The misconception
“I’m just a small business. The supervisory authority has better things to do than fine me. Those GDPR fines are for Google and Facebook, not for me.”
It’s a logical thought. You read in the news about billion-euro fines for Meta and Amazon. Why would the supervisory authority bother with your bakery, webshop, or consultancy?
But reality is more nuanced - and more dangerous than you think.
It’s not just about the mega-fines
The big fines make the news. Meta’s $1.2 billion fine in 2023 was in every newspaper. But beneath that is an iceberg of smaller fines you never see in the news:
- In Germany, the Lower Saxony supervisory authority issued a fine of $12,500 to a small business that had no processing register
- In Spain, a dental practice received a fine of $5,000 for sending marketing emails without consent
- In Romania, a small webshop was fined $3,000 for not responding to an access request
- In Belgium, the GBA imposed a fine of $15,000 on an SME that used personal data for a purpose other than what it was collected for
These are not isolated incidents. According to the GDPR Enforcement Tracker, more than 2,100 fines have been issued in Europe since 2018, and a significant portion involves businesses with fewer than 50 employees.
The fine is not your biggest risk
Here’s where it gets really interesting. For most SMEs, the fine itself is not the biggest problem. It’s the associated costs and consequences:
Customer complaints
When a customer files a complaint with the supervisory authority (the GDPR deliberately makes this easy), you must respond. That costs you:
- Time: you must provide documents, give explanations, answer questions
- Money: you may need legal advice
- Stress: an investigation by the supervisory authority is unpleasant for any business owner
Employee complaints
Former employees who discover that their data was not processed correctly are a growing source of complaints, especially when the departure wasn’t entirely smooth.
Reputation damage
If a customer discovers you handle personal data carelessly, you lose trust. In a time when consumers are increasingly privacy-aware, that can cost you customers.
Proportionate, but not painless
The GDPR requires fines to be “effective, proportionate, and dissuasive”. This means supervisory authorities consider your business size. A freelancer won’t receive the same fine as Amazon.
But proportionate does not mean painless:
- A fine of $5,000 is a significant blow for a sole trader
- A fine of $25,000 can represent a quarter’s profit for an SME with 10 employees
- The administrative costs of an investigation come on top of that
And remember: the supervisory authority can also impose a penalty payment. That means you are ordered to stop a specific violation, and for every day you don’t, you pay a set amount. That adds up quickly.
What you should do
1. Stop comparing yourself to Google
The question is not whether you’ll get the same fine as a tech giant. The question is whether you have the basics in order when a complaint comes in.
2. Get the basics right
The most common violations by small businesses are surprisingly simple:
- No processing register
- No data processing agreements with processors
- Not responding to data subject requests (access, deletion)
- Marketing emails without valid consent
These are all things you can sort out in a few weeks.
3. Think about the customer, not the fine
The best motivation for GDPR compliance is not fear of a fine. It’s your customers’ trust. Customers increasingly choose businesses that are transparent and careful with their data.
4. See it as business hygiene
Just like you keep your bookkeeping in order and take out insurance, GDPR compliance is part of good business practice. It’s not a luxury, it’s a necessity.
GDPRWise scans your website and gives you a complete picture of your GDPR status. In 15 minutes you'll know what's in order and what you still need to arrange.