GDPR Fines for SMBs: Examples & How to Avoid


2022 was a record year for GDPR fines, with over €2.92 billion issued in total. For small to medium-sized businesses looking to grow, these fines can be detrimental to both revenue and reputation.

As experienced professionals in GDPR compliance who help businesses lawfully process and protect data, we’ve outlined previous GDPR fines issued to small to medium-sized businesses, the most common reasons why SMBs receive these fines and some helpful tips for successfully navigating GDPR compliance.

What is GDPR? 

The General Data Protection Regulation (GDPR) is a European regulation that provides guidance and restrictions for how businesses are able to collect, process and use their customers’ personal information. It was established to provide individuals with more control over and visibility into the personal information being gathered and how it’s being managed. 

Examples of GDPR Fines for Small to Medium-sized Businesses:

  1. Tax Return Limited: Fined €200,000 for sending millions of unsolicited text messages without consent. 
  2. DM Design Bedrooms Ltd.: Fined €160,000 for making millions of unsolicited calls to subscribers. 
  3. Lifestyle Marketing, Mother & Baby Ltd.: Fined €140,000 for reselling personal information without consent. 
  4. Secure Home Systems: Fined €80,000 for making unsolicited calls to numbers they had purchased from a third party but did not have consent to contact directly.
  5. Eldon Insurance Services Limited: Fined €60,000 for sending unsolicited emails without consent. 

Most Common Reasons Why Small to Medium-sized Businesses Receive GDPR Fines:

  • Failing to follow guidelines for the proper processing of data (for example, sending emails to users without their subscription or explicit permission) 
  • Failing to get consent for the data being gathered 
  • Failing to integrate measures that safeguard their business from data breaches 
  • Failing to conduct proper data minimization activities (for example, collecting personal data they will not make use of and storing it for longer than necessary) 
  • Failing to lawfully transfer data to third parties 

How to Avoid GDPR Fines:

  1. Always obtain consent for the data gathering
  2. Conduct data mapping
  3. Ensure your GDPR-compliant privacy policy is up to date
  4. Conduct data minimization to eliminate the gathering of data you don’t need
  5. Enhance cybersecurity efforts with modern tools & technologies 
  6. Report breaches as soon as they happen 

1. Always obtain consent for the data gathering

If you make sure to obtain consent for all the data you gather and provide transparency from the get-go, you won’t run into nearly as many issues with GDPR compliance down the line. Plus, obtaining consent and putting everything in the clear builds trust and credibility for your business.

2. Conduct data mapping  

Data mapping is a method of documenting your customers’ personal information in one place, providing you with a full-scale view of what your data is, where it’s being used and how it relates to other areas of your business. 

Even without the threat of a GDPR fine, data mapping should be considered a best practice, as it provides more visibility and ensures the use of accurate data.  

3. Ensure your GDPR-compliant privacy policy is up to date 

Privacy policies provide detailed information about the types of personal data being gathered and how they’re being used. Keeping your privacy policy up to date is essential for establishing GDPR compliance and adhering to the regulation’s transparency requirements.

What should a GDPR-compliant privacy policy include? 

  • Contact information for whoever is controlling (i.e., collecting or processing) the data (ex: sales teams)
  • The legal basis on which you are permitted to gather data
  • Why you are collecting personal data (ex: marketing purposes)
  • The types of data you are collecting (ex: IP addresses) 
  • The amount of time for which the data will be stored  
  • Where the data is transferred (ex: overseas) 
  • Whether or not you use the data for automated processing (ex: automatically generating price quotes for your products or services)
  • Any third parties that have access to this data and an explanation as to why they have access 
  • The rights of the users whose data you are gathering (ex: the right of access) 
  • How you plan to inform users of changes to your policy (ex: email) 

4. Conduct data minimization to eliminate the gathering of data you don’t need 

Data minimization is the process of limiting the amount of data you gather to only what is explicitly needed. For example, you may not need to ask someone for their home address or social security number if they’re simply trying to sign up for your blog or newsletter. 

5. Enhance cybersecurity efforts with modern tools & technologies 

There are many tools and technologies that you can utilize to safeguard your business, employees and customers from threats.  

Consider installing antivirus software and network protection tools to reduce the likelihood of a breach – and always make sure your people are properly trained on the dangers of phishing and other cybersecurity attacks.

6. Report breaches as soon as they happen 

If a breach does happen, it is vital to communicate the breach to the appropriate authorities, impacted customers, and partners.

It’s also best to provide some information as to why this breach occurred, what you’re doing to mitigate it and the measures you plan to implement to avoid this happening in the future. This way, you’re best prepared to rebuild trust and credibility for your business, comply with data privacy regulations and repair any damage that’s been done to your reputation. 

Need GDPR Compliance Support?

The EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are transforming the way organizations process and manage data, giving more control to citizens and customers. Failure to comply with these regulations can have a devastating impact on your business and customer relationships — but Bridgepoint Consulting can help you determine the gaps, identify the best mix of services for your business and address all phases of compliance.

Contact us today or learn more about our GDPR support services at the link below.