Compliance for SMBs: GDPR, CCPA, and SOC 2 Explained
GDPR, CCPA, and SOC 2 in plain English — which ones apply to your business, what they actually require in 2026, and where to start without overpaying.
For most growing businesses, compliance feels like a tax — abstract, expensive, and someone else’s problem, right up until a six-figure deal stalls because you can’t answer a customer’s security questionnaire. By then it’s a fire drill, and you’re negotiating from the back foot.
The good news: three frameworks cover the large majority of what US and EU customers will ever ask of an SMB — GDPR, CCPA, and SOC 2. You don’t need a compliance department to get a grip on them. You need to know which ones apply to you and what each actually demands.
GDPR: if you touch EU or UK personal data
The General Data Protection Regulation applies if you process the personal data of people in the EU or UK — regardless of where your company is based. A company in Texas with a handful of customers in Germany is in scope.
This is not a paper tiger. Cumulative GDPR fines passed €7.1 billion by early 2026, with roughly €1.2 billion issued in 2025 alone, and nine of the ten largest penalties have landed on technology companies — Meta (€1.2B), Amazon (€746M), and TikTok (€530M) among them (Kiteworks, 2026). Enforcement has also widened well beyond Big Tech into finance, healthcare, and the public sector (CMS Enforcement Tracker).
Stripped of the legalese, GDPR requires:
- A lawful basis for each piece of data you collect — consent, a contract, or a legitimate interest you can articulate.
- The ability to honor requests — access, correction, deletion (“the right to be forgotten”), and portability — within one month.
- A record of what you collect, why, and where it lives. This is the part most teams skip and most come to regret.
- Breach notification to regulators within 72 hours.
The maximum penalty is the higher of €20 million or 4% of global annual revenue, but enforcement against small companies is mostly about good-faith effort. A documented process you actually follow beats a perfect one you can’t prove exists.
CCPA: the California baseline for US data
The California Consumer Privacy Act, strengthened by the CPRA, is the closest thing the US has to GDPR. As of 1 January 2025 it applies to for-profit businesses handling Californians’ data that meet any one of these thresholds (California Privacy Protection Agency, CA Attorney General):
- $26.625 million or more in gross annual revenue (CPI-adjusted from the original $25M) — and note this counts your total global revenue, not just California sales;
- buying, selling, or sharing the personal information of 100,000+ California residents or households; or
- deriving 50%+ of revenue from selling or sharing personal information.
It’s lighter than GDPR but rhymes with it: consumers can see what you’ve collected, request deletion, and opt out of having their data “sold” or “shared” (which, read carefully, includes some common ad-tech). Penalties run up to $2,663 per unintentional violation and $7,988 per intentional violation or one involving minors (CPPA). Even if you’re under the thresholds today, building to CCPA is cheap insurance — roughly twenty other states have passed similar laws that mostly converge on the same shape.
SOC 2: the one your customers will actually ask for
GDPR and CCPA are laws. SOC 2 is different — a voluntary audit that has become the de facto password for selling software to mid-market and enterprise buyers. Industry surveys put SOC 2 (or an equivalent like ISO 27001) in 60–80% of enterprise B2B SaaS RFPs, and ISC2’s 2025 Supply Chain Risk Survey found 77% of organizations name a security-standard certification as their top vendor requirement (Secureframe). If you sell B2B software, this is the one that unblocks revenue.
Reports come in two types: Type I confirms your controls are well-designed at a single point in time (faster, cheaper), while Type II confirms they actually operated over a period of 3–12 months — and that’s what serious buyers want to see.
Budget honestly. The audit fee alone is modest, but the all-in first-year cost — readiness work, tooling, remediation, and internal time — typically runs $25,000 for a small startup to $150,000+ for a larger company (Secureframe). Set against the single enterprise deal it usually blocks, the math is straightforward. The audit covers five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), but security is the only mandatory one; in practice, getting ready means documented access controls, MFA everywhere, logging and monitoring, a vendor-risk process, and an incident-response plan — hygiene you should have regardless.
Which ones actually apply to you
A quick filter:
- Serve anyone in the EU or UK? GDPR.
- Handle data on US consumers at any real scale? Build to CCPA, and you’ll likely be covered for the other state laws too.
- Sell software B2B to US or EU companies? SOC 2 Type II — ideally before your buyers ask.
Most B2B software companies serving both markets end up needing all three. A purely domestic services firm might need none of them in a formal sense — but the underlying hygiene still protects you the day something goes wrong.
Where to start without overpaying
The classic mistake is buying a $30k-a-year compliance platform before you understand your own data. The cheaper, better order:
- Map your data. What you collect, where it flows, who can touch it. An afternoon with a whiteboard beats any tool.
- Fix the obvious gaps. MFA, least-privilege access, encrypted backups, a written incident plan.
- Write down what you do. Auditors and enterprise buyers grade documented processes, not good intentions.
- Then, and only then, automate. Platforms like Vanta or Drata earn their cost once you have processes worth monitoring — not as a substitute for having them.
Compliance done right isn’t a cost center; it’s a sales enabler. The companies that treat it that way close enterprise deals their competitors simply can’t.
If you’re staring at a security questionnaire and not sure where you stand, we’re happy to walk through it with you — an hour, no charge, and we’ll tell you the shortest path to “yes” for the deal in front of you.
Sources: Kiteworks — GDPR fines & enforcement, 2026; CMS GDPR Enforcement Tracker; California Privacy Protection Agency — threshold & penalty adjustments; California Attorney General — CCPA; Secureframe — SOC 2 audit cost & buyer requirements. Figures current as of mid-2026; verify thresholds against primary sources before acting.