GDPR fines and penalties: What are the risks? | DMA




The General Data Protection Regulation (GDPR) is the most significant overhaul of personal data rights to date. As well as giving European citizens far greater control over the personal data held about them by organisations worldwide, the regulation sets out some particularly stringent penalties for breaches.

Article 83 of the GDPR sets out the general conditions for imposing administrative fines on controllers and processors found to have infringed the regulation, including those that have misused or exposed personal data.

GDPR Fines

When defining penalties for personal data infringements, European lawmakers had two goals. First, fines need to be harsh enough to underscore how seriously personal data protection is taken, and to deter firms from "cutting corners". Second, the size of the financial penalties reflects the increasing value of personal data in the information economy.

Under Article 83, paragraphs 4 and 5 of the regulation, fines are set on a case-by-case basis and fall into two tiers depending on which provisions have been infringed, not on the size of the company involved. At the lower tier (covering, for example, controller and processor obligations such as security of processing and breach notification), the maximum fine is €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements at the higher tier (the basic principles of processing, data subjects' rights and international transfers, among others) can attract administrative fines of up to €20 million or 4% of total worldwide annual turnover, again whichever is higher. For the largest FTSE 100 companies, 4% of turnover could run to billions of pounds.

The exact size of any fine depends on a number of aggravating and mitigating factors listed in Article 83(2). When investigating an infringement, the supervisory authority (in the UK, the Information Commissioner's Office, or ICO) has to give due regard to:

  • The nature, gravity and duration of the infringement, taking into account the number of people affected and the level of damage they suffered. The more people affected, the more serious the incident.
  • The intentional or negligent character of the infringement. Was the breach the result of a deliberate decision, or of carelessness, and has the company been actively working to protect personal data?
  • The technical and organisational measures the organisation has implemented. Is the company applying security best practice to protect the data it holds?
  • Any previous infringements by the controller or processor. Do they indicate that the company is consistently failing to take personal data security seriously?
  • The categories of personal data involved. Some personal data, such as health data or other special category data, is treated as more sensitive than the rest.
  • The way the regulator found out about the infringement. Was it reported by the organisation itself, as Article 33 requires for notifiable personal data breaches (within 72 hours of becoming aware of it, where feasible), or did it come to light through a third party or a whistleblower?

Essentially, data regulators want to know what was exposed or lost, how the breach happened, and whether the organisation was actively working to improve its security before the incident. They then use those findings to decide on an appropriate GDPR sanction.
