
GDPR penalties: What is the maximum fine for GDPR breaches?

GDPR fines make headlines because of their size. We look at why companies may be fined, who enforces the GDPR, who is responsible for compliance, and how companies can protect themselves against GDPR violations.
Published by Celestine Bahr
10 mins to read
May 13, 2025

In the European Union (EU) and European Economic Area (EEA), the General Data Protection Regulation (GDPR) has been in effect since May 2018. Its goal is to protect EU residents’ privacy and personal data and give them control over how that data is used.

Since its implementation, the GDPR has become the world’s most influential data privacy law, impacting legislation in other countries and significantly affecting how companies do business in Europe.

One of the most newsworthy aspects of GDPR enforcement is the fines levied against companies found to have violated the law. 

Organizations of any size can be fined for violations, but the news stories that make headlines usually involve tech giants with global reach and billions of users. Fines in those cases have reached hundreds of millions of euros and, in one case, more than a billion.

Who is responsible for GDPR compliance?

Responsibility for General Data Protection Regulation compliance is shared across several roles, and the degree of responsibility depends on factors such as the type of processing and whether the entity decides why and how personal data is used (a controller) or processes it on behalf of someone else (a processor).

At a more granular level, there are often privacy experts within organizations who are responsible for data privacy operations. In some cases, appointing a Data Protection Officer is a legal requirement.

Data controllers and data processors

Data controllers and data processors are the people or organizations that actually collect and process the personal data of EU residents. A controller determines the purposes and means of processing (Art. 4(7) GDPR); a processor processes personal data on the controller's behalf (Art. 4(8)). Processing can include using, sharing, or selling data.

Those entities have day-to-day responsibility for data privacy and security. They must have a valid legal basis for collecting data, use that data in line with the GDPR and only for the purpose(s) they communicate, maintain appropriate security, and inform data subjects about their rights and the use of their data.

Data controllers’ responsibilities require them to:

  • Securely maintain records of consent preferences
  • Maintain data accuracy
  • Respond to data-related requests, including requests for correction or deletion (with exceptions)
  • Implement and maintain reasonable organizational and technical measures for data protection

Data processors, on the other hand, typically work for data controllers. An example would be a third-party vendor handling advertising or communications for a company. Data processors’ responsibilities include:

  • Implementing appropriate technical and organizational measures to protect data
  • Notifying the data controller of any data breaches
  • Keeping records of their processing activities
  • Complying with opt-out or data deletion requests after processing has started

While both controllers and processors have their own obligations under the GDPR and both can be fined, the controller carries primary responsibility for data security and privacy compliance, including for the processors it chooses and instructs.

Data protection authorities

Each EU member state (and each EEA state) has at least one independent public body to investigate alleged violations and enforce the GDPR. These are known as data protection authorities (DPAs) or supervisory authorities; Germany, for example, has one per federal state plus a federal authority. For cross-border processing, the DPA in the country of the organization's main establishment acts as lead supervisory authority. These organizations also enforce other local or regional privacy-related laws.


What is considered a violation under the GDPR?

A violation of the GDPR occurs when a data controller or processor fails to meet one or more of the regulation’s requirements. Violations range from administrative oversights to serious breaches of data protection principles. Examples include:

  • Failing to obtain valid consent before collecting or processing personal data
  • Not notifying data protection authorities and affected individuals of a data breach within the required timeframe
  • Collecting or using personal data for purposes not disclosed to the user, including if the original purposes change
  • Failing to implement appropriate security measures to protect data
  • Not providing users with access to their personal data or the ability to delete it

Even well-meaning companies can be fined if they neglect basic privacy practices or are unaware of their compliance obligations. These kinds of oversights — intentional or not — are exactly what regulators look for when deciding whether a fine is warranted.

Small oversights in privacy practices can trigger scrutiny, especially if they are repeated or ongoing. This is why it’s crucial to understand your organization’s responsibilities, especially when violations lead to financial penalties and reputational damage.

What are the criteria for imposing GDPR fines?

When an infringement is identified, data protection authorities weigh the criteria listed in Art. 83(2) GDPR to decide whether to impose a fine and how high it should be. These include:

  • Nature, gravity, and duration of the infringement
  • Whether the violation was intentional, negligent, or repeated
  • Any action taken by the organization to mitigate the damage
  • Degree of cooperation with authorities during investigations
  • Categories of personal data affected
  • Any previous infringements by the organization
  • How the supervisory authority became aware of the infringement
  • Whether the company followed approved codes of conduct or certification mechanisms

This framework seeks to make fines proportionate to the offense and consider each case’s unique circumstances.

What are fines and penalties under GDPR?

If an organization that processes personal data belonging to EU residents is found to have violated the GDPR, there are several types of potential penalties, outlined in Art. 83 GDPR (administrative fines) and Art. 58(2) GDPR (corrective powers).

Data protection authorities can impose administrative fines up to the maximum penalty for a GDPR breach, depending on the severity. Beyond fines, the DPA can:

  • Issue warnings or reprimands
  • Order the organization to bring processing into compliance within a set period
  • Temporarily or permanently impose restrictions on data processing, including a ban
  • Order the erasure of personal data
  • Suspend international data transfers to third countries

DPAs do not impose criminal penalties under the GDPR itself. Under Art. 84, each member state may lay down additional penalties, which can include criminal sanctions under national law.

Administrative fines are probably the most well-known penalty of the GDPR. There are two levels of administrative fines, depending on the severity of the infraction. 

Tier one administrative fines

First-tier GDPR fines (Art. 83(4)) apply to infringements of the obligations placed on controllers and processors, such as data protection by design and by default, record keeping, security of processing, breach notification, data protection impact assessments, and appointing a DPO (Arts. 8, 11, 25 to 39, 42 and 43), as well as obligations of certification and monitoring bodies. They can be up to EUR 10 million or two percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Tier two administrative fines

Second-tier GDPR fines (Art. 83(5)) apply to infringements of the basic principles for processing, including the conditions for consent (Arts. 5, 6, 7 and 9), data subjects' rights (Arts. 12 to 22), rules on transfers to third countries (Arts. 44 to 49), and obligations under member state law adopted under Chapter IX. Failure to comply with a DPA order also falls in this tier (Art. 83(6)). They can be up to EUR 20 million or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Which tier applies depends on which provisions were infringed, not on whether the organization is a first-time offender, although previous infringements are one of the factors that push a fine toward the maximum. Where several provisions are infringed through the same or linked processing operations, the total fine cannot exceed the maximum for the gravest infringement (Art. 83(3)).

Who can be fined under the GDPR?

Any organization that processes the data of EU residents and fails to comply with GDPR requirements can be fined, whether or not the entity is also located in the EU. 

This includes data controllers and processors or joint controllers, applicable when two or more entities jointly determine the purposes and means of processing personal data.

While violations tend to involve commercial entities, other types of organizations can be fined for data privacy violations under the GDPR as well, including nonprofit organizations and charities. Few are exempt from GDPR penalties; the main exception is that each member state decides whether and to what extent its own public authorities can be fined (Art. 83(7)).

Enforcement action against smaller entities is also more common than many people think, largely because only massive fines levied against big tech companies tend to garner headlines. 

However, fines that never make the news, in the tens or hundreds of thousands of euros, can still be a substantial financial hit for a small business.

Can data processors be fined under GDPR?

In short, yes. Data processors process personal data on behalf of and under the instruction and authority of data controllers, but are not immune from penalties. 

GDPR compliance failures for data processors could include not implementing appropriate security measures, processing data for purposes not stated or for which there is not a valid legal basis, or failing to work with the data controller to fulfill obligations under the GDPR.

Can employees be fined under the GDPR?

Generally, employees of organizations would not be fined under the GDPR, as responsibility tends to fall on the company (controller) or the data processor(s), not individuals. 

Employees certainly play a role in GDPR compliance, and can be partly responsible for a violation, like a data breach. Where there is a deliberate or recklessly damaging action that results in a GDPR violation, an employee could be subject to disciplinary action by their employer, and could be penalized by other relevant laws.

Organizations are expected to provide employees with appropriate training and guidelines for data security and handling, and companies should have clear, accessible policies in place around data access, security, and related concerns.

Can individuals be fined under GDPR?

Private persons acting in a purely personal or household capacity fall outside the GDPR (Art. 2(2)(c)) and cannot be fined under it. An individual who acts as a controller outside that exemption, for example by running a camera that records a public street, can be. Many countries also have additional data privacy and security laws, and individuals involved in a data breach, for example, could face criminal or civil legal consequences under those.

How many companies have been fined for GDPR?

Organizations have submitted hundreds of thousands of breach notifications to data protection authorities under GDPR rules. Enforcement activity has been increasing each year since the law came into effect in 2018.

According to the GDPR Enforcement Tracker, authorities continue to issue GDPR fines at a steady rate. More than 2,200 fines have been recorded, and the total number of fines is growing.

Spain has issued the most GDPR fines to date, with at least 899 fines totaling over EUR 82 million. However, Ireland leads in the total value of fines, having imposed approximately EUR 3.5 billion in penalties across about 25 cases, mostly targeting major technology companies with EU headquarters located there.

What is the biggest GDPR fine to date?

To date, the largest GDPR fine was announced on May 22, 2023. Ireland's Data Protection Commission issued a record fine of EUR 1.2 billion (USD 1.3 billion) to Meta (Meta Platforms, Inc.), parent company of social platforms Facebook, Instagram, WhatsApp, Threads, and other services. This fine exceeds the previous record, the EUR 746 million fine issued to Amazon Europe in 2021, by EUR 454 million. Notably, it was not for a data breach in the sense of a security incident, but for unlawful international data transfers.

