GDPR penalties and fines
The GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater – for infringements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
What is the maximum GDPR fine?
There are two tiers of administrative fine for non-compliance with the GDPR:
- Up to €10 million, or, in the case of an undertaking, 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or, in the case of an undertaking, 4% of annual global turnover – whichever is greater.
GDPR breach fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
The two tiers of GDPR fine
Lower level of GDPR penalties
Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25 – 39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Higher level of GDPR penalties
Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:
Who gets the money from GDPR fines?
All fines collected by the ICO go to HM Treasury’s Consolidated Fund to be spent on health and social care, education, policing and justice, and the like.
The money collected from the annual data protection fee that data controllers must pay is used to fund the ICO’s work.
Suffered a data breach? The clock is ticking
The GDPR requires you to notify the ICO within 72 hours of discovering a data breach.
Act fast with our GDPR Data Breach Support Service to ensure you fulfil the Regulation's breach notification requirements quickly and efficiently.
How are GDPR fines applied?
GDPR fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
Any fine you might receive will depend on:
- The type of infringement, how severe it was and how long it lasted;
- Whether it was deliberate or accidental;
- The action you took to reduce the damage to individuals (data subjects);
- Your security measures;
- Whether this is your first GDPR infringement;
- How cooperative you were when fixing the issue;
- The types of personal data involved;
- Whether you notified the supervisory authority yourself; and
- Whether you adhere to any approved codes of conduct or certification schemes.
How to avoid GDPR fines and penalties
How personal data is processed and secured is the very essence of the GDPR. This is reflected in the action that the European regulators have taken since the Regulation took effect.
The vast majority of GDPR fines have related to violations of articles 5, 6 and 32.
- Article 5 (data processing principles) states that personal data must be:
  - Processed lawfully, fairly and transparently.
  - Collected only for specific legitimate purposes.
  - Adequate, relevant and limited to what is necessary.
  - Accurate and, where necessary, kept up to date.
  - Stored only as long as is necessary.
  - Processed in a manner that ensures appropriate security.
- Article 6 (lawfulness of processing) states that personal data can only be processed:
  - If the data subject has given their consent.
  - To meet contractual obligations.
  - To comply with legal obligations.
  - To protect the data subject’s vital interests.
  - For tasks in the public interest.
  - For the legitimate interests of the organisation.
- Article 32 (security of processing) requires data controllers and processors to implement “appropriate technical and organisational measures” to secure the personal data they process.
IT Governance has everything you need to help ensure your GDPR compliance, including:
- Demonstrating that you have a lawful basis for processing;
- Following the six data processing principles; and
- Implementing appropriate technical and organisational measures.
Achieve GDPR compliance with our all-in-one solutions
Whether you’ve just started your implementation project or are already on the way to compliance, our packages are a cost-effective solution that will help you streamline your implementation project.
GDPR fines so far
In the first quarter of 2020, European supervisory authorities issued at least 68 administrative fines totalling nearly €50 million. (The total is approximate owing to currency fluctuations and the fact that not all supervisory authorities publish information about the action they have taken.)
The fines for January to March 2020 break down as follows:
[Table columns: Monthly total (€); 2020 cumulative total (€)]
Free download: GDPR Fines Quarterly Report
You can learn more about the GDPR fines issued since May 2018 in our free quarterly reports, which cover:
- The number of fines issued by month since 2018 per country;
- The value of the fines issued by month since 2018;
- The most common types of breach that resulted in fines;
- A breakdown of fines issued per country; and
- Information about the organisations that have been fined.
Useful external links
- ICO enforcement action
- European Commission Enforcement and sanctions
- EDPB (European Data Protection Board)
- EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
- EDPB Guidelines on the application and setting of administrative fines (wp253)
- Handbook on European data protection law
Don't get caught out: meet your compliance objectives today
As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.
Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.