Skip to content
Go to GoCardless homepage
Pricing
LoginSign up

Maximum Fine for a GDPR Breach

GoCardless
Written by

Last editedSep 20212 min read

With GDPR now in full effect, many businesses across the EU and beyond are waking up to the reality that they can and will be fined for data protection breaches. But despite the prominence of GDPR, many are still unsure about the extent and potential impact of penalties. What is the maximum fine for a GDPR breach in the UK, and is there any way to appeal? Find out everything you need to know with our simple guide.

Does every breach of GDPR result in a fine?

No, every breach of GDPR does not result in a fine. GDPR’s supervisory authorities, such as the UK’s ICO or France’s CNIL, can take a range of actions. These include:

  • Warnings and reprimands

  • Permanent or temporary bans on data processing

  • Suspending data transfer to third countries

  • Restriction, rectification, or erasure of data

Of course, if your organisation has committed a serious breach of GDPR standards, then fines will be levied by supervisory authorities.

What is the maximum fine for breaking GDPR?

There are two main tiers of fines resulting from GDPR non-compliance:

  1. 2% of annual global turnover from the preceding year, or up to €10 million (whichever is greater)

  2. 4% of annual global turnover from the preceding year, or up to €20 million (whichever is greater)

So, as the maximum fine for a GDPR breach can be up to 4% of your business’s annual global turnover, penalties imposed on large corporations can run to hundreds of millions of euros.

What GDPR fines have been levied so far?

Hundreds of fines have already been levied against businesses. These fines are mostly for minor infractions, and as a result, don’t often rise above a few thousand euros. However, there have been a couple of instances where significant penalties have been issued. In July 2019, ICO announced their intention to fine British Airways £183.39 million (the largest GDPR fine to date) for breaches of the data protection law. This stemmed from an attack on BA’s website, where around 500,000 customer records were leaked to a malicious third-party as a result of substandard cyber security procedures.

How are GDPR fines determined?

Numerous factors are considered when determining whether a fine should be imposed and to what extent. Article 83 of the GDPR data protection rules indicates that the following factors should be taken into account:

  • Severity, nature, and duration of the infringement

  • Whether the infringement was intentional or caused by negligence

  • Whether the organisation has committed any previous infringement

  • Whether any action was taken by the organisation to mitigate the damage

  • The organisