GDPR data breach fines & penalties

Published on : 29 Jan 2021

The General Data Protection Regulation (GDPR) is a law introduced to protect the personal data of EU citizens. It is a data protection law designed for, and applied to, businesses across Europe and beyond. The law aims to secure the environment in which personal data is processed and to benefit both citizens and businesses in the European Union. To ensure the regulation is enforced, the enforcing authorities impose heavy fines and penalties for non-compliance with the GDPR.

The GDPR fines and penalties imposed under Article 83 are flexible and scale with the firm. So, any organization found non-compliant with the GDPR, regardless of its size, faces significant penalties. It is also important to note that these fines and penalties are proportionate to the size of the company and the amount of data involved. GDPR fines and penalties are designed to make non-compliance a costly mistake for businesses.

In today’s article, we cover in detail the administrative fines laid out by the regulation, how GDPR fines and penalties are assessed, and the infringements that can incur penalties for an organization. The article also explains how regulators determine the figure and the criteria for deciding the maximum GDPR fine for a breach.

GDPR fines and penalties for non-compliance

Data breaches are inevitable, especially when security measures are not in place. Since the GDPR came into force, it has been a hot topic of discussion among businesses because of its growing administrative fines for non-compliance.

In the past few years, there have been record-breaking GDPR fines issued to high-profile organizations for non-compliance with the GDPR. The largest recorded so far is the £44m GDPR fine levied on Google.

The Regulation requires organizations to ensure that personal data is collected legally, and then processed and managed securely, so that it is not misused or exploited. This is meant to ensure that organizations secure their environment and respect the rights of data owners, or face penalties for non-compliance.

Today, the GDPR is said to be the world’s most stringent data protection law, with the harshest fines and penalties levied on organizations for a data breach or for being non-compliant. While not all infringements of the GDPR lead to serious fines, below are the administrative fines that can be levied on organizations. There are two levels of fines, based on the different criteria drawn out by the regulation, and they are as follows:

  • The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
  • The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

The fines levied are substantial and a good reason for companies to abide by the regulation and ensure compliance. However, it is important to note that fines for infringements are considered on a case-by-case basis, taking several criteria into consideration.


Criteria for determining GDPR fines and penalties

GDPR fines and penalties are administered by the data protection regulator in each EU country. The concerned authority determines whether an infringement has occurred, the severity of the incident, and the penalty to be levied. The following criteria are considered when determining the fine amount:

  • Nature and Gravity of Infringement: Depending on the nature of the infringement, the severity of the incident, and the duration of non-compliance, the data protection office decides the fine.
  • Intentional or Non-intentional: Whether the infringement was intentional or the result of negligence affects the fine that is determined.
  • Subjects Affected: Based on the number of data subjects affected and the nature of the infringement, the GDPR maximum fines are levied.
  • Mitigation Strategy: Whether or not the firm took any action to mitigate the damage suffered by the people affected by the infringement.
  • Precautionary Measures: The decision takes into account the technical measures implemented and the organizational preparation for GDPR compliance. This is where the entire process and due diligence carried out as part of business as usual (BaU) matters most.
  • Previous Infringement History: Whether or not there have been any relevant previous infringements, including infringements under the Data Protection Directive that may relate to other compliance obligations rather than the GDPR, and any past administrative corrective actions under the GDPR, will influence the fine.
  • Co-operation with the Authority: Whether the firm co-operated with the supervisory authority to discover and remediate the infringement.
  • Data Category: The type of personal data affected by the infringement determines the fine.
  • Notification: Whether the organization or its designated third party proactively reported the infringement to the supervisory authority.
  • Adherence to an Approved Code of Conduct: Whether or not the firm followed a code of conduct for achieving compliance or was previously certified.

If regulators determine that an organization has committed multiple GDPR violations, it will almost certainly be penalized severely for those infringements.

What is the punishment for breaking the GDPR Data Protection Act?

1. GDPR Minimum Fines

The lower level of GDPR fines and penalties may range up to €10 million or 2% of the company’s global annual turnover, whichever is higher. The lower-level fines apply to the infringements listed in Article 83(4) of the General Data Protection Regulation, which include infringements relating to:

  • Integrating data protection ‘by design and by default’.
  • Records of Processing Activities.
  • Cooperation with the supervising authority.
  • Security of processing data.
  • Notification of a Personal Data breach to the supervisory authority.
  • Communication of a Personal Data breach to the data subject.
  • Data Protection Impact Assessment.
  • Prior consultation.
  • Designation, position, or tasks of the Data Protection Officer.
  • Certification.

2. GDPR Maximum Fines

The higher level of GDPR fines and penalties may range up to €20 million or 4% of the company’s global annual turnover, whichever is higher. The higher-level fines apply to the infringements listed in Article 83(5) of the General Data Protection Regulation, which include infringements relating to:

  • The basic principles for processing, including conditions for consent, the lawfulness of processing, and the processing of special categories of personal data.
  • Rights of the data subject.
  • Transfer of Personal Data to a third country or an international organization.

3. GDPR Fines and Penalties for Individuals/Employees

It is important to note that the GDPR clearly states that an individual or employee who uses a data subject’s information for any purpose other than that for which consent was obtained shall be personally liable for fines for disregarding data privacy. The employee will in no way be shielded by the company in that situation.

4. Right to Compensation

Administrative GDPR fines are not where the financial liability ends in the event of a data breach. Under the GDPR, data subjects have the right to seek compensation when an organization’s non-compliance with the GDPR has caused them material or non-material damage. In some cases, not-for-profit bodies can take representative action on behalf of individuals affected by a personal data breach. This opens the door to mass claims in cases of large-scale infringement.


A stringent data protection law backed by heavy fines and penalties aims to ensure that organizations adopt industry best practices to secure their environment and protect the personal data of EU citizens. The possible GDPR fines and penalties resulting from non-compliance highlight how essential it is for organizations to take the GDPR seriously and prepare for achieving compliance. The fines stated in the GDPR apply to any non-compliant organization, big or small, national or international.

Contact our compliance experts for guidance and assistance with the GDPR. We can guide you through the entire journey and make the compliance process easy for you. You can also receive the latest updates and insights relevant to GDPR compliance and stay up to date on the regulation.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.