How Much Do GDPR Violations Cost?
How Much Do GDPR Violations Cost?
GDPR compliance has many benefits of its own: access to European markets, increased consumer trust, and an overall decrease in anxiety and uncertainty. It can also be a requirement for receiving funding from investors. For many organizations, however, GDPR compliance is not so much about enjoying the positive benefits as it is about avoiding the negative consequences of non-compliance, i.e., fines.
For those organizations weighing the risks and benefits of non-compliance, it’s important to understand the potential costs of GDPR fines, how those fines are calculated, and how prevalent enforcement is.
Administrative Fines
Article 83 of the GDPR gives member states the authority to enforce the privacy law through administrative fines. The fines are “administrative” because they are imposed directly by the supervisory authority (commonly called a data protection authority, or “DPA”) without any requirement to prosecute the case before a court. This makes for quicker, more efficient enforcement, though organizations are still entitled to appeal their cases to a traditional court.
The fines can be broken into two tiers: standard maximum fines and higher maximum fines.
Standard Maximum Fines
The standard maximum fine for GDPR violations is €10 million or 2% of the organization’s total annual worldwide turnover, whichever is higher. For the most part, this level of fines is imposed for failures to abide by the general responsibilities of controllers and processors, including:
- Data protection by design and default
- Having proper contractual arrangements with processors
- Keeping records of processing activities
- Providing notification to the DPA in case of a data breach
- Having a designated data protection officer (DPO)
Higher Maximum Fines
The higher tier of penalties allows for doubled maximum fines—€20 million or 4% of the organization’s total annual worldwide turnover, whichever is higher. These fines can be imposed for violations of:
- The basic principles of data processing under the GDPR, including conditions for consent
- Data subjects’ privacy rights
- Rules regarding international transfers of personal data
- Orders given by data protection authorities
How GDPR Fines Are Calculated
While the GDPR does not have a specific formula for calculating fines, it does identify a number of criteria that DPAs should take into consideration.
- The nature, gravity, and duration of the violation, taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
- The intentional or negligent character of the violation
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility of the controller or processor, taking into account technical and organizational measures they’ve implemented
- Any relevant previous violations by the controller or processor
- The degree of cooperation with the supervisory authority
- The categories of personal data affected by the violation
- The manner in which the violation became known to the supervisory authority, in particular whether the controller or processor notified the authority of the violation
- Compliance with previous orders from the DPA
- Adherence to approved codes of conduct certification mechanisms
- Any other aggravating or mitigating factor applicable to the circumstances of the case
How Aggressive Is GDPR Enforcement?
A GDPR violation only has a cost if data protection authorities are actually enforcing it. Though it may come as a surprise, GDPR enforcement is quite robust. Each member nation’s DPA enforces the privacy law within their borders, and they are targeting organizations of all sizes, from small websites to municipal governments to giant tech companies. The fines themselves range from tiny (as little as €50) to massive (Amazon Europe was fined €746 million in 2021). Though they vary based on the country and the organization, most fines fall somewhere between 1000–100,000 Euros. You can see an up-to-date list of fines across Europe here.
Plan for Compliance, Not Fines
Planning for GDPR compliance is a far better solution than bracing for an expensive fine in the future. Even a €1000 fine likely involves thousands in legal fees and many hours of lost time—and in the end you still have to get your business compliant afterward or else face even steeper fines.
Many smaller organizations avoid GDPR compliance because they don’t have the expertise to tackle it on their own or the resources to hire a specialist compliance firm.TrueVault Polaris combines the cost savings of in-house compliance with the reliable expertise of hiring outside experts. With an interface similar to online tax software, you can follow the guided questions and onboard your business in as little as a few hours. Polaris also provides tools like privacy request workflows and automations to make ongoing compliance a simple task. Contact us today to see a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get compliant today
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo