WeCheck360 – go to homepage

GDPR for SMEs: the basics, obligations and fines

Last updated: July 2026 · Reading time approx. 6 minutes · Not legal advice

The General Data Protection Regulation has applied since 2018 and affects practically every company with a website. This guide sums up the basics that really matter for small and medium-sized enterprises: what the GDPR is, who is affected, where the most common mistakes lie and how high fines can be.

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation in force since May 2018 that governs the handling of personal data. It applies to all companies processing data of EU citizens — regardless of where the company is based.

Who is affected?

All companies, sole traders and organisations that process personal data. This includes names, email addresses, IP addresses, location data and more. There is no exemption for small businesses.

What are the most common violations?

Missing cookie consent banner, no privacy policy, missing records of processing activities (RoPA), no data processing agreement (DPA) with service providers, missing Data Protection Officer (DPO).

How high are the fines?

Up to €20 million or 4% of global annual turnover — whichever is higher. In practice, fines for SMEs often start at €5,000–€15,000.

Knowing the obligations is one thing. Whether your website actually meets them is not always visible from the outside. Which cookies are set, which trackers load and which services are embedded often stays hidden.

See where your website stands.

The free WeCheck360 teaser scan checks your website in a few minutes for GDPR and the EU AI Act together: detected AI services, tracking, cookie consent, transparency obligations. You see your score and the number of findings immediately. Just URL and email, no subscription.

Check your website for free now

Last updated: July 2026. This article has been editorially reviewed and does not constitute legal advice. For your individual case, consult a specialised law firm or your data protection officer.