| It's not that simple because there isn't a single type of small company. Let's take 2 examples: 1) A small startup that has 20 employees have been around for say 2 years and likely have been serving a fairly small number of customers for a fairly limited amount of time say 6-12 months. They are both technically capable and small enough to maybe adapt without breaking too many laws. 2) A small retailer/speciality trader with 8 employees that has been in business for 30 years, has digitized records from the 90's has been taking orders via the phone for that duration and had a computerized ordering system singe the mid 90's.
They operate their own website on some ecommerce platform and do all the books, accounting and billing in house via some SMB accounting software e.g. Sage Books/Accounts/50 etc.... Over those 30 years they might have collected information from 10,000's or even 100,000's of individuals. Number 2 is the real problem because these types of companies outnumber the tech bootstrapped startups what a 100 to 1? 10000 to 1? and there are plenty of small businesses that never really grow beyond their immediate market but still are successful enough to remain in business for decades. On May 25th I can send a Subject Access Request letter to my fucking dry cleaner and they will be legally obliged to handle it within no later than one month, if that isn’t a kicker the I don’t know what is. |