by Fradow 2950 days ago
GDPR imposes a few things to do as soon as you have a single piece of PII, as well as doing them a certain way (opt-outs are a no-go, you must be able to prove consent, you probably need a DPO and a DPA), and things that were just not done in practice until now (the right to be forgotten, for example, is not exercised, and thus there is no tool to exercise it).

Just because you absolutely respect the spirit of the law (don't do shitty things with PII) doesn't mean you are GDPR compliant, unfortunately.

I very much agree with GP that small businesses should have more relaxed obligations, and more proportional fines (the minimum fine exceeds the total revenue of a non-negligible percentage of small businesses).


Consent is usually not needed, since there are plenty of other lawful reasons for processing data. Small businesses will not usually need a DPO, and neither will many large ones. Small businesses will have proportionate fines, and probably no fines at all for accidental breaches of the law.

And no, there is no minimum fine set by GDPR, only maximum fines. Most companies will just get a warning to sort themselves out, if the past behaviour of the regulatory authorities is anything to go by — their emphasis is on getting compliance, so only egregious failures will attract fines, with others directed to carry out specified improvements to their processes.