Breadcrumb

Maximum Fine for a GDPR Breach

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedApr 20232 min read

With GDPR now in full effect, many businesses across the EU and beyond are waking up to the reality that they can and will be fined for data protection breaches. But despite the prominence of GDPR, many are still unsure about the extent and potential impact of penalties. What is the maximum fine for a GDPR breach in the UK, and is there any way to appeal? Find out everything you need to know with our simple guide.

No, every breach of GDPR does not result in a fine. GDPR’s supervisory authorities, such as the UK’s ICO or France’s CNIL, can take a range of actions. These include:

Warnings and reprimands
Permanent or temporary bans on data processing
Suspending data transfer to third countries
Restriction, rectification, or erasure of data

Of course, if your organisation has committed a serious breach of GDPR standards, then fines will be levied by supervisory authorities.

There are two main tiers of fines resulting from GDPR non-compliance:

2% of annual global turnover from the preceding year, or up to €10 million (whichever is greater)
4% of annual global turnover from the preceding year, or up to €20 million (whichever is greater)

So, as the maximum fine for a GDPR breach can be up to 4% of your business’s annual global turnover, penalties imposed on large corporations can run to hundreds of millions of euros.

Hundreds of fines have already been levied against businesses. These fines are mostly for minor infractions, and as a result, don’t often rise above a few thousand euros. However, there have been a couple of instances where significant penalties have been issued. In July 2019, ICO announced their intention to fine British Airways £183.39 million (the largest GDPR fine to date) for breaches of the data protection law. This stemmed from an attack on BA’s website, where around 500,000 customer records were leaked to a malicious third-party as a result of substandard cyber security procedures.

Numerous factors are considered when determining whether a fine should be imposed and to what extent. Article 83 of the GDPR data protection rules indicates that the following factors should be taken into account:

Severity, nature, and duration of the infringement
Whether the infringement was intentional or caused by negligence
Whether the organisation has committed any previous infringement
Whether any action was taken by the organisation to mitigate the damage
The organisational and technical measures that have been implemented by the organisation
Whether the organisation cooperated with regulators to remedy the infringement
The type of personal data that was involved
How the infringement became known to regulators (i.e. whether the organisation notified them)
Adherence to approved certification schemes or codes of conduct

If an organisation is found to be negligent, there’s a chance that the maximum fine for a GDPR data breach will be levied.

Appealing GDPR fines is a complex process, but it is possible. If your business has been hit with the maximum fine for breaking GDPR, then appealing is probably a good idea, as it may result in a decreased fine, or at least a longer amount of time to pay back the fine. In the UK, the Data Protection Act (DPA) provides rights of appeal against decisions made by ICO. You can appeal the amount of the fine or the fact that the penalty was issued in the first place.

The appeals process is relatively simple. You’ll need to make your appeal within 28 days of receiving the penalty notice. ICO will have 28 days to respond, and you’ll then have a further 14 days to provide further evidence or arguments. Your hearing will be attended by a judge, and if you’re not satisfied with the result of the hearing, you can appeal the decision to an Upper Tribunal.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.