What GDPR actually costs a small business in 2026.
The SERP for “GDPR cost for small business” routes smaller organisations to vendor sales funnels and consultancy retainers priced for mid-market. The real SME path is much narrower. Three tiers and an honest read of where the floor stops being credible.
The 10-staff UK micro floor
A 10-person UK business that registers with the ICO at Tier 1 (£40 standard, £35 by direct debit), uses a free or entry-tier cookie consent tool, drafts policies in-house, runs awareness training at £15-£25 per head, and pays for occasional advisory calls can spend roughly £400 - £3,000 in year 1.
- ICO fee Tier 1: £40 (or £35 DD).
- CMP: £0 - £40 / month (Iubenda free tier, Klaro OSS, CookieYes entry).
- Policies and ROPA: £0 (in-house) - £500 (template pack).
- Training: £8 - £30 per head, e-learning.
- Advisory: £0 - £2,000 year 1 (occasional fractional or paid policy review).
The 30-50 staff tier
Realistic year 1 range £3,000 - £18,000. At this tier the organisation has typically grown beyond a single processing context. A documented ROPA, a fractional DPO retainer (£500 - £1,200 / mo), a real CMP (£10 - £30 / month entry tier), formal awareness training, and a paid policy bundle review become reasonable.
The 50-200 staff tier
Realistic year 1 range £15,000 - £75,000. This tier crosses into structured documentation, fractional DPO at the higher band or DPaaS premium tier, formal training programme with audit trail, and a mid-tier CMP. Multi-jurisdiction processing typically appears for the first time and pulls cost into the upper end of the range.
Where the SERP misleads small businesses
- Vendor pages quoting enterprise figures. OneTrust, Securiti, BigID and similar enterprise platforms publish ranges that begin at £10k+ ACV. SMEs do not need this stack and should not be benchmarked against it.
- Consultancy quotes priced for mid-market. A £25,000 consultancy retainer pitched to a 25-person SaaS is rarely necessary at year 1. A short paid scope (gap assessment + policy review) at £4,000 - £8,000 is usually the better procurement.
- “Fully managed compliance” subscriptions. DPaaS at the premium tier is rarely required for a 25-person UK B2B SaaS. The same outcome at lower cost: ICO fee, fractional advisory call package, structured documentation, and a CMP.
- The “we are too small for GDPR to apply” mistake. UK GDPR applies to a sole trader processing personal data of named customers. The micro tier (£40 ICO fee, free CMP, basic training) is the realistic obligation, not exemption.
Do we need a DPO?
A 25-person UK B2B SaaS without sensitive-category processing and without large-scale systematic monitoring is unlikely to trigger the Article 37 mandatory criteria. A designated person plus a fractional retainer at £700-£1,200 / month is a defensible position. Voluntary DPO appointment is reasonable at the upper end of the SME range if the company is selling into UK enterprise that asks the question in procurement DDQs. The full DPO crossover analysis sits at /dpo-cost.
What SMEs underestimate
Non-payment of the ICO fee is the commonest oversight: the duty to pay applies regardless of headcount, and civil penalties apply for non-payment. Breach exposure is the second: the regulator does not scale the obligation to company size, only the penalty, and the cost of responding to a breach is independent of company size. CMP renewal escalation is the third: the “forever free” tier rarely stays free as the site grows. Multi-jurisdiction discovery (an EU customer, an EU server, a US sub-processor) is the fourth.
Sanity check scenarios
- ICO Tier 1 (£40), free CMP (low traffic, B2B only), in-house policies, awareness training £200, no DPO needed, occasional advisory call.
- ICO Tier 2 (£60), CMP at SaaS scale (£300 - £700 / mo), fractional DPO (£800 - £1,500 / mo), policy bundle review £1,500 - £3,500, training £300 - £800, gap assessment £3,000 - £6,000.
- ICO Tier 2 (£60), Cookiebot or similar (£500 / mo), DPaaS premium or fractional + advisory days, structured ROPA tool, training across 80 staff, payment data scoping with PCI-DSS overlap.