People underestimate the cost of a spreadsheet incident because they think of GDPR fines as something that happens to Meta and Google. The big headline-grabbing fines (€1.2 billion for Meta, €746 million for Amazon) make it easy to think "that won't happen to us, we're not a tech giant."
But the ICO fines small and mid-sized companies too. They just don't make the news.
In 2024, the ICO issued enforcement actions against companies you've never heard of. Estate agents. Healthcare providers. Local councils. Charities. The fines were smaller (£10,000 to £200,000), but for a 50-person company, a £100,000 fine is devastating. And that's before legal costs, which typically run 2-5x the fine amount.
What a Spreadsheet Incident Actually Looks Like
Here's a scenario that plays out regularly:
- Marketing exports a customer list for a campaign vendor (10,000 rows, names, emails, purchase history)
- The CSV is sent via email or uploaded to the vendor's portal
- The vendor's systems are breached, or the email is sent to the wrong address
- 10,000 customers' personal data is exposed
- Mandatory breach notification to the ICO within 72 hours
- Mandatory notification to all 10,000 affected individuals
The Real Cost Breakdown
Direct fine: £20,000–200,000 for a mid-market company (based on ICO precedent for data sharing incidents)
Legal costs: Engaging a data protection lawyer for incident response, ICO correspondence, and individual notifications. Budget £15,000–50,000.
Breach notification costs: Contacting 10,000 individuals with a compliant notification. Staff time, communication platform, customer service capacity for incoming queries. Budget £5,000–20,000.
Customer churn: Some percentage of those 10,000 customers will leave. If your average customer is worth £500/year and 2% of them churn, that's £100,000 in lost revenue.
Reputation cost: Hard to quantify but real. A breach notification email is the worst marketing your company will ever send.
Total realistic cost: £140,000–370,000 for what started as someone emailing a CSV.
Prevention Cost
ComplyTech Pro plan: £99/month. £1,188/year.
Running every outbound CSV through the API before it leaves your organisation adds 30 seconds to the process. The annual cost is less than 1% of the minimum realistic cost of a single spreadsheet incident.
I'm not suggesting that an API subscription makes you GDPR-compliant. It doesn't, and anyone who tells you a single tool achieves compliance is selling you something. But it eliminates one of the most common and most preventable breach vectors.
The Specific Numbers
On the Pro plan (150,000 fields/month), you can process:
- ~21,000 rows of a 7-column CSV every month
- Or ~4 exports of 5,000 rows per month
- Or one large export per week
For most companies doing regular vendor data sharing, that covers the typical volume comfortably.
Try It
# Demo key as shown here; use your own key for real exports.
curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \
  -H "X-Api-Key: demo-key-complytech" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Name,Email,Spend,JoinDate\nSarah Jones,sarah@gmail.com,£2500,2023-01-15\nTom Wilson,tom@co.uk,£890,2023-06-20",
    "contentType": "csv",
    "strategy": "Redact",
    "frameworks": ["GDPR"]
  }'
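An added example of the pre-send gate described above (not ComplyTech's own code): it builds the same request body as the curl call, counts the fields one export will consume against the Pro plan quota, and checks that none of the original identifiers survive in the output before the file is released. The response schema is not shown on this page, so the body is treated as opaque text; how the quota counts fields and the `COMPLYTECH_API_KEY` environment variable are assumptions.

```python
import csv, io, json, os, re, urllib.request

API_URL = "https://api.comply-tech.co.uk/api/v1/anonymise"  # endpoint from the page
PRO_PLAN_FIELDS_PER_MONTH = 150_000                         # Pro plan quota from the page
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample export, same shape as the page's curl call.
SAMPLE_CSV = ("Name,Email,Spend,JoinDate\n"
              "Sarah Jones,sarah@gmail.com,£2500,2023-01-15\n"
              "Tom Wilson,tom@co.uk,£890,2023-06-20")

def build_request(csv_text):
    # Same JSON body as the page's curl example.
    return {"content": csv_text, "contentType": "csv",
            "strategy": "Redact", "frameworks": ["GDPR"]}

def field_count(csv_text):
    # Fields an export consumes: data cells only, header row excluded (assumption
    # about how the quota is counted; 7 columns x ~21,000 rows = 150,000 as on the page).
    rows = list(csv.reader(io.StringIO(csv_text)))
    return sum(len(r) for r in rows[1:])

def identifiers_in(csv_text):
    # Direct identifiers to check for afterwards: every e-mail address plus
    # every value in a column headed "Name".
    rows = list(csv.reader(io.StringIO(csv_text)))
    found = set(EMAIL_RE.findall(csv_text))
    for col, head in enumerate(rows[0]):
        if head.strip().lower() == "name":
            found.update(r[col] for r in rows[1:] if len(r) > col)
    return found

def leaked_identifiers(original_csv, anonymised):
    # Original identifiers still present verbatim in the output (case-insensitive).
    low = anonymised.lower()
    return {v for v in identifiers_in(original_csv) if v.lower() in low}

def anonymise(csv_text, api_key):
    # POST the export. The response is returned as raw text because the page does
    # not show its schema; release the file only if leaked_identifiers() is empty.
    body = json.dumps(build_request(csv_text)).encode()
    req = urllib.request.Request(API_URL, data=body, headers={
        "X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    out = anonymise(SAMPLE_CSV, os.environ["COMPLYTECH_API_KEY"])  # assumed env var
    leaks = leaked_identifiers(SAMPLE_CSV, out)
    print("fields used:", field_count(SAMPLE_CSV), "leaked:", sorted(leaks) or "none")
```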
£99/mo vs £140,000+ incident cost
Anonymise every outbound CSV before it leaves your organisation.