
What happens if you break GDPR law?

November 9, 2021

GDPR, or the General Data Protection Regulation put in place by the EU, created sweeping changes in the world of data privacy and consumers’ rights. Between the time it was officially adopted in 2016 and the time it took full effect in 2018, businesses worldwide were sinking time and money into getting their ducks in a row and making sure they were GDPR compliant.

Why has it become so critical for companies to be GDPR compliant? The answer can be found in the consequences of GDPR non-compliance, which are severe enough to deal a major blow to any business. Let’s take a closer look at those consequences and the factors that determine them.

What are the GDPR penalties for violating the law?

GDPR is enforced with monetary fines rather than criminal charges or other legal consequences. Those GDPR fines for non-compliance are nothing to scoff at, though.

The regulation lays out two tiers of fines depending on the seriousness of the offense. The lower tier can elicit fines of up to €10 million or 2% of your global turnover for the year, whichever is higher. The higher tier of offenses can lead to fines of 4% of your global turnover for the year or €20 million, whichever is higher.

The circumstances of your GDPR violation will determine whether you fall into the lower tier or upper tier of fines. The upper tier is generally reserved for the most severe of violations, but if you have a history of multiple violations or if you have refused to become compliant despite numerous warnings, that could raise a less serious offense to the upper tier.

Who enforces the GDPR?

The European Union is an interesting organization from a legal perspective: it has a government of its own, in a sense, but it also collaborates with the government of each EU member state. So whose job is it to enforce GDPR?

While the legislation applies across the whole EU, it’s enforced by each individual member state within the union. If a business violates GDPR, its GDPR non-compliance penalty is generally enforced by the country where the business is based or, for non-EU companies, the country where their EU representative is based.

There is, however, some guidance that keeps all these countries on the same page. The European Data Protection Board, or EDPB, is an EU-wide body that guides member states in enforcing GDPR consistently.

Who chooses and issues fines for a GDPR violation?

As we noted, there are two tiers of potential penalties for any GDPR non-compliance fine. But it’s a matter of discretion whether your violation falls into the upper tier or lower tier. On top of that, those tiers only outline maximum penalties. Who actually decides what the penalty of a GDPR violation will be?

Your fine will be determined and enforced by the supervisory agency in your EU member state. Each country or member state has its own agency to enforce GDPR, and that is who you will answer to if you are not GDPR compliant.

How does Brexit affect the GDPR?

Does the UK’s departure from the EU mean that the GDPR no longer applies to people in the UK? Technically, yes, but the UK has taken other measures to protect its citizens.

As we noted, each country has its own supervisory agency to enforce GDPR. The UK GDPR supervisory authority is the Information Commissioner’s Office, or the ICO. This office enforces other legislation related to data privacy too.

In 2018, the UK implemented the GDPR by adopting its own Data Protection Act 2018. Because this act is part of UK law, it remains in place and enforceable now that the UK is no longer part of the EU. ICO penalties and ICO fines for GDPR violations like a privacy breach in the UK are just as enforceable as GDPR penalties in other countries.

Are GDPR fines different for individuals compared to businesses?

GDPR is primarily a concern for businesses because they’re more likely than individuals to be collecting data from users online. But individuals can have sites or apps that do this too. If businesses’ fines are based on their global turnover, how are individuals’ EU GDPR fines determined?

GDPR personal fines carry the same maximum amount as company fines, but they’re typically based on the individual’s income rather than revenue. Of course, the fine is still up to the discretion of the supervisory authority in their EU member state.

How many GDPR fines have been issued?

The fines for GDPR violations sound shockingly high, which has left many businesses wondering how often they’re actually put into practice. How many GDPR fines have been issued?

There is no official number, and unsurprisingly, the number of fines issued can change on a daily basis. As of the time of publishing this article, in the fall of 2021, some enforcement trackers have over 800 fines and violations listed since the law took effect in 2018.

Many of these fines are far below the maximum amount for even the lower tier of violations, but some fines have reached overwhelming heights. As of September 2021, the highest known GDPR fine since the law’s implementation was issued to Google for the sum of €746 million.

How to protect yourself from GDPR fines

GDPR penalties are high enough to bankrupt many companies and individuals or at least cause severe financial hardship. How can you make sure you’re meeting all the criteria to be GDPR compliant?

The best way to do this is with the help of a GDPR compliance tool. Such a tool scans your systems, identifies the GDPR criteria you already meet, and gives you a clear report on what you may be missing, so you know exactly what to do to reach full compliance.