Meta was also ordered to stop transferring data from Facebook users in Europe to the United States.

The reason for the ruling was that Meta's transfers of Facebook users' data to the US violated the GDPR's rules on transfers to third countries (Chapter V). 

The US and EU were without an adequacy arrangement for data transfers for about three years after the Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020 (the Schrems II ruling). A new agreement was finalized in 2023, and the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework came into effect on July 10, 2023.

There are new concerns in light of changes made by the current US government administration, however, which once again put adequacy agreements between the EU and US into question.

What happens when the GDPR is breached?

When a personal data breach occurs, the affected organization must act quickly. Under Art. 33 GDPR, a controller must report a breach to the relevant data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A processor must notify the controller without undue delay. 

Where the breach is likely to result in a high risk to individuals, the organization must also inform the affected individuals without undue delay (Art. 34).

The breach response process typically includes:

  • Investigating the cause and scope of the breach
  • Notifying the appropriate authorities and individuals if necessary
  • Taking steps to contain and mitigate the breach’s impact
  • Documenting all details of the incident and the response

The supervisory authority may launch an investigation. If the organization is found to have failed in its data protection duties, fines or corrective measures may follow. 

These can include warnings, orders to change data processing practices, temporary data restrictions, or fines up to the maximum financial penalty for a GDPR breach.

Beyond financial penalties, a breach can have serious reputational, operational, and legal consequences. A swift, transparent, and effective response can help minimize damage and maintain trust.

UK GDPR fines and penalties

GDPR enforcement doesn’t stop at EU borders. Post-Brexit, the UK enforces its own version of the regulation with similar consequences.

The United Kingdom left the European Union on January 31, 2020, and when the transition period ended on January 1, 2021 it retained a near-identical version of the GDPR in domestic law, commonly referred to as the UK GDPR. 

Fines and penalties for noncompliance remain aligned with the original EU regulation. UK GDPR enforcement is the responsibility of the Information Commissioner’s Office (ICO).

As with the EU GDPR, there are two tiers of fines.

Tier one administrative fines

First-tier UK GDPR fines cover the same categories of infringement as the EU tier one. They can be up to GBP 8.7 million or two percent of global annual turnover for the preceding financial year, whichever is greater.

Tier two administrative fines

Second-tier UK GDPR fines cover the same categories as the EU tier two. They can be up to GBP 17.5 million or four percent of global annual turnover for the preceding financial year, whichever is greater.

How to avoid GDPR fines

Whether you’re processing data belonging to residents in the EU or the UK, the most effective strategy is the same: avoid fines by prioritizing compliance from the start. Your company must understand its responsibilities to achieve and maintain compliance with the law’s requirements.

To get ahead of GDPR compliance, implement data protection and privacy best practices. In addition, consider regularly consulting with a privacy expert like a Data Protection Officer (required under the GDPR in many cases) or qualified legal counsel.

Some compliance actions are required in certain countries, but are just recommendations elsewhere. It is important to verify which requirements are applicable to your business. 

There are a number of recommendations for organizations to achieve and maintain GDPR compliance and avoid fines:

  • Conduct regular data audits to fully understand data collection and processing activities
  • Conduct data protection impact assessments (DPIA), which are mandatory where processing is likely to result in a high risk to individuals (Art. 35)
  • Implement data protection policies and procedures
  • Train employees on GDPR compliance and data security practices
  • Appoint a qualified and well-informed DPO when required, which can be an internal or external hire, as long as they have sufficient GDPR expertise
  • Work with trusted third-party vendors and service providers that are GDPR-compliant, and put a data processing agreement meeting Art. 28 in place before data processing operations start
  • Use a comprehensive consent management solution to collect and store valid user consent on websites, apps, connected TV, etc.

The maximum fine for a GDPR breach can be financially devastating. In the UK, the maximum financial penalty for breaching the UK GDPR is just as serious. 

These aren’t rare occurrences. The large GDPR fines issued to companies like Meta and Amazon might seem unrelatable to smaller businesses, but they are not immune to consequences for violating the law.

Here’s the good news: compliance doesn’t have to be overwhelming.

Usercentrics Consent Management Platform (CMP) helps companies like yours simplify GDPR compliance. With our robust and scalable consent management solution, we make it easy to manage user consent, understand what data your website is collecting, and prove compliance when it matters most. 

No legal jargon or guesswork, just clear, practical solutions to reduce your risk and support your data strategy.

Whether you’re trying to avoid the maximum penalty for a GDPR breach, prepare for audits, or simply build user trust, we give you the visibility and control you need to manage data responsibly.