GDPR turned eight years old in 2025. It's no longer a new regulation — it's an established enforcement regime, and the numbers reflect that.
Total GDPR fines exceeded EUR 2.3 billion in 2025, a 38% increase over the previous year. But the headline number isn't the most important part. What matters for European SMBs is the pattern: enforcement is shifting, and smaller companies are no longer below the radar.
The Numbers at a Glance
| Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Total fines issued | ~EUR 1.7B | ~EUR 2.3B | +38% |
| Number of enforcement actions | ~1,400 | ~1,900 | +36% |
| Average fine amount | ~EUR 3.2M | ~EUR 4.4M | +38% |
| Fines against SMBs (under 250 emp.) | ~18% of actions | ~24% of actions | +33% |
| Cross-border enforcement actions | ~120 | ~180 | +50% |
The trend is clear: more fines, larger fines, and a growing share directed at small and medium-sized businesses.
Five Trends That Matter for SMBs
1. Regulators Are Moving Down-Market
The early years of GDPR enforcement focused on the obvious targets: Meta, Google, Amazon, and other tech giants made the headlines with nine-figure fines.
That phase isn't over — large platform fines continue — but data protection authorities (DPAs) across Europe have built out their enforcement capacity. They now have the staff, the processes, and the mandate to investigate smaller companies.
In 2025, roughly one in four GDPR enforcement actions targeted a company with fewer than 250 employees. In 2021, that figure was closer to one in ten.
The reasons are practical: DPAs receive complaints from individuals, and those complaints don't distinguish between large and small companies. A data subject who can't exercise their access rights doesn't care whether the company has 30 employees or 30,000.
2. Data Subject Requests Are the Trigger
The most common trigger for GDPR enforcement against SMBs isn't a data breach. It's failure to properly handle data subject access requests (DSARs).
When a customer, employee, or user submits a request to access, correct, or delete their personal data, you have 30 days to respond. Failing to respond — or responding inadequately — is the single most common violation leading to enforcement action against smaller companies.
This is significant because it's entirely preventable. You don't need expensive software to handle DSARs. You need a process, a responsible person, and the awareness that these requests have legal deadlines.
3. Third-Party Tools Are Creating Liability
Many SMBs assume that if they use a well-known SaaS tool, GDPR compliance is handled for them. It isn't.
Under GDPR, you are the data controller for your customers' data. Your SaaS providers are data processors. You need:
- Data Processing Agreements (DPAs) with every processor
- Transfer Impact Assessments for any processor outside the EU/EEA
- Assurance that adequate safeguards (Standard Contractual Clauses, adequacy decisions) are in place
Several enforcement actions in 2025 targeted businesses that were transferring personal data to US-based processors without adequate safeguards. The EU-US Data Privacy Framework helps, but only for processors that have self-certified — and you need to verify this, not assume it.
The analytics tools you use, the CRM, the email platform, the cloud storage — each one is a data processing relationship that needs to be documented and governed.
4. Breach Notification Failures Are Costly
GDPR requires that data breaches are reported to the relevant DPA within 72 hours. If the breach poses a high risk to individuals, those individuals must also be notified.
In 2025, a growing number of fines were issued not for the breach itself, but for failure to detect it in time, failure to notify within 72 hours, or failure to notify the affected individuals.
For SMBs, the lesson is that you need a breach response plan before you have a breach. The 72-hour window starts when you become "aware" of the breach — and regulators have made clear that if reasonable security monitoring would have detected it earlier, the clock starts from when it should have been detected.
5. The "We Didn't Know" Defence Doesn't Work
Several 2025 enforcement actions included a consistent finding: the company claimed it was unaware of its GDPR obligations or believed they didn't apply.
Ignorance has never been a valid defence under GDPR, but regulators are now explicitly calling it out as an aggravating factor rather than a mitigating one. The reasoning: GDPR has been in force since 2018. Seven years later, claiming unawareness suggests wilful neglect, not honest confusion.
Which DPAs Are Most Active?
Enforcement activity varies significantly by country. The most active regulators in 2025:
| Country | Notable Trend |
|---|---|
| Spain (AEPD) | Highest volume of decisions, many targeting SMBs. Fast turnaround, lower average fines but high volume. |
| Italy (Garante) | Active across all sectors. Increasingly focused on consent and marketing violations. |
| France (CNIL) | Mix of large and small targets. Cookie consent and analytics remain a primary focus. |
| Ireland (DPC) | Still the lead authority for Big Tech. Cross-border mechanism reforms are accelerating decision timelines. |
| Germany (LfDI/BfDI) | Decentralised across 16 state-level authorities. Employee data and workplace surveillance are key focus areas. |
| Netherlands (AP) | Growing enforcement capacity. Targeting public sector and healthcare. |
If your business operates across multiple EU countries, you're subject to the DPA in your main establishment — but complaints can be filed in any country where you have data subjects.
