Obviously they can't literally apply it everywhere, but it's absolutely not true that they just go after large players. I've had complaints against very small players for relatively minor violations[1] enforced by my national privacy commission.
The GDPR opened the floodgates, but the wheels are in motion, and I know of multiple SMBs who got warnings to cut out their practices.
[1] The part-time manager of a three story building posted a "list of debtors" on the lobby (which contained false information, though that wasn't relevant for the commission, which focuses on the privacy aspect)
The GDPR opened the floodgates, but the wheels are in motion, and I know of multiple SMBs who got warnings to cut out their practices.
[1] The part-time manager of a three story building posted a "list of debtors" on the lobby (which contained false information, though that wasn't relevant for the commission, which focuses on the privacy aspect)