
SMEs and Personal Data Protection: Initiatives to Promote Compliance

The following article was written by Gabriela Szlak, Luciano N. Gutman and Delfina Bianchi, and published in the Latin American Digest of the IAPP (International Association of Privacy Professionals). The original version can be read in Spanish here.

Small and Medium Enterprises (SMEs) are one of the backbones of the economy, especially in Latin America, where different institutions (OECD, IDB) estimate that 99.5% of all companies fall within this category. According to the same sources, SMEs also employ about 60% of the working population. Despite their crucial role, these companies face several legal challenges, including complex regulations that impose burdens hampering their potential to contribute to regional development and innovation.

In the specific context of personal data protection, SMEs, unlike large corporations, do not usually have areas dedicated to data management, such as legal, cybersecurity, technology, and data governance departments, among others. Therefore, the burden of correctly interpreting and applying data protection regulations can translate into excessive costs, risks of unintentional non-compliance, loss of competitiveness and deterrents to investment in emerging technologies.

This article reviews several initiatives in the European Union and Latin America that seek to support SMEs, either by relaxing certain privacy requirements that apply to them or by implementing tailored guidance materials or training programs. These efforts reflect the need to advance towards a model that aligns legal compliance with SMEs' operational reality, while guaranteeing fundamental rights of data subjects and promoting innovation and development.

European Union Background

There is no doubt that the GDPR established a solid framework for ensuring the right to protection of personal data in the European Union and beyond, as it impacted the regulations and practices across several countries – including many from Latin America – through the so-called Brussels Effect. However, as recognized by the European Parliament’s Research Service, certain stakeholders are pointing out that some standards of the GDPR may hinder the competitiveness and innovation capacity of EU-based companies.

In this context, in May 2025, the European Commission presented the Omnibus IV package, a proposal aimed at simplifying the European regulatory framework and reducing the requirements faced by SMEs in various areas. The package includes the reform of Article 30.5 of the GDPR, proposing to raise the employee threshold that triggers the obligation to maintain a record of processing activities from 250 to 750 employees. Furthermore, while the current wording of the GDPR excludes this derogation where data processing may pose a risk to the rights and freedoms of data subjects, the Omnibus IV package proposes that this exclusion only operates when the risk is high.

European supervisory authorities have also taken interesting approaches to the difficulties of SMEs in meeting the requirements of personal data protection rules. For example, the European Data Protection Committee and the Spanish Data Protection Agency have created guides and websites facilitating and explaining the obligations of companies under the GDPR. The Spanish authority has also developed a platform called Facilita RGPD, an interactive tool that assists SMEs engaged in low-risk data processing activities in generating mandatory documentation, such as data subject information clauses and data processing agreements.

Initiatives in Argentina and Latin America

The region provides compelling examples of regulatory simplification in personal data protection. For example, the Brazilian supervisory authority has issued Resolution CD/ANPD No. 2/2022, which applies to small data controllers and processors, including micro and small businesses, startups, nonprofits, and individuals. Among other provisions, the resolution allows small players to meet their record-keeping obligations in a simplified manner and exempts them from appointing a data protection officer. On the other hand, Chile’s new Personal Data Protection Act, which has not yet entered into force, also includes relevant provisions for SMEs, allowing the role of data protection officer to be assumed by the company owner or highest-ranking authorities. Uruguay, in turn, has published guidance materials specifically aimed at SMEs to support their compliance efforts regarding personal data processing.

In Argentina, the current regulatory framework raises concerns, as it mandates all data controllers—regardless of size—to register with the supervisory authority and report all personal data databases under their control. This requirement, which also applies to SMEs and can be particularly burdensome for them, has been abandoned by most countries that have updated their regulations. In line with that trend, Argentina’s latest reform bill—which expired in late 2024—correctly proposed eliminating these registration obligations for all companies. However, like the current legislation, the bill failed to include simplified compliance measures for SMEs, despite numerous recommendations from the private sector during the consultation process. One example is the criticism that the bill’s compliance deadline was too short—especially when compared to transitional clauses adopted in Brazil, Chile, and the European Union.

It would be advisable for the country to take note of neighboring countries’ best practices and of the EU’s ongoing GDPR review process, to ensure effective data protection while adapting certain requirements to SMEs’ capabilities. This would require taking into account their real capacity to comply and balancing the protection of rights of data subjects with operational feasibility.

While, to date, Argentina has not enacted regulations that reduce the compliance burden for SMEs in the field of data protection, we welcome the initiatives of the country’s data protection authority. The authority has recognized the challenges SMEs face and is supporting, for example, a training program for SMEs organized by the Foundation for the Internationalization of Public Administrations within the framework of the EU–Latin America Digital Alliance. This initiative aims to support SMEs in their responsible digital transformation processes by strengthening their data protection capabilities, promoting compliance with existing regulations, and facilitating alignment with international standards.

Conclusions

As mentioned above, Latin America is undergoing a process of modernizing its data protection framework. Some countries are discussing bills or implementing training and guidance initiatives, while others have already enacted new laws or compliance tools. In this context, raising protection standards for data subjects must be complemented with a comprehensive approach that considers the specific needs of SMEs and promotes their ability to comply.

One key recommendation emerging from the review of best practices in this area is the elimination of mandatory registration of controllers and databases (inspired by Directive 95/46 of the European Union, which is no longer in force). Also, in countries that have already updated their laws or that are in the process of doing so based on the GDPR, it would be prudent to consider exemptions or adaptations for SMEs for certain obligations such as keeping records of processing activities, appointing data protection officers, and conducting impact assessments.

Ultimately, to promote competitiveness and innovation, it is crucial to adopt approaches that facilitate compliance by SMEs. This can be achieved through a comprehensive approach that adapts certain regulatory requirements for these companies, as Brazil or Chile have done and, on the other hand, complements these adaptations with training programs or tailor-made guides for SMEs, as in the case of Argentina or Uruguay, respectively.

 

Gabriela Szlak T° 79 F° 516 CPACF 

Luciano N. Gutman T° 145 F° 535 CPACF

Delfina Bianchi

_______________________________________________________________________________________________________

1- SME Policy Index: Latin America and the Caribbean 2024: https://www.oecd.org/en/publications/sme-policy-index-latin-america-and-the-caribbean-2024_ba028c1d-en/full-report.html

2- MSME Financing Instruments in Latin America and the Caribbean During COVID-19: https://publications.iadb.org/en/publications/english/viewer/MSME-Financing-Instruments-in-Latin-America-and-the-Caribbean-During-COVID-19.pdf

3- Revisiting the GDPR: Lessons from the United Kingdom experience: https://www.europarl.europa.eu/RegData/etudes/BRIE/2025/775856/EPRS_BRI(2025)775856_EN.pdf

4- The EDPB data protection guide for small business: https://www.edpb.europa.eu/sme-data-protection-guide/home_en

5- Support for Small and Medium Enterprises (SMEs): https://www.aepd.es/derechos-y-deberes/cumple-tus-deberes/directrices-de-aplicacion/pymes

6- Facilita RGPD: https://facilita.aepd.es/

7- Resolution CD/ANPD No. 2, of January 27, 2022: https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/resolucao-cd-anpd-no-2-de-27-de-janeiro-de-2022

8- Law 21719: https://www.bcn.cl/leychile/navegar?idNorma=1209272

9- Guide to Personal Data Protection for businesses (especially micro, small, and medium enterprises – MIPYMES): https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/guia-para-micro-pequenas-medianas-empresas-mipymes/guia-para-micro-0