
Compliance for SMBs: GDPR, CCPA, and SOC 2 Explained

GDPR, CCPA, and SOC 2 in plain English — which ones apply to your business, what they actually require in 2026, and where to start without overpaying.


For most growing businesses, compliance feels like a tax — abstract, expensive, and someone else’s problem, right up until a six-figure deal stalls because you can’t answer a customer’s security questionnaire. By then it’s a fire drill, and you’re negotiating from the back foot.

The good news: three frameworks cover the large majority of what US and EU customers will ever ask of an SMB — GDPR, CCPA, and SOC 2. You don’t need a compliance department to get a grip on them. You need to know which ones apply to you and what each actually demands.

GDPR: if you touch EU or UK personal data

The General Data Protection Regulation applies if you process the personal data of people in the EU, regardless of where your company is based; the UK kept a near-identical UK GDPR after Brexit, so the same rules apply to UK data. A company in Texas that sells to a handful of customers in Germany is in scope.

This is not a paper tiger. Cumulative GDPR fines passed €7.1 billion by early 2026, with roughly €1.2 billion issued in 2025 alone, and nine of the ten largest penalties have landed on technology companies — Meta (€1.2B), Amazon (€746M), and TikTok (€530M) among them (Kiteworks, 2026). Enforcement has also widened well beyond Big Tech into finance, healthcare, and the public sector (CMS Enforcement Tracker).

Stripped of the legalese, GDPR requires:

  • A lawful basis for each piece of data you collect. The regulation lists six; for most SMBs the relevant ones are consent, performance of a contract, or a legitimate interest you can articulate and have weighed against the person's interests.
  • The ability to honor requests (access, correction, erasure, often called “the right to be forgotten”, and portability) within one month, extendable by up to two further months for complex or numerous requests.
  • A record of what you collect, why, and where it lives. This is the part most teams skip and most come to regret.
  • Breach notification to your supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to put people at risk; where the risk to individuals is high, the affected people must be told as well.

The maximum penalty is the higher of €20 million or 4% of worldwide annual turnover for the preceding financial year, but enforcement against small companies turns mostly on good-faith effort. A documented process you actually follow beats a perfect one you can’t prove exists.

CCPA: the California baseline for US data

The California Consumer Privacy Act, strengthened by the CPRA, is the closest thing the US has to GDPR. As of 1 January 2025 it applies to for-profit businesses handling Californians’ data that meet any one of these thresholds (California Privacy Protection Agency, CA Attorney General):

  • $26.625 million or more in gross annual revenue (CPI-adjusted from the original $25M) — and note this counts your total global revenue, not just California sales;
  • buying, selling, or sharing the personal information of 100,000+ California residents or households; or
  • deriving 50%+ of revenue from selling or sharing personal information.

It’s lighter than GDPR but rhymes with it: consumers can see what you’ve collected, request deletion, and opt out of having their data “sold” or “shared”. Read the definitions carefully: under the CPRA, “sharing” means disclosure for cross-context behavioral advertising, so a common ad-tech pixel or retargeting integration can count even though no money changes hands. Penalties run up to $2,663 per unintentional violation and $7,988 per intentional violation or one involving minors (CPPA). Even if you’re under the thresholds today, building to CCPA is cheap insurance: roughly twenty other states have passed similar laws that mostly converge on the same shape.

SOC 2: the one your customers will actually ask for

GDPR and CCPA are laws. SOC 2 is different: a voluntary audit, issued as an attestation report by a CPA firm, that has become the de facto passport for selling software to mid-market and enterprise buyers. Industry surveys put SOC 2 (or an equivalent like ISO 27001) in 60–80% of enterprise B2B SaaS RFPs, and ISC2’s 2025 Supply Chain Risk Survey found 77% of organizations name a security-standard certification as their top vendor requirement (Secureframe). If you sell B2B software, this is the one that unblocks revenue.

Reports come in two types: Type I confirms your controls are suitably designed at a single point in time (faster, cheaper), while Type II confirms they actually operated over an observation period, typically 3–12 months. Type II is what serious buyers want to see.

Budget honestly. The audit fee alone is modest, but the all-in first-year cost (readiness work, tooling, remediation, and internal time) typically runs from $25,000 for a small startup to $150,000+ for a larger company (Secureframe). Set against the single enterprise deal it usually blocks, the math is straightforward. The audit is scoped against five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), but security is the only mandatory one. In practice, getting ready means documented access controls, MFA everywhere, logging and monitoring, a vendor-risk process, and an incident-response plan: hygiene you should have regardless.

Which ones actually apply to you

A quick filter:

  • Serve anyone in the EU or UK? GDPR.
  • Handle data on US consumers at any real scale? Build to CCPA, and you’ll likely be covered for the other state laws too.
  • Sell software B2B to US or EU companies? SOC 2 Type II — ideally before your buyers ask.

Most B2B software companies serving both markets end up needing all three. A purely domestic services firm might need none of them in a formal sense — but the underlying hygiene still protects you the day something goes wrong.

Where to start without overpaying

The classic mistake is buying a $30k-a-year compliance platform before you understand your own data. The cheaper, better order:

  1. Map your data. What you collect, where it flows, who can touch it. An afternoon with a whiteboard beats any tool.
  2. Fix the obvious gaps. MFA, least-privilege access, encrypted backups, a written incident plan.
  3. Write down what you do. Auditors and enterprise buyers grade documented processes, not good intentions.
  4. Then, and only then, automate. Platforms like Vanta or Drata earn their cost once you have processes worth monitoring — not as a substitute for having them.

Compliance done right isn’t a cost center; it’s a sales enabler. The companies that treat it that way close enterprise deals their competitors simply can’t.

If you’re staring at a security questionnaire and not sure where you stand, we’re happy to walk through it with you — an hour, no charge, and we’ll tell you the shortest path to “yes” for the deal in front of you.


Sources: Kiteworks — GDPR fines & enforcement, 2026; CMS GDPR Enforcement Tracker; California Privacy Protection Agency — threshold & penalty adjustments; California Attorney General — CCPA; Secureframe — SOC 2 audit cost & buyer requirements. Figures current as of mid-2026; verify thresholds against primary sources before acting.