[Lazare]

Yes, your understanding is completely correct. Only EU member states can levy fines under the GDPR, and it's likely few will have any interest in trying to fine small businesses. Lawsuits are possible, but only for damages, and good luck showing any damages from a minor technical violation by a small SaaS tool. And without any prospect of large damages from a deep-pocketed defendant, good luck finding a law firm willing to work on contingency.

The whole thing is FUD, although mad props to the people behind the linked service for making a play at profiting from it.

[Matticus_Rex]

I don't have a lot of actual information on this, but the buzz in my privacy professional listservs is that EU courts have been VERY expansive about what constitutes "damage" in related legal spheres, and that those of us coming from a US legal background should not rely on our instincts about what kinds of damage could actually create a cause of action worth suing over.

[DanBC]

No. EU courts tend to define damage conservatively, and people suing for damage normally have to demonstrate actual financial losses.

But it's irrelevant here, because the law isn't based on damages.