Avoid costly data breaches and fines by building a practical, defensible data protection setup.
Most mid-market companies did something about GDPR in 2018. They appointed a data protection contact, updated their privacy policy, sent a consent email to their mailing list, and considered it done.
Six years later, enforcement data tells a different story. Fines are no longer reserved for large enterprises. The Norwegian data protection authority — Datatilsynet — and its European counterparts are increasingly investigating mid-market companies. And the most common finding is not that companies ignored GDPR — it is that they completed a one-time project and never built the ongoing governance that the regulation actually requires.
Here is what mid-market companies need to revisit.
Why GDPR Enforcement Is Now a Mid-Market Problem
Three things have changed since 2018:
Enforcement has matured. Data protection authorities across the EEA spent the first few years after GDPR building enforcement capacity and focusing on large, high-profile violations. That phase is over. Authorities including Datatilsynet are now investigating complaints against companies of all sizes, conducting proactive audits, and issuing fines proportionate to company size rather than limiting enforcement to enterprise cases.
Data processing has expanded. In 2018 most companies were thinking about their marketing database and customer records. Today the same companies are using AI tools that process employee and customer data, cloud platforms with complex data transfer arrangements, marketing automation systems with extensive profiling, and third-party integrations that share personal data with dozens of processors. The data map from 2018 does not reflect what is actually happening in 2024.
The bar for what constitutes compliance has risen. Early GDPR guidance focused on the basics — lawful basis, privacy notices, consent. Regulators and courts have since clarified obligations around data subject rights responses, legitimate interests assessments, data transfer mechanisms, and processor due diligence in ways that most mid-market companies have not kept up with.
What GDPR Actually Requires — Ongoing, Not Once
This is the fundamental misunderstanding in most mid-market GDPR programmes. GDPR is not a project. It is an operational obligation that requires continuous governance.
The governance layer comes down to the same three workflows:
1. Sign-offs. Lawful basis decisions for each processing activity. Legitimate interests assessments wherever legitimate interests is the lawful basis relied upon. Data Protection Impact Assessments for high-risk processing. Processor agreements reviewed and approved. These require documented approval trails — not decisions made once in 2018 and never revisited.
2. Disclosures. Privacy notices kept current as processing activities change. Data breach notifications to Datatilsynet within 72 hours of becoming aware. Records of Processing Activities maintained and accurate. These need to be version-controlled and retrievable — not a privacy policy last updated in 2019.
3. Information requests. Data subject access requests responded to within one month. Erasure requests, restriction requests, and portability requests handled within statutory timeframes. Regulatory information requests from Datatilsynet responded to accurately and completely. The ability to respond quickly determines whether a request becomes a complaint and whether a complaint becomes an investigation.
The Five Areas Where Mid-Market Companies Are Most Exposed
1. Records of Processing Activities are out of date
Article 30 requires a documented record of all processing activities. Most companies created one in 2018 and have not updated it since. New SaaS tools, new marketing platforms, AI integrations, and changed business processes mean the actual processing landscape looks nothing like the documented one. An out-of-date ROPA is an immediate finding in any Datatilsynet audit.
2. Processor agreements are incomplete or outdated
Every third-party tool that processes personal data on your behalf requires a Data Processing Agreement that meets Article 28 requirements. Most mid-market companies have signed DPAs for their main processors but have accumulated dozens of tools — marketing automation, analytics, HR systems, AI tools — without proper agreements in place. Standard Contractual Clauses (SCCs) for international data transfers must be current and reflect the post-Schrems II requirements.
3. Legitimate interests assessments are not documented
Most mid-market companies rely on legitimate interests as a lawful basis for B2B marketing, fraud prevention, and other processing activities. Relying on it requires a documented legitimate interests assessment (LIA) with a three-part test — purpose test, necessity test, balancing test — and a named executive sign-off. Most companies that rely on legitimate interests have never produced this documentation.
4. Data subject rights requests are not handled systematically
One month is not a long time when a data subject access request (DSAR) requires input from multiple systems, departments, and processors. Most mid-market companies handle these requests ad hoc when they arrive. A single poorly handled DSAR is the most common trigger for an individual complaint to Datatilsynet — which can lead to a broader audit.
5. Data breach response is not prepared in advance
72 hours is an extremely short window to assess a breach, determine whether it meets the notification threshold, identify affected data subjects, and submit an accurate notification to Datatilsynet. Companies that have not built and tested their breach response procedure in advance consistently miss the deadline or submit inaccurate notifications — both of which are enforcement findings in their own right.
What the Penalties Look Like
GDPR has a two-tier penalty structure:
| Violation Type | Maximum Penalty |
|---|---|
More severe violations include processing without a lawful basis, violating data subject rights, and transferring data internationally without adequate safeguards — all common gaps in mid-market GDPR programmes.
Datatilsynet has issued fines against Norwegian companies including Grindr (NOK 65 million), Disqus (NOK 25 million), and Bergen municipality (NOK 5 million). The direction of travel is clear — enforcement is active, proportionate, and not limited to large organisations.
How Long a Proper GDPR Audit and Remediation Takes
What It Costs
With governance automation tooling: €5,000–12,000 first year for a mid-market company with moderate processing complexity.
Traditional consultant route: €15,000–50,000 depending on the complexity of processing activities and the number of processors requiring agreements.
Annual ongoing with tooling: €4,000–8,000. GDPR is a continuous obligation — processing activities change, new tools are adopted, regulations are updated, and data subject rights requests arrive at any time.
For companies managing GDPR alongside ISO 27001, NIS2, or Åpenhetsloven, the governance workflows overlap significantly. Data governance, processor due diligence, incident response, and management review infrastructure are shared across frameworks.