notify the CNIL within 72 hours and inform affected individuals if the risk is high.
Data subject rights
Respond to requests for access, rectification, erasure and portability from your clients, patients or employees. Legal deadline: 1 month maximum.
Managing processors
Your IT providers, cloud hosts and SaaS vendors must have GDPR clauses in their contracts. You remain responsible for the processing even if the data is held by a third party.
CNIL penalties and risks for SMEs — 2025 figures
2025 marks a turning point in CNIL enforcement. With €486 million in cumulative fines — nine times more than in 2024 — the Commission has clearly accelerated. Topics targeted: non-compliant cookies, employee monitoring, data security failures and unregulated transfers outside the EU.
Key figures:
€486 million in CNIL fines in 2025, nine times more than in 2024 (€55.2M). The CNIL is considerably toughening its sanctions.
Simplified procedure in place since April 2022, specifically targeting micro-businesses and self-employed professionals.
Ceiling: up to 4% of global annual turnover. For an SME, typical fines range from €5,000 to €500,000.
For an SME, typical penalties range from €5,000 to €150,000. But the most dangerous aspect is not the fine — it is the publication of the sanction. When the CNIL publishes your company's name on its website (the "name & shame" effect), the impact on your commercial reputation can be devastating. Your clients, partners and prospects will see it when searching for your name on Google.
The most frequently penalised failures in SMEs: absence of a processing register, security failures (plaintext passwords, unencrypted backups), failure to respect the right to object, non-compliant cookie banners. These are all elements that can be corrected within a few weeks with structured support.
Beyond administrative penalties, GDPR provides for criminal sanctions of up to 5 years' imprisonment and €300,000 in fines for the most serious cases (fraudulent collection, misuse of data). Criminal prosecutions are rare, but they do exist.
How ECLAUD IT brings you into GDPR compliance
We do not sell paperwork. Our GDPR approach is operational: we audit your IT estate, identify the gaps, fix the technical vulnerabilities and formalise the documentation. The result: compliance that holds over time, not a folder gathering dust.
Initial GDPR audit
Mapping of your data processing activities, identification of compliance gaps, risk assessment. Deliverable: report with prioritised action plan.
Processing register
Drafting and implementation of your CNIL-compliant register. We document every processing activity: HR, clients, suppliers, website, video surveillance.
Security policy
IT charter, incident management procedures, password policy, sensitive data encryption. Compliant with ANSSI recommendations.
Outsourced DPO
Part-time Data Protection Officer. CNIL interface, regulatory monitoring, training your teams, handling data subject requests.
What distinguishes us from a traditional GDPR consultancy: we are also your IT provider. When the audit reveals that your backups are not encrypted or that your host is non-compliant, we do not just write it in a report — we fix it. Technical security and legal compliance advance together.
For SMEs in Reunion Island, we offer on-the-ground support: on-site audit, in-person team training, a single point of contact reachable at +33 6 58 56 53 79.
GDPR and cloud processors — what you need to check
Your GDPR responsibility does not stop at the walls of your company. The moment you entrust personal data to a provider (host, SaaS vendor, online accountant, cloud CRM), you remain the data controller under GDPR. This is the principle of joint liability.
In practice, this means three things for your SME:
GDPR contractual clauses
Every contract with a processor must include GDPR clauses (Article 28): subject matter and duration of the processing, nature of the data, security obligations, and what happens to the data at the end of the contract. If your IT provider or host does not have these clauses, you are both in breach.
HDS hosting for health data
If you process health data (medical practice, dental practice, pharmacy, mutual health insurer, HR with detailed sick leave records), your host must be HDS certified. This is not a recommendation — it is a legal obligation (Article L1111-8 of the French Public Health Code). ECLAUD IT works exclusively with HDS-certified hosts for sensitive data.
Transfers outside the European Union
If your CRM, email or cloud backup stores data on servers outside the EU, you must put a legal framework around the transfer: standard contractual clauses (SCCs), an adequacy decision, or the Data Privacy Framework for the United States. The CNIL is increasingly auditing these transfers — several French companies have been sanctioned for using Google Analytics without sufficient safeguards.
We audit your entire IT processing chain: hosting, SaaS, cloud backup, collaboration tools. For each provider, we verify the location of data, certifications and contractual clauses. Result: a clear map of your data flows and a remediation plan if needed.
GDPR compliance pricing for SMEs
| Service | Includes | Indicative price |
|---|---|---|
| One-off GDPR audit | Processing activities mapping, gap identification, report with prioritised action plan | €1,500 — €3,500 |
| Full support package | Audit + register + security policy + IT charter + team training | €3,000 — €6,000 |
| Outsourced DPO | CNIL interface, regulatory monitoring, handling data subject requests, ongoing training | From €300/month |
Indicative prices for an SME of 5 to 50 employees. The outsourced DPO can be shared among several organisations in the same sector. All services are eligible for the training tax credit and are tax deductible.
FAQ — GDPR for SMEs
Does GDPR apply to my SME with fewer than 10 employees?
Yes, without exception. GDPR applies to any organisation that processes personal data, regardless of its size. Even a self-employed person with a client list in Excel is affected. The only nuance: companies with fewer than 250 employees benefit from lighter requirements on certain documentation obligations — but the processing register remains mandatory whenever the processing is not occasional.
What penalties could a Reunion Island SME concretely face?
The CNIL now uses the simplified procedure for SMEs and self-employed professionals. Typical fines for an SME range from €5,000 to €150,000: security failures, non-compliant cookies, absence of a register. Beyond the fine, publication of the sanction (name & shame) can be devastating for your reputation. In 2025, the CNIL imposed €486M in cumulative sanctions.
Do I need to appoint a DPO (Data Protection Officer)?
A DPO is mandatory if you process sensitive data at scale (health, judicial data) or if you carry out regular and systematic monitoring of individuals. In practice, a medical practice or an accounting firm must have a DPO. For other SMEs, it is not mandatory but strongly recommended. ECLAUD IT offers an outsourced DPO service tailored to SMEs.
Is my cloud host GDPR compliant?
Not necessarily. If your host transfers data outside the EU (servers in the United States for example), it must implement standard contractual clauses or rely on the EU-US Data Privacy Framework. For health data, the host must be HDS certified. ECLAUD IT audits your processors and ensures that contracts include the mandatory GDPR clauses.
How much does GDPR compliance cost for an SME?
A one-off GDPR audit for an SME of 5 to 20 employees costs between €1,500 and €3,500. The full support package (audit + register + security policy + training) ranges from €3,000 to €6,000. The monthly outsourced DPO starts at €300/month. This is a minimal investment compared to the risk of CNIL fines or reputational damage.
What GDPR changes in 2025-2026 affect SMEs?
Three major developments: the Data Act (September 2025) governs IoT and industrial data sharing. The AI Act (August 2026) imposes transparency obligations for high-risk AI systems. And the CNIL is stepping up its controls on cookies, data security and transfers outside the EU. If you use AI tools (ChatGPT, copilots), you must document these processing activities in your register.
Your GDPR compliance deserves a field expert
Free GDPR audit — gap identification, prioritised action plan, no commitment.