AI Automation

DSGVO for a Team of Six: The Compliance Theater You Can Safely Skip

The GDPR conversation for small firms is run by people who profit from your fear. Consultants, overlay vendors and cousins-who-read-an-article all push the same message: DSGVO is enormous, the fines are ruinous, buy the full package. A six-person firm ends up paying for a data-protection apparatus scaled for a corporation, and still does not do the few things that actually matter. So the useful question is not "how do I do all of DSGVO." It is "what does a firm my size genuinely have to do, and what is theater I can drop." The regulation is real and the must-do list is short. The oversold part is most of what gets sold. This piece is general orientation, not legal advice, and a genuinely risky data operation deserves a real Datenschutz specialist. For an ordinary small service or trade firm, here is the honest split.

Joshua Agonya Pi'Rwot

By Joshua Agonya Pi'Rwot

Founder, Business Growth Accelerator

Executive summary

Most GDPR work at a six-person firm is fear-driven overkill sold by consultants who profit from the fear. Here is the short must-do list that actually protects you, and the expensive theater you can drop.

Section 1

The genuine must-do list

These are cheap, they matter, and skipping them is where small firms actually get bitten. • A privacy notice (Datenschutzerklärung) on your website. Required, standard, and generated well by reputable tools. This is the single most common thing regulators and warning-letter lawyers (Abmahnung) check, because it is public. • A lawful basis for what you collect, and data minimisation. Do not collect what you do not need. For a small firm that mostly means: contact forms ask for the minimum, and you can say why you hold each category of data. • Basic data security. Locked devices, sensible passwords, access limited to who needs it, backups. Unglamorous, and it is what turns a lost laptop from an incident into a non-event. • Contracts with your processors (Auftragsverarbeitung, AVV). When a third party processes personal data for you (your newsletter tool, your cloud bookkeeping, your IT provider), you need a data-processing agreement in place. The providers supply the template. You sign it and file it. • A records-of-processing document (Verzeichnis von Verarbeitungstätigkeiten, the Article 30 ROPA). People believe the "fewer than 250 employees" line exempts them. Read Article 30(5): the exemption falls away if processing is not occasional, which describes every firm that runs payroll and keeps a customer list. So yes, you almost certainly need a ROPA. The good news is that for a six-person firm it is a short, honest list of what you process and why, not a corporate tome. That list is the real job. Most of it is a couple of afternoons and then light maintenance.

Section 2

The theater you can usually drop

Here is where the fear economy oversells a firm of six. • An appointed Datenschutzbeauftragter (DPO), in most cases. German law (Paragraph 38 BDSG) requires a formal DPO when at least 20 people are constantly engaged in automated processing of personal data. A six-person shop is far under that line and normally does not need to appoint one. Confirm your specific situation, because special-category data can pull you in regardless of headcount, but the default reflex to "hire a DPO" is misplaced at your size. • Corporate-scale documentation binders. The 80-page policy set, the annual data-protection management system, the impact assessments for routine processing. These exist to protect large organisations with large exposure. A firm holding ordinary contact and payroll data does not manufacture that risk and does not need the paperwork built for it. • Overlay and "instant compliance" widgets. The one-line script that promises to make your site DSGVO-compliant. Compliance is about what you actually do with data, and a widget cannot fix a process it cannot see. The reason to name the theater is not to be reckless. It is that every hour spent on oversized documentation is an hour not spent on the five things that genuinely protect you, and small firms routinely get this backwards.

Section 3

The line to watch

Two things move a small firm from the light regime into the heavier one, so know them: • Special-category data (health, biometric, and similar under Article 9). If you handle it, the exemptions tighten and you should get advice. • Processing as a core activity at scale, or crossing the 20-person automated-processing threshold, which triggers the DPO requirement. If neither applies, you are in the light regime, and the must-do list above is close to the whole job.

Section 4

The fitness test

Your DSGVO work is right-sized if: • You have the privacy notice, the processor contracts, and a short ROPA, and you can find all three in under five minutes. • You are not paying for a DPO or a corporate policy binder that your size and your data do not require. • You handle no special-category data and stay under the 20-person automated-processing line, so the heavy regime does not apply. If you have the binder but not the ROPA, you bought the theater and skipped the substance. Reverse it. Do the five real things, drop the oversized rest, and revisit only if your data or your headcount crosses the lines above.

FAQ

Direct answers for operators.

Does a six-person firm need to appoint a Datenschutzbeauftragter (DPO)?

Normally no. German law (Paragraph 38 BDSG) requires a formal DPO when at least 20 people are constantly engaged in automated processing of personal data. A six-person shop is far under that line. Special-category data can pull you in regardless of headcount, so confirm your specific situation.

Are we exempt from a ROPA because we have fewer than 250 employees?

Almost certainly not. Article 30(5)'s exemption falls away the moment processing is not occasional, which describes every firm that runs payroll and keeps a customer list. So you likely need a records-of-processing document. For a firm of six it is a short, honest list of what you process and why, not a corporate tome.

What does a small firm genuinely have to do for DSGVO?

A privacy notice (Datenschutzerklärung) on the website, a lawful basis with data minimisation, basic data security, data-processing agreements (AVV) with third parties that handle your data, and a short ROPA. That is a couple of afternoons of work and then light maintenance.

Can a compliance widget make my site DSGVO-compliant?

No. Compliance is about what you actually do with data, and an overlay or "instant compliance" script cannot fix a process it cannot see. Those widgets are theater, and every hour spent on oversized documentation is an hour not spent on the five things that genuinely protect you.

Joshua Agonya Pi'Rwot

Written by

Joshua Agonya Pi'Rwot

Founder, Business Growth Accelerator · Country Director, AVODA Group Uganda · EMBA

Joshua helps service-business operators turn scattered marketing into a clear path from first attention to booked call. He is Founder of Business Growth Accelerator and Country Director of AVODA Group Uganda.