EU has a proper definition of what a small business is:
> SMEs are defined by the European Commission as having less than 250 persons employed. They should also have an annual turnover of up to EUR 50 million, or a balance sheet total of no more than EUR 43 million (Commission Recommendation of 6 May 2003). These definitions are important when assessing which enterprises may benefit from EU funding programmes aimed at promoting SMEs, as well as in relation to certain policies such as SME-specific competition rules.
Am on mobile and I’m too lazy to link, but I’ve found stories about Reddit having already reached $100 million in yearly turnover, which means that they’re no longer seen as a SME based on the second part of your post.
If you're tiny you get out of a few GDPR regulations, like having a data protection officer. Also the GDPR mostly calls for reasonable and appropriate measures, which are terms that scale with company size (measures reasonable for a hairdressing salon are not appropriate for a fortune 500).
Making even further cutouts for SMEs seems unreasonable, after all the individual citzen has similar impact from a data breach in a medium sized company compared to a data breach in a large enterprise.
> SMEs are defined by the European Commission as having less than 250 persons employed. They should also have an annual turnover of up to EUR 50 million, or a balance sheet total of no more than EUR 43 million (Commission Recommendation of 6 May 2003). These definitions are important when assessing which enterprises may benefit from EU funding programmes aimed at promoting SMEs, as well as in relation to certain policies such as SME-specific competition rules.
https://ec.europa.eu/eurostat/web/structural-business-statis...