This article is an exploratory study of the Czech response to the General Data Protection Regulation (GDPR). It employs the perspective of the small state literature to analyse the activities of a small European Union (EU) member state’s government that had to face a mismatch between its policy priorities and policy framing at the EU and domestic level. The article focuses on the arguably common situation of a small state’s government failing to shape a policy internationally and facing a backlash at home. On the basis of a qualitative study of primary and secondary sources as well as semi-structured interviews, the article explores how the Czech debate on GDPR prioritised the bureaucratic burden and costs resulting from the GDPR implementation over the need for privacy as an integral part of human dignity highlighted at the EU level. The article identifies two crucial factors as the basis of the popular backlash against GDPR in Czechia, the lack of prioritisation and the insufficient bureaucratic capacity. These two factors, widely identified in the literature as factors influencing small states’ performance, contributed to the Czech inability to shape GDPR at the European level, as well as the lacking information campaign and implementation domestically.