If you’re not compliant, you are subject to fines of up to 20 million euros or four percent of your organization’s annual revenue, whichever amount is larger. The GDPR is long and complex, and you should educate yourself as much as possible before you suffer a huge loss.

Let’s take John’s example. John’s startup specialized in dog walking and yard cleanup services for busy working people. His site was up and running quickly, and five years later he had over 70 employees in four cities. By then John had gone through two cloud platforms and three customer management and accounting systems, and his company made nearly as much revenue from selling customer data for advertising as from its monthly fees. Then John suffered a data breach, which by law he had to report.

When his customers found out, 10 of them filed data subject access requests. They demanded complete details of all personal data John had collected on them and of everyone he had shared it with over the past five years. Five customers cancelled their service and invoked their right to be forgotten under GDPR.

John had thirty days to comply, but he had no idea how to answer the access requests or how to prove he was able to honor the right-to-be-forgotten requests. Three months and a huge legal bill later he was finally able to comply.

For the breach and slow compliance John’s company was fined a hundred and fifty thousand euros, far less than the maximum of 20 million he could have faced. But because of the fine and bad publicity, John had to lay off half of his team and put off plans to grow further.

Now all of this may sound extreme, but GDPR deliberately has no exceptions for small businesses. While John would never be fined one hundred eighty-three million pounds, as a large airline recently was for its data breach, even a relatively small fine can put many companies out of business for good.