The General Data Protection Regulation (GDPR) is a global standard that gives data protection authorities more enforcement power than they had under the previous Data Protection Directive 95/46/EC (DPD), as well as the power to levy more substantial fines. While DPD did not specify the exact amount of administrative fines for compliance violations, the maximum fines for violations of the GDPR can reach €20 million or 4% of the organization’s global annual turnover from the preceding financial year. These penalties are substantially higher than those for any other current standard (e.g., HIPAA, GLBA or SOX).
Although the GPDR hasn’t come into effect yet, organizations already face problems due to their inability to demonstrate compliance with the standard. Recent examples include Flybe and Honda, which were fined by Information Commissioner’s Office for breaking the rules regarding marketing emails. Both companies tried to comply with the GDPR and get customers’ consent in advance by sending emails to ask whether people want to receive marketing information from them, but in doing so, they violated the UK’s Privacy and Electronic Communication Regulations (PECR), which forbids such emails without the right consent because they are considered to be marketing materials.
In this blog post, Netwrix provides answers to the most common questions about GDPR penalties to help you get more familiar with how fines will be determined and which requirements impose the biggest penalties.
How are fines determined?
According to Article 83 of the GDPR, Supervisory Authorities (SAs) or any independent public authorities responsible for protecting rights of natural persons have the right to issue fines to any organization that fails to prove its GDPR compliance. These fines have to be “effective, proportionate and dissuasive.” There are several criteria that help SAs determine whether an organization has to pay a fine or not, and how big this fine must be:
- Nature of infringement — The number of people affected and the damage they suffered; the nature, gravity and duration of the infringement; and the purpose of data processing
- Intention — Whether the infringement was intentional or negligent
- Mitigation — What actions were taken by the data controller or processor to mitigate damage to data subjects
- Preventative measures — The degree of responsibility by the controller and processor, as well as what technical and organizational measures the organization took to prevent non-compliance
- History — Any relevant prior infringements by the controller or processor
- Cooperation — How willing the company has been to cooperate with the SA to remedy the infringement and mitigate its potential effects
- Data type — What categories of personal data the infringement affects
- Notification — Whether controller or processor reported the infringement proactively
- Certification — Whether the firm had earned certifications or adhered to approved codes of conduct
- Other — Other aggravating or mitigating factors applicable to the circumstances of the case, e.g., financial benefits gained or losses avoided
What are the GDPR’s fine levels?
Article 83 also describes two levels of fines that organizations can face if they fail to prove compliance with the GDPR. The levels are based primarily on which requirement was violated.
Level One. At this level, organizations face penalties of up to 10 million euros, or 2% of their global annual turnover for the preceding financial year. Level one applies to violations of the following requirements:
- Obligations of the Controller and the Processor — One of the largest sections of the GDPR is devoted to the responsibilities of data controllers and processors for proper data processing and protection. This includes data protection by design and by default (Article 25), rules related to the security of processing (Article 32), and timely notification of a data breach to the SAs (Article 33) and data subjects (Article 34). Also, both controllers and processors are required to carry out data protection impact assessments (Article 35) to identify and mitigate security risks related to data processing.
- Data breach notification (Articles 33-34) — Article 33 of the GDPR requires data controllers to notify supervisory authorities in case of a personal data breach, without undue delay and within 72 hours after having become aware of the personal data breach, unless the breach is unlikely to put the rights and freedoms of natural persons at risk. Article 34 covers the notification of personal data breaches to data subjects and specifies the details that organizations have to provide (including the nature of the breach, a contact point and the likely consequences).
- Obligations of the monitoring body (Article 41) — Article 41 covers monitoring of approved codes of conduct that should be carried out by a body that has relevant expertise and that is accredited for that purpose by a competent supervisory authority.
- Obligations of the certification body (Articles 42 and 43) — According to Article 42, member states and supervisory authorities shall encourage the establishment of data protection certification mechanisms to help data controllers and processors demonstrate compliance with the GDPR. Certifications can be issued by either an accredited certification body or the European Data Protection Board. Article 43 says that accreditation is available to a certification body only under certain circumstances, e.g., if the body demonstrates certain independence and expertise, or establishes procedures to handle complaints about infringements.
Level Two. At this higher tier, fines are assessed for more serious infringements by controllers and processors, such as violation of a data subject’s rights or conditions of consent. Fines at this level are 20 million euros or 4% of the company’s global annual turnover for the preceding financial year. Level two includes violations of the following provisions of the GDPR:
- Basic principles for processing of data — This includes general rules for data processing (Article 5), lawfulness of processing (Article 6), conditions for consent (Article 7 and 8) and the processing of special categories of sensitive data (Articles 9–11).
- Data subjects’ rights (Articles 12–22) — The articles define multiple rights of data subjects that significantly affect the way organizations can store and process personal data. Examples include the right to confirm whether personal data is being processed (Article 15), the right to rectify inaccurate personal data (Article 16), the right to be forgotten (Article 17), the right to restriction of processing (Article 18), the right to easily transmit data to other controllers (Article 20) and the right to object to data processing activities (Article 21).
- Transfers of personal data (Articles 44–50) — Chapter 5 governs data transfers to third countries or international organizations. This includes the general principles of data transfers (Article 44), transfers or disclosures not authorized by EU law (Article 48), and rules about international cooperation for the protection of personal data (Article 50).
- Orders from supervisory authorities — Finally, organizations can face level two fines if they fail to comply with an order by a Supervisory Authority to limit or suspend the processing of data (Article 58).
Is there any additional compensation for data subjects?
Similar to the DPD, the GDPR allows data subjects to seek monetary damages in court from controllers and processors who violate their rights. This includes cases when organizations are liable for a data breach, violate the processor-specific provisions of the GDPR, or act outside a controller’s lawful instruction (Articles 79 and 82).
Summary
Apart from imposing fines, supervisory authorities have other corrective powers in case of non-compliance, which include issuing warnings and reprimands, and — in extreme cases — banning the organization from processing personal data (Article 58). Therefore, organizations need to ensure that they have effective policies and procedures in place to ensure explicit consent, identify and report breaches, and comply with other GDPR provisions. It’s wise to start by paying attention to the areas that impose the highest penalties, by following basic rules for proper data processing and making sure that they do not violate the rights of data subjects.
FAQ
How are GDPR fines calculated?
GDPR fines follow a two-tier structure that can hit hard: administrative fines of up to €10 million or 2% of global annual turnover for lesser violations, and up to €20 million or 4% of global turnover for more serious breaches. But here’s what matters more than the maximums – regulators consider ten specific factors when calculating your actual penalty, including the nature and severity of the infringement, whether it was intentional or negligent, and most importantly, the technical and organizational measures you had in place to prevent it.
The calculation isn’t arbitrary. Authorities evaluate your cooperation during the investigation, whether you’ve notified them promptly about breaches, and if you’ve taken steps to mitigate damage to affected individuals. Companies that demonstrate robust identity and access controls, proper data classification, and clear breach response procedures typically see significantly reduced penalties. Data security that starts with identity isn’t just good practice – it’s your best defense against maximum fines when things go wrong.
What is the maximum GDPR fine?
The maximum GDPR fine is €20 million or 4% of your organization’s total global annual turnover from the preceding financial year, whichever is higher. This tier applies to the most serious violations like inadequate legal basis for processing, violating data protection principles, or failing to implement proper technical and organizational security measures.
The €10 million or 2% threshold applies to “lesser” violations such as not maintaining proper records, failing to conduct impact assessments, or not appointing a Data Protection Officer when required. But don’t let the word “lesser” fool you – these fines can still devastate most organizations. The key insight? Regulators consistently reduce penalties for companies that can demonstrate proactive security measures, especially identity-based controls that show you’re serious about preventing unauthorized access to personal data.
How to avoid GDPR fines?
Avoiding GDPR fines starts with getting identity right. Most penalties stem from unauthorized access to personal data, which means your first line of defense is implementing least privilege access controls and maintaining clear visibility into who can access what data, when, and why. You can’t secure what you can’t see, and you can’t control what you don’t monitor.
Build your defense strategy around three pillars: technical security measures (encryption, access controls, monitoring), organizational processes (staff training, incident response plans, regular audits), and documentation that proves compliance. When breaches happen – and they will – having automated breach detection and response capabilities can mean the difference between a minor penalty and a maximum fine. Regulators look favorably on organizations that can demonstrate they’ve invested in proper security infrastructure and can respond quickly to contain damage.
The most effective approach connects identity management to data protection. Implement role-based access controls, regular access reviews, and automated provisioning that ensures people only have access to the personal data they need for their job. This isn’t just about compliance – it’s about building security that actually works in practice, not just on paper.
What fines can be imposed under GDPR?
GDPR allows regulators to impose administrative fines across two tiers, but the regulation gives them significant discretion in how they apply penalties. Tier 1 violations can result in fines up to €10 million or 2% of global annual turnover and typically involve procedural failures like inadequate record-keeping, missing privacy notices, or failure to conduct required impact assessments.
Tier 2 violations carry the headline-grabbing penalties of up to €20 million or 4% of global turnover and focus on fundamental data protection failures: processing without legal basis, violating core data protection principles, or implementing inadequate technical and organizational security measures. But here’s what the headlines miss – regulators also consider corrective measures like temporary processing bans, audit requirements, and certification mandates that can be just as disruptive to your business.
The real enforcement trend shows regulators increasingly focus on technical security failures, particularly around access controls and breach response. Organizations that can demonstrate comprehensive identity and access management programs, with clear audit trails and automated response capabilities, consistently receive lower penalties even when violations occur. The message is clear: invest in proper security infrastructure that starts with identity, and regulators will notice.
What is the fine for not complying with GDPR?
Non-compliance with GDPR can trigger the full range of penalties: fines up to €20 million or 4% of global turnover, processing bans that shut down business operations, mandatory audits that consume resources for months, and corrective orders that force expensive system overhauls. But the financial penalty is often just the beginning – the real cost comes from business disruption, reputation damage, and the operational overhead of remediation.
Recent enforcement data shows that “non-compliance” isn’t binary. Regulators distinguish between organizations that make good-faith efforts to comply and those that ignore their obligations entirely. Companies with documented security programs, even imperfect ones, typically face corrective measures rather than maximum fines. Those without basic technical safeguards – proper access controls, breach detection, or incident response capabilities – get hit with the full penalty structure.
The practical reality is that compliance isn’t about perfection; it’s about demonstrating systematic effort to protect personal data through appropriate technical and organizational measures. Regulators consistently reward organizations that can show they’ve implemented identity-based security controls, maintain proper audit trails, and respond quickly when issues arise. Data security that starts with identity isn’t just compliance theater – it’s the foundation of a defensible GDPR program.