What This Means for 2026
Based on the 2025 trajectory, here's what European SMBs should expect:
More SMB enforcement. DPAs have invested in capacity. The complaint-driven model means any customer, employee, or user can trigger an investigation. Expect the share of SMB enforcement actions to continue climbing.
AI-related GDPR enforcement. The intersection of GDPR and the AI Act will create new enforcement vectors. Using AI to process personal data triggers GDPR obligations (lawful basis, transparency, data minimisation) in addition to AI Act obligations. Regulators are already signalling interest in AI-related data processing.
Cross-border coordination improvements. The proposed GDPR procedural regulation aims to speed up cross-border enforcement. This means faster decisions, not slower ones.
Cookie consent remains in focus. Despite being the least glamorous area of GDPR, cookie consent violations remain one of the easiest things for regulators to investigate. Non-compliant cookie banners are low-hanging fruit for DPAs looking to increase enforcement numbers.
What Does This Actually Cost a Small Business?
The headline fines — EUR 20 million, 4% of global turnover — are designed for large corporations. But the maths for a smaller business is more concerning than most owners realise.
Take a typical European SMB doing EUR 300,000 in annual revenue:
| Violation Type | Maximum Fine Formula | Amount for a EUR 300K Business |
|---|---|---|
| Major GDPR violation (Art. 83(5)) | EUR 20M or 4% of turnover | EUR 12,000 (4%) |
| Minor GDPR violation (Art. 83(4)) | EUR 10M or 2% of turnover | EUR 6,000 (2%) |
Those percentages look manageable — until you consider how fines are actually issued.
The percentage is the floor, not the ceiling. DPAs regularly issue fines well above the percentage-of-turnover amount for smaller companies. The Spanish AEPD routinely issues EUR 10,000 to EUR 60,000 fines to very small businesses. A EUR 30,000 fine on a EUR 300,000 business is 10% of annual revenue.
The fine is rarely the biggest cost. For SMBs, the enforcement process itself is where the real damage happens:
| Cost Component | Typical Range |
|---|---|
| Legal fees to respond to investigation | EUR 5,000 – EUR 20,000 |
| Staff time diverted from business operations | EUR 3,000 – EUR 10,000 |
| Mandatory remediation (system changes, new processes) | EUR 5,000 – EUR 15,000 |
| The fine itself | EUR 5,000 – EUR 50,000 |
| Total realistic cost | EUR 15,000 – EUR 50,000 |
That's 5% to 17% of annual revenue — from a single enforcement action triggered by a single complaint.
It starts with something simple
A customer emails "I want a copy of all the data you hold on me" and doesn't get a response within 30 days. That's all it takes to trigger an investigation.
What You Should Do
If you haven't started GDPR compliance:
- Data mapping. Understand what personal data you collect, where it's stored, who processes it, and why. This is Article 30 — the record of processing activities. It's mandatory for most businesses.
- Privacy policy. Publish a clear, accurate privacy policy that covers everything GDPR Articles 13 and 14 require: what data you collect, why, the legal basis, retention periods, data subject rights, and your DPA contact details.
- Data subject request process. Establish a documented process for handling access, rectification, erasure, and portability requests. Assign someone responsible. Test it.
- Processor agreements. Review every third-party tool that processes personal data on your behalf. Ensure you have a signed DPA with each one. Check data transfer mechanisms for non-EU processors.
If you think you're compliant:
- Audit your cookie consent. Is your cookie banner actually compliant? Pre-checked boxes, walls that force acceptance, and analytics loading before consent are all violations.
- Review your breach response plan. Do you have one? Does everyone who needs to know about it know about it? Can you realistically detect and report a breach within 72 hours?
- Check your data retention. Are you actually deleting data when you said you would? Retention policies that exist on paper but aren't enforced are a common enforcement finding.
- Update for new processing activities. If you've added AI tools, new analytics, new marketing platforms, or new data sources since your last compliance review, your documentation needs updating.
How ComplyOne Helps
ComplyOne's free compliance health check evaluates your business against GDPR and five other EU regulations in about five minutes. The report identifies:
- Whether GDPR applies to your specific business activities
- Your compliance gaps, with references to specific GDPR articles
- Prioritised action items based on risk and enforcement likelihood
- Upcoming deadlines and regulatory changes you need to track
Check your GDPR compliance
Take the free compliance health check and find out where your gaps are — before a regulator does.
Further Reading
- EDPB enforcement tracker
- GDPR Enforcement Tracker — searchable database of GDPR fines
- CNIL guidelines on AI and GDPR — practical guidance on AI-related data processing
ComplyOne is an AI-powered compliance intelligence platform for European SMBs. We help businesses understand and manage their EU regulatory obligations — GDPR, the AI Act, Data Act, NIS2, Swiss FADP, and UK GDPR — from one dashboard.
This article is for informational purposes only and does not constitute legal advice. For legal advice, consult a qualified attorney licensed in your jurisdiction.