GUIDE

GDPR, for SMBs.

Not the 600-page version. The version your team can act on this week.

What GDPR actually is.

The General Data Protection Regulation is the EU law that governs how organisations collect, store, use, share and protect personal data. In force since 2018. Applies to every business that handles data about EU residents — regardless of where the business itself sits.

Why it matters

Fines can reach 4% of global annual turnover. But the bigger risk for an SMB is reputational — a breach in the press costs more than a fine.

Who it applies to.

  • EU-based businesses. Any business registered or operating in an EU member state, regardless of where its customers are.
  • Non-EU businesses targeting EU residents. If you sell into the EU or track EU users, you're in scope — even from outside.
  • Data processors. If you process data on behalf of someone else (e.g., a SaaS vendor), GDPR obligations attach to you separately.
  • Anyone handling personal data. Names, emails, IPs, behavioural data. If it identifies a person, it's in scope.

The seven principles.

  • Lawfulness, fairness, transparency. Tell people what you do with their data, in language they can read.
  • Purpose limitation. Use data for the reason you collected it. Not for what someone in marketing thought up later.
  • Data minimisation. Collect what you need. Stop there.
  • Accuracy. Keep it correct. Let people fix it when it isn't.
  • Storage limitation. Don't keep it longer than you need it. Decide a retention period and stick to it.
  • Integrity & confidentiality. Encrypt in transit and at rest. Limit who can see what. The boring security work.
  • Accountability. Be able to show you've done all of the above. Documentation is the difference between compliant and "trust me".

What SMBs actually have to do.

  • Records of processing. A list of what you collect, why, where it sits, who you share it with. Article 30.
  • Privacy notices. Plain-language notice at the point of collection. Cookie banner if you use non-essential cookies.
  • Consent management. Where you rely on consent, capture it explicitly and let people withdraw it as easily as they gave it.
  • Breach notification. 72 hours to notify the data protection authority (DPA) from the moment you become aware. Earlier is better.
  • DPIAs (when high-risk). If you're doing something risky with personal data — large-scale profiling, sensitive categories — write a Data Protection Impact Assessment first.
  • Subject rights handling. Procedure to respond to access, deletion, portability requests within 30 days. Most never come; you still need the procedure.

Common mistakes.

  • Policies written once, never updated. A privacy notice from 2019 isn't legally compliant in 2026. Review yearly.
  • Assuming consent is the legal basis. Most SMB processing isn't consent — it's contract or legitimate interest. Get this wrong and your whole basis falls.
  • No incident plan. When the breach happens at 11pm Friday, the plan needs to already exist. Drafting it Monday morning is too late.
  • Ignoring sub-processors. Every SaaS tool you use is a sub-processor. Each needs a data processing agreement (DPA). Auditors check this.
  • Forever-keep retention. Keeping every customer email indefinitely is a violation. Pick a number.
  • Untrained staff. The breach is usually a person clicking something. 30-minute annual training catches most of it.

The nine-step checklist.

  • Audit what you collect. Map every form, signup, integration, supplier. What data, where, why.
  • Define the legal basis. For each processing activity: contract, legitimate interest, consent, legal obligation, vital interests, or public task. One per activity.
  • Update privacy notices. Plain-language. Listed processors. Retention periods. Rights.
  • Set up consent capture. Where it's the basis. Explicit opt-in, not pre-ticked. Logged.
  • Implement security measures. Encryption, access control, MFA, backups. Document each.
  • Write the incident plan. Who decides it's a breach. Who notifies whom. How fast. Tabletop it once a year.
  • Sign data processing agreements (DPAs) with processors. Every SaaS tool. Most have a self-serve DPA in their dashboard.
  • Train your staff. 30 minutes. What to share, what not to. What to do if something goes wrong.
  • Schedule reviews. Annual. Or when something material changes — new product, new market, new processor.

How AIR-Tools helps with each.

  • Auto-discovery of processing. Clair scans your stack and lists what data sits where. Step 1 done.
  • Risk mapping. Each processing activity gets a basis suggestion and a risk score. You confirm; we record.
  • Action plans, not lists. Step-by-step weekly actions with time estimates and impact scores.
  • Policy drafting. Privacy notice, retention, incident response — drafted, you and your lawyer sign off.
  • Ongoing monitoring. Drift, new processors, lapsed certs — flagged before an auditor sees them.
  • Framework tracking. GDPR coverage in percent. With the actions to close the gap.

The short version.

GDPR is mostly common sense, written legally. The work is staying on top of it. That's what Clair does.

FAQ

What's the actual risk for an SMB that ignores GDPR?
Realistically, a complaint to the DPA — usually triggered by an angry customer or an ex-employee. The DPA opens an investigation, asks for your records, and decides whether to issue a fine. Most SMB fines are €10k–€50k; the bigger fines go to public companies. Reputational damage is often worse than the fine.
Do I need to register with the Dutch DPA?
No. The notification register was abolished in 2018. You only contact the DPA in case of a breach (72-hour rule) or in response to a complaint.
Can I use US tools?
Yes, but they need an adequate transfer mechanism — Standard Contractual Clauses or the EU-US Data Privacy Framework certification. Clair tracks which of your processors meet which mechanism.
How often do data subject requests actually happen?
Rarely for B2B SMBs. A handful per year if any. The procedure is the work; the volume isn't.
What's the fastest way to get started?
Sign up, run the scan, address the top three actions. You'll be roughly 60% covered by the end of week one. The remaining 40% is paperwork that takes another two weeks.

Skip the consultant. Start the scan.

See where you stand on GDPR — a short demo with a founder, on your actual stack.