GDPR Fines for Small Businesses
GDPR fines get reported at the €746 million end of the scale. Those are for Meta. What does enforcement actually look like for small businesses?
Here's the honest picture.
The maximum fines (and why they don't apply to you)
GDPR has two tiers of maximum fines:
Tier 1: Up to £8.7 million or 2% of annual global turnover — for less serious violations (e.g. failing to notify a data breach in time)
Tier 2: Up to £17.5 million or 4% of annual global turnover — for the most serious violations (e.g. processing data without a lawful basis, violating core principles)
These maximums are designed for large organisations. A £17.5 million fine on a solo founder with £30,000 in revenue doesn't make economic sense and the ICO knows it.
What small business enforcement actually looks like
The ICO (the UK's data protection authority) takes a proportionate approach. For small businesses, typical outcomes of complaints or investigations include:
Informal advice — the ICO contacts you, explains the issue, and tells you what to fix. This is the most common outcome for a first violation with no harm caused.
Formal reprimand — a written warning that goes on record. Public in some cases. No fine attached.
Enforcement notice — a formal order to take specific action (e.g. publish a privacy policy, stop a specific data practice). Failure to comply can lead to further action.
Monetary penalty — for serious or repeated violations, especially where harm was caused or data was handled recklessly. These are publicly announced.
Real examples at the smaller end
The ICO's public register includes enforcement actions against organisations of all sizes:
- A small estate agency fined for sending marketing emails without consent
- A sole trader fined for unlawfully sharing customer data
- A small charity fined for sending millions of unsolicited emails
The fines in these cases ranged from £3,000 to £100,000 — not millions, but still significant for a small business, and all publicly visible.
What actually triggers enforcement
Most ICO investigations start with a complaint from an individual — usually a customer who didn't know their data was being used for marketing, or couldn't get their data deleted when they asked.
The most common triggers:
- No privacy policy (basic non-compliance)
- Marketing emails sent without consent
- Failure to respond to a Subject Access Request (data access request) within 30 days
- Data breach not reported within 72 hours
- Sharing customer data with third parties without disclosure
The practical compliance floor for small businesses
You don't need a compliance department. You need:
1. A privacy policy that accurately describes what you do with data — live on your website
2. A cookie consent banner if you use any analytics or tracking
3. A way for users to request their data or deletion (an email address is fine)
4. Not sending marketing to people who didn't consent
That's it. Most small business exposure comes from not having (1) and (2).
The cost of getting it wrong vs getting it right
Getting a privacy policy wrong: potentially £3,000–£100,000 fine, public enforcement notice, reputational damage, customer complaints.
Getting it right: £9 and 10 minutes with InkTerms.
Need this document for your business? InkTerms generates it in minutes — tailored to your answers, in plain English.