Enforcement accelerating in 2026

GDPR fines reached EUR 2.3B in 2025.
Is your business compliant?

Enforcement is accelerating. Average fines are rising. SMBs are no longer exempt from scrutiny. Find your gaps in 5 minutes.

Check GDPR compliance — free

GDPR enforcement by the numbers

GDPR fines in 2025

+38% year-on-year

Average GDPR fine

Enforcement increasingly targeting SMBs

Increase in subject access requests YoY

Your customers know their rights

Who needs to comply

The GDPR applies to your business if:

  • You process personal data of EU residents
  • You have customers, employees, or users in the EU
  • You collect email addresses, names, or other personal data
  • You use analytics, CRM, or marketing tools that process EU data

This applies regardless of where your business is based.

Penalties

EUR 20M or 4% of global annual revenue

For serious violations: unlawful processing, lack of consent, breach of data subject rights.

EUR 10M or 2% of global annual revenue

For administrative violations: record-keeping failures, breach notification delays, DPO requirements.

Regulators are increasingly targeting SMBs — not just tech giants. The cost of non-compliance far exceeds the cost of getting compliant.

Get your GDPR compliance score

Create a free account and check your GDPR compliance in 5 minutes.

Start free check

GDPR FAQ

We're a small business — does the GDPR really apply to us?

Yes. The GDPR applies to any organisation processing personal data of EU residents, regardless of company size. Small businesses are not exempt. However, some documentation requirements are relaxed for businesses with fewer than 250 employees.

What counts as "personal data"?

Any information that can directly or indirectly identify a person: names, email addresses, IP addresses, location data, device IDs, cookie identifiers, employee records, customer data. If you collect any of this from EU residents, the GDPR applies.

What are the fines for non-compliance?

Up to EUR 20 million or 4% of annual global turnover, whichever is greater. Even smaller administrative fines (up to EUR 10M or 2%) are significant for SMBs. Regulators are increasingly focusing on smaller businesses, not just tech giants.

We use Google Analytics — is that a GDPR issue?

Potentially. Several EU data protection authorities have ruled that standard Google Analytics configurations violate the GDPR due to data transfers to the US. You need to assess your analytics setup and ensure adequate safeguards are in place. ComplyOne checks this as part of your compliance assessment.

Free compliance check — find out which EU regulations apply to your business