July 24, 2024
How Much Do GDPR Violations Cost?
For organizations weighing the risk of non-compliance with the GDPR, it's important to understand how much a violation can cost.

GDPR compliance has many benefits of its own: access to European markets, increased consumer trust, and an overall decrease in anxiety and uncertainty. It can also be a requirement for receiving funding from investors. For many organizations, however, GDPR compliance is not so much about enjoying the positive benefits as it is about avoiding the negative consequences of non-compliance, i.e., fines.

For those organizations weighing the risks and benefits of non-compliance, it’s important to understand the potential costs of GDPR fines, how those fines are calculated, and how prevalent enforcement is.

Administrative Fines

Article 83 of the GDPR gives member states the authority to enforce the privacy law through administrative fines. The fines are “administrative” because they are imposed directly by the supervisory authority (commonly called a data protection authority, or “DPA”) without any requirement to prosecute the case before a court. This makes for quicker, more efficient enforcement, though organizations are still entitled to appeal their cases to a traditional court.

The fines can be broken into two tiers: standard maximum fines and higher maximum fines.

Standard Maximum Fines

The standard maximum fine for GDPR violations is €10 million or 2% of the organization’s total annual worldwide turnover, whichever is higher. For the most part, this level of fines is imposed for failures to abide by the general responsibilities of controllers and processors, including:

Higher Maximum Fines

The higher tier of penalties allows for doubled maximum fines—€20 million or 4% of the organization’s total annual worldwide turnover, whichever is higher. These fines can be imposed for violations of:

  • The basic principles of data processing under the GDPR, including conditions for consent
  • Data subjects’ privacy rights
  • Rules regarding international transfers of personal data
  • Orders given by data protection authorities

How GDPR Fines Are Calculated

While the GDPR does not have a specific formula for calculating fines, it does identify a number of criteria that DPAs should take into consideration.

  • The nature, gravity, and duration of the violation, taking into account the nature, scope, or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the violation
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor, taking into account technical and organizational measures they’ve implemented
  • Any relevant previous violations by the controller or processor
  • The degree of cooperation with the supervisory authority
  • The categories of personal data affected by the violation
  • The manner in which the violation became known to the supervisory authority, in particular whether the controller or processor notified the authority of the violation
  • Compliance with previous orders from the DPA
  • Adherence to approved codes of conduct or certification mechanisms
  • Any other aggravating or mitigating factor applicable to the circumstances of the case

How Aggressive Is GDPR Enforcement?

A GDPR violation only has a cost if data protection authorities are actually enforcing it. Though it may come as a surprise, GDPR enforcement is quite robust. Each member nation’s DPA enforces the privacy law within its borders, and DPAs are targeting organizations of all sizes, from small websites to municipal governments to giant tech companies. The fines themselves range from tiny (as little as €50) to massive (Amazon Europe was fined €746 million in 2021). Though they vary based on the country and the organization, most fines fall somewhere between €1,000 and €100,000. You can see an up-to-date list of fines across Europe here.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.