When people think of Helen Dixon, they usually think of landmark GDPR decisions and fines against Big Tech. But behind the headlines is a regulator who spent years watching ordinary organizations, especially small and mid-sized ones, struggle to make privacy work in the real world.
In a recent episode of VeraSafe’s Privacy in Practice podcast, hosts Kellie du Preez and Danie Strachan sat down with former Irish Data Protection Commissioner and former Communications Regulator Helen Dixon to unpack what GDPR compliance actually looks like for growing companies, and what U.S. organizations need to know when dealing with EU rules and regulators.
During her time at the Data Protection Commission, Dixon oversaw high-profile GDPR cases, including rulings on Meta and investigations into Twitter, TikTok, and Apple. Under her leadership, the Commission transformed from a small office into a major regulator with over 220 staff.
Her insights are valuable not only for large multinationals but also for small and medium-sized enterprises (SMEs) navigating the complex landscape of data protection. This article unpacks her reflections on GDPR flexibility, SME challenges, e-Privacy considerations, and practical compliance strategies.
SME Challenges and GDPR
Understanding the SME Burden
Many SMEs and micro enterprises feel the weight of GDPR compliance. While recent proposals for GDPR simplification include provisions for SMEs, the reality is that smaller organizations still face significant challenges due to limited resources. Dixon is sympathetic to the reality that micro and small businesses face:
“Every day I saw the challenges that SMEs and micro enterprises experienced in trying to comply.”
However, Dixon points out that an organization’s small size can’t serve as a blanket exemption. She regards the GDPR’s risk-based approach as fundamentally correct, but cautions against assuming that smaller size equals lower risk. Risks to individuals’ rights and freedoms can be severe even in small organizations.
Even so, SMEs often lack dedicated privacy teams, meaning compliance responsibilities can fall on staff juggling IT, HR, and other roles. So where should those organizations focus their efforts?
Know Your Data and Your Estate
Dixon repeatedly comes back to one foundational truth, which is that most organizations don’t actually have a clear, current picture of what data they process and how. When Dixon and her team stepped back from individual complaints and asked basic questions—What systems are in use? What personal data is held? Which business functions depend on it?—senior leaders often couldn’t answer with confidence. For her, this lack of visibility is a fundamental blocker.
She views data and system understanding as the non-negotiable starting point for everything else:
“It is foundational in terms of starting to understand what is the business we’re in, what have we got, and what are the risks applicable to the personal data processing.”
Her message to organizations is clear: you cannot apply a risk-based GDPR approach if you don’t know what data you have.
Additional key steps for SMEs include:
- Conducting risk assessments to identify high-impact processing activities.
- Leveraging existing frameworks and guidance from supervisory authorities to avoid reinventing the wheel.
- Implementing iterative compliance, gradually improving processes with clear documentation.
Dixon emphasizes that GDPR compliance should be viewed as a strategic enabler rather than a regulatory burden. By demonstrating commitment to privacy, SMEs can strengthen trust with customers, potentially yielding commercial benefits.
Privacy Compliance Steps for SMEs
Dixon outlines a practical privacy compliance roadmap for smaller organizations that are unsure where to begin:
- Gap Analysis: Review existing processes, including data collection, storage, and jurisdictional considerations.
- Risk Assessment: Identify areas of exposure, including public-facing websites, cookies, and cross-border data transfers.
- Documentation Review: Examine internal policies, templates for responding to data subject rights, and public-facing privacy notices.
- Staff Training: Refresh employee knowledge, particularly HR teams, on recognizing and handling access requests.
- Action List: Prioritize tasks based on risk and resource availability, addressing foundational elements first.
Human Element in Compliance
One of the most striking threads in the conversation is how often Dixon returns to common sense and fairness as a practical compass for smaller organizations. She’s seen many organizations make their own lives much harder by:
- Trying to delay, restrict, or over-argue obvious obligations, or
- Treating every interaction as pre-litigation rather than as an opportunity to resolve a human problem.
Dixon encourages organizations to assume reasonableness until proven otherwise and to look for solutions that treat the person fairly. The same thinking applies to subject access requests (SARs), which Dixon identifies as a major challenge for many organizations. She observes that difficulties often arise not from volume but from attempts to restrict or delay responses.
She encourages organizations to engage directly with data subjects, clarify requests, and limit data searches to what is necessary.
Treating requests as opportunities to demonstrate accountability, rather than pre-litigation exercises, reduces operational burdens and strengthens trust.
Principles for Effective Subject Access Request Management
The following outlines VeraSafe’s recommended practices to help organizations strengthen and streamline their SAR management approach:
- Respect individual rights: Each request reflects a real person’s privacy rights and should be treated with care and seriousness.
- Timely and transparent responses: Ensure communications are clear, understandable, and meet GDPR-mandated deadlines.
- Risk-based prioritization: Recognize that not all requests carry the same operational or privacy risk; allocate resources and attention according to potential impact.
- Human oversight and engagement: While technology can assist, human review is essential to interpret nuances, clarify scope, and address the requester’s needs effectively.
Guidance for U.S. Companies
For U.S. organizations used to dealing with agencies like the Federal Trade Commission (FTC) or the Securities and Exchange Commission (SEC), a letter from an EU regulator can feel alarming. Dixon notes that EU data protection authorities are explicitly tasked not only with enforcement, but also with guidance and awareness-raising. This means that dialogue and consultation are built into how they work.
Dixon advises U.S. companies not to treat every regulator interaction as adversarial by default, but to engage proactively, communicate clearly, and approach issues with a solution-oriented mindset.
“It’s better to explain your reasoning upfront than to wait until a problem arises.”
While the GDPR doesn’t spell this out, Dixon also shares that cooperation, course correction, and documented effort matter. She explains that regulators do informally account for:
- Whether an organization is genuinely trying to comply,
- Whether mistakes were honest and corrected, and
- Whether there is a pattern of systemic non-compliance or repeat behavior.
She draws a distinction between a one-off, reasonably handled misstep by an organization that has never otherwise come to a regulator’s attention and large-scale, systemic issues or reckless ignorance of clearly foreseeable risks (for example, ignoring “state of the art” security expectations in a high-risk environment).
In addition, regulators expect practical evidence of compliance, including:
- Operational privacy measures and staff training.
- Consistent implementation across jurisdictions.
- Transparency when introducing new processing activities.
Documenting decisions, especially those protecting data subjects, strengthens credibility and facilitates smoother regulatory interactions.
Risk Registers and Engagement
Dixon recommends maintaining risk registers to document and prioritize privacy risks. This practice aids internal decision-making and demonstrates accountability to regulators. If a regulator later asks “what were you thinking?” it’s far better to have an honest, structured risk register with identified gaps than no record at all.
E-Privacy, Cookies, CMPs, and Email Pixels
Many organizations, especially U.S. businesses entering the EU market, underestimate the e-privacy layer of compliance (cookies, trackers, and similar technology). The EU’s e-Privacy framework remains a complex and evolving area for organizations. Dixon calls out several important points:
- The current e-privacy regime is based on a directive, so national implementation is fragmented and territorial.
- That means local laws differ in detail, and organizations may need jurisdiction-specific adjustments rather than a single, universal standard.
- Consent management platforms (CMPs) aren’t the problem in themselves; the problem is often the way they’re configured:
– “Reject all” must be as easy as “Accept all” on the first layer in many jurisdictions.
– Dark patterns or pre-ticked consent, or pushing users through multiple layers to refuse, are all enforcement magnets.
She suggests that organizations, especially those active across multiple EU member states, should study European Data Protection Board (EDPB) outputs summarizing cookie enforcement trends and follow guidance and enforcement from authorities like CNIL in France, which has taken an assertive stance on both cookies and email tracking technologies.
On email tracking pixels, she notes that this is clearly a live frontier, citing French draft guidance and recent enforcement where many organizations haven’t fully adjusted their practices or transparency. Her short-term advice is that until the EU refreshes the e-privacy framework (now expected via a broader “omnibus” law), assume the rules are stringent, not relaxed.
Lessons from Enforcement and Final Reflections
Dixon highlights common pitfalls that organizations face:
- Launching systems without adequate testing.
- Having strong documentation but failing to follow procedures in practice.
- Inadequate monitoring of automated systems for SARs or other data requests.
These errors often stem from a lack of holistic thinking, where organizations focus on high-profile risks but overlook everyday processes that can trigger complaints or enforcement.
Dixon’s regulatory philosophy emphasizes common sense and fairness. Whether for SMEs or multinational corporations, her guidance is clear: understand your operations, prioritize risk, engage openly with stakeholders, and embrace GDPR as a framework for sustainable privacy.
Listen to the Full Conversation
This article only scratches the surface of the stories and nuances Dixon shared. If you work in or advise a growing organization trying to make sense of GDPR, e-privacy, and data subject rights, this is a great episode. To hear the full discussion, including Dixon’s recommendations on how to prioritize a limited budget or limited time, tune in here:
