
GDPR fines explained

07 November 2019

We often hear of businesses lamenting the cost of GDPR compliance, but as the bedding-in period passes and national supervisory authorities such as the UK’s Information Commissioner’s Office (ICO) tighten up their stance, the cost of non-compliance can be much greater.

The introduction of the EU GDPR (General Data Protection Regulation) in May 2018 gave individuals much more control over the extent of business’s usage of their personal data, and more power to authorities such as the ICO to enforce these tougher data protection rules.

What are the penalties for non-compliance with GDPR?

Since the GDPR took effect, the authorities’ extended powers have enabled them to levy the following GDPR fines:

  • Violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default – up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater)
  • Violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers – up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater)

[Infographic: GDPR fines and penalties]

What is the minimum fine for GDPR?

In the early post-GDPR stages, the ICO was more lenient than it is now, understanding that GDPR compliance has been labour-intensive and sometimes costly for businesses (particularly SMEs). However, now we’re two years into the regime, the ICO’s stance is understandably stricter. Fellow businesses and individuals are now more informed and aware of their own data protection rights, too: The Guardian reported that data protection complaints surged from 21,019 to 41,661 in July this year, compared with the same period in 2018.

There is no minimum GDPR fine; rather, the ICO decides the appropriate fine for a breach in each case. They say, “any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis”.

Are there any other sanctions?

What is potentially more worrying than financial penalties is that national supervisory authorities have the power to restrict or suspend your data processing activities altogether if you are not complying with the GDPR. In a worst-case scenario, this could prevent you from trading at all.

Is there a list of GDPR fines and penalties?

The ICO publishes a great deal of information on its website, from decision notices and audit and monitoring reports to data on how long businesses take to reply to freedom of information requests and on data security incident trends.

These fines make for a concerning read, but prevention is better than a cure. For peace of mind that your organisation’s data processing practices are GDPR compliant, get in touch with our specialist team.

Matthew leads our employment law and business immigration team. He is also a director of our affiliated company, Willans Data Protection Services, which provides organisations operating on a multi-national basis with UK and Article 27 Representative solutions, Data Protection Officer services and GDPR training solutions. Matthew has over 20 years’ experience in the employment law field and is qualified as CIPP/E with the International Association of Privacy Professionals.

Matthew Clayton MA LLM (Cantab), CIPP/E