What happens if you break GDPR law?

GDPR, or the General Data Protection Regulation put in place by the EU, created sweeping changes in the world of data privacy and consumers’ rights. Between the time it was officially adopted in 2016 and the time it took full effect in 2018, businesses worldwide were sinking time and money into getting their ducks in a row and making sure they were GDPR compliant.

Why has it become so critical for companies to be GDPR compliant? The answer can be found in the consequences of GDPR non-compliance, which are severe enough to deal a major blow to any business. Let’s take a closer look at those consequences and the factors that determine them.

What are the GDPR penalties for violating the law?

GDPR is enforced with monetary fines rather than criminal charges or other legal consequences. Those GDPR fines for non-compliance are nothing to scoff at, though.

The regulation lays out two tiers of fines depending on the seriousness of the offense. The lower tier can elicit fines of up to €10 million or 2% of your global turnover for the year, whichever is higher. The higher tier of offenses can lead to fines of 4% of your global turnover for the year or €20 million, whichever is higher.

The circumstances of your GDPR violation will determine whether you fall into the lower tier or upper tier of fines. The upper tier is generally reserved for the most severe of violations, but if you have a history of multiple violations or if you have refused to become compliant despite numerous warnings, that could raise a less serious offense to the upper tier.

Who enforces the GDPR?

The European Union is an interesting organization from a legal perspective because, in a way, it has its own government, but it also collaborates with the government of each EU member state. So whose job is it to enforce GDPR?

While the legislation applies to all of the EU, it’s enforced by each individual member state or country within the union. If a business violates GDPR, its GDPR non-compliance penalty is generally enforced by the country where the business is based or, for non-EU companies, the country where its EU representative is based.

There is, however, some guidance that keeps all these countries on the same page. The European Data Protection Board, or EDPB, is an EU-wide body that helps guide member states in enforcing GDPR.

Who chooses and issues fines for a GDPR violation?

As we noted, there are two tiers of potential penalties for any GDPR non-compliance fine. But it’s a matter of discretion whether your violation falls into the upper tier or lower tier. On top of that, those tiers only outline maximum penalties. Who actually decides what the penalty of a GDPR violation will be?

Your fine will be determined and enforced by the supervisory agency in your EU member state. Each country or member state has its own agency to enforce GDPR, and that is who you will answer to if you are not GDPR compliant.

How does Brexit affect the GDPR?

Does the UK’s departure from the EU mean that the GDPR no longer applies to people in the UK? Technically, yes, but the UK has taken other measures to protect its citizens.

As we noted, each country has its own supervisory agency to enforce GDPR. The UK GDPR supervisory authority is the Information Commissioner’s Office, or the ICO. This office enforces other legislation related to data privacy too.

In 2018, the UK implemented the GDPR by adopting its own Data Protection Act 2018. Because this act is now part of UK law, it’s still in place and enforceable even as the UK is no longer part of the EU. ICO penalties and ICO fines for GDPR violations like a privacy breach in the UK are just as enforceable as GDPR penalties in other countries.

Are GDPR fines different for individuals compared to businesses?

GDPR is primarily a concern for businesses because they’re more likely than individuals to be collecting data from users online. But individuals can have sites or apps that do this too. If businesses’ fines are based on their global turnover, how are individuals’ EU GDPR fines determined?

GDPR personal fines carry the same maximum amount as company fines, but they’re typically based on the individual’s income rather than revenue. Of course, the fine is still up to the discretion of the supervisory authority in their EU member state.

How many GDPR fines have been issued?

The fines for GDPR violations sound shockingly high, which has left many businesses wondering how often they’re actually put into practice. How many GDPR fines have been issued?

There is no official number, and unsurprisingly, the number of fines issued can change on a daily basis. As of the time of publishing this article, in the fall of 2021, some enforcement trackers have over 800 fines and violations listed since the law took effect in 2018.

Many of these fines are far below the maximum amount for even the lower tier of violations, but some fines have reached overwhelming heights. As of September 2021, the highest known GDPR fine since the law’s implementation was issued to Google for the sum of €746 million.

How to protect yourself from GDPR fines

GDPR penalties are high enough to bankrupt many companies and individuals or at least cause severe financial hardship. How can you make sure you’re meeting all the criteria to be GDPR compliant?

The best way to do this is with the help of a GDPR compliance tool. This tool scans your system and identifies GDPR criteria that you already meet while giving you a clear report on what you may be missing so you’ll know exactly what to do to reach full compliance.
