How a data breach can cause GDPR fines for SMEs

The EU General Data Protection Regulation (GDPR) came into force across Europe in May 2018. However, in the 12 months since then, law firm DLA Piper has identified the UK as having recorded the third highest rate of GDPR data breaches in all of Europe. Partly, this is because a third of British businesses are still not GDPR compliant.

GDPR Data Breaches Present Grave Challenges to SMEs

The reason startups and SMEs need to fast-track GDPR compliance (if they haven't already) is simple.

In the event of a GDPR data breach, companies of any size can be fined up to €20 million, or 4% of a company’s gross annual turnover, whichever is higher. For startups and SMEs, GDPR fines can, therefore, be catastrophic. However, GDPR fines aren’t representative of the total costs companies stand to incur responding to data breaches.

Data Breach Containment Costs


Whenever a data breach occurs, UK companies are required to inform the Information Commissioner's Office (ICO) within 72 hours. Depending on the advice the ICO gives the company in question, affected individuals will have to be contacted without undue delay. In some cases, SMEs will need to set up helplines during this time to handle customer inquiries concerning the affected data.

  • Whenever a data breach occurs, companies will be required to start a thorough internal security audit.
  • External IT contractors may need to be hired to assist with investigations and security audits.
  • Affected consumers and members of the public have the right, under GDPR, to be compensated for material damages arising as a result of data losses.


Studies by IBM and the Ponemon Institute estimate that recovery costs after data breaches can average £100 per lost record. Average costs are hard to calculate, as they depend on the breach itself. For SMEs it is therefore imperative to be GDPR compliant, as any fine could be catastrophic for the overall business.

GDPR Enforcement Measures

GDPR guidelines are explicitly designed to protect EU citizens from personal data theft and the misuse of personal information. After a data breach is reported, the Information Commissioner's Office therefore has the power to enforce stricter data protection compliance where it considers this necessary.

In some cases, SMEs which have previously omitted to do so may be forced to hire a dedicated Data Protection Officer. In other cases, the Information Commissioner's Office might demand a comprehensive review of data protection measures before SMEs can resume normal business operations.

In every case, GDPR enforcement measures can increase the cost of resuming business, even after the response to a data breach has been finalized.

GDPR Fines Can Result in Significant Reputation Damage


As well as GDPR fines and data breach recovery costs, data breaches themselves can significantly tarnish the reputations of startups and SMEs. This can reduce the future profitability of companies, especially those offering IT and financial services.

Can You Afford Not to be GDPR Compliant?

The financial ramifications of data breaches can undermine the continued existence of most SMEs. For this reason, non-compliance with the new data protection regulations is not an option.

Thankfully, here at LeadLabs, we provide a comprehensive suite of GDPR-compliant sales lead generation and cloud-based marketing tools. We can also offer free GDPR audits to UK-based SMEs. To find out how your business can benefit, call or contact us today for a free, no-obligation consultation.