Now the first law of the internet is GDPR.

Maximum fines per violation are set at 4 percent of a company’s global turnover (or $20 million, whichever is larger).

That’s a lot more than the fines allowed by the Data Protection Directive, and it signals how serious the EU is taking data privacy.

Google and Facebook could withstand a fine like that (they have before), but it would be enough to sink a smaller firm.