Understanding GDPR Fines

Breaking down the Penalties, Fines and Liabilities


Secure data processing concept with motherboard and virtual processor.

There has been a lot of focus on the substantially large fines that come with the General Data Protection Regulation for non-compliance. A fine of €20 million or 4% of annual turnover will be a significant amount for any company to have to pay. It is important to note that these figures are the maximum figures. Supervisory authorities will have the scope to impose fines of a lower amount, or take a range of actions such as:

  • Issue warnings
  • Issue reprimands
  • Order compliance with Data Subject requests
  • Communicate the Personal Data breach directly to the Data Subject

Administrative fines should be effective, proportionate and dissuasive, leaving the opportunity for early cases of non-compliance to be fined high amounts to set an example for other companies to pay more attention to ensuring compliance.

A number of criteria will be considered when determining any fine, including the nature, gravity, duration and character of the infringement. Supervising authorities may also take into account the types of personal data affected, any previous infringements and level of co-operation.

Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines. The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher. Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine.

The value of the fine to be imposed is not clear-cut and the behaviour of the organisation will be taken into account when determining the value of the fine. This means that organisations certainly have the opportunity to influence the reduction of any fines by acting to fully comply with the Regulation. This includes promoting a culture of data protection and being able to show the steps taken to comply. Organisations that proactively report breaches will be given more credit, showing that the intention and attitude of a company will be considered.

Reducing the likelihood of a maximum fine


Organisations should ensure they have adequate procedures in place for identifying and reporting breaches, as well as all aspects of data protection. An attitude of doing all you can to comply will be much more favourable than a blatant disregard towards the General Data Protection Regulation obligations. With such large potential fines, this could make a large difference to the actual fine imposed. Of course, the aim is to be fully compliant and not make any infringements. This requires prioritising the requirements and ensuring the best systems are in place to avoid any breaches.