6 reasons SMEs get fined under the GDPR

This article explores the 6 main reasons SMEs are being fined under the GDPR and how you can prevent your organisation from similar penalties. It will explain the grounds for each fine, followed by a case study to illustrate. It will then suggest ways you can avoid making the same mistakes and the key takeaways 🥡.

Whilst fines exist, it is important to also note that the proportionality principle applies which states that so long as SMEs have tried to comply with the GDPR, then regulators will take this into account when assessing the penalties it dishes out. If SMEs show ignorance towards the GDPR then fines are likely to be harsher.

Remember however that non-compliance is more than just a fine as there are additional costs that add up. They are in the form of litigation fees, public relation costs and reputational damage that may all contribute towards the overall landscape of non-compliance.


Reason 1: Organisations not following the principles for processing data (i.e sending unsolicited emails)

SMEs are liable to being fined if they don’t follow the principles for processing data. This translates to unsolicited emails and marketing directly to customers as it shows an irresponsible attitude towards personal data and data subject rights, which goes against the principle of processing data in a lawful, fair and transparent manner (see Article 5(1)(a) GDPR).

Case study

Tax Returned Limited, with less than 15 employees, was fined £200,000 for sending millions of unsolicited marketing text messages and equally, Rancom Security Limited was fined 125,000 for sending unsolicited marketing calls.

Key takeaways

  • Sending direct marketing emails require opt in consent only.

  • Pre-ticked boxes are not enough to demonstrate your organisation’s compliance with the GDPR.

Reason 2: Insufficient legal basis for processing data

Another common reason fines are handed out is due to the lack of a legal basis for processing data which comes with no surprise as the biggest GDPR fines to date have been associated with this Article (see Article 6 GDPR). These 6 grounds for lawful processing are:


(a) Consent

(b) Contract

(c) Legal obligation

(d) Vital interests

(e) Public task

(f) Legitimate interests


They legitimise the use, transfer and storage of personal data, whereby if not met would deem the controller as processing data without a lawful basis.

Case study

Alterna Operador Integral SL (Flip Energy) was fined €50,000 when a customer filed a complaint stating that her energy provider was switched to Flip Energy without her consent. This breaches Article 6 as the data transferred was without a legal basis, such as consent or legitimate interest.

We can also learn from the biggest fine to date: France v Google Inc. In the case of Google, whilst consent was obtained, it was not legitimately obtained for two reasons: the consent was not informed and was not specific to the purposes of processing. Thus, consent can only be informed if the user is aware of the extent to which their data will be used in personalised ads and other marketing materials. Specificity must also be met if users agree to each purpose that their data would be used separately. Google had instead used a one box fits all exercise whereby a tick in one box meant that the user would agree to all forms of processing, and this was held to be unlawful as the net was cast too wide.

Key Takeaways

  • Your organisation should make your customer base and users aware of the extent to which you may capture their personal data.

  • It is also crucial that you specify the purposes for which you will process their data and the user must be asked to agree to each one separately and individually.

  • You therefore cannot make users tick one box that would give their consent in full to all purposes for which their data would be processed.

Reason 3: Data Breaches

Issues of storing too much data and not knowing exactly where they are stored can make data breaches costly. It is crucial that SMEs are aware of the mechanisms available that can help prevent data breaches or at the very minimum control them.

Given that currently, due to Covid-19, many workers are now working remotely, it is ever more crucial to prevent data breaches via incorrect email recipients being added and employees being victims to phishing emails. Therefore, an extra layer of protection is required from your organisation in the form of education and business best behaviours to reduce and avoid the risk of data breaches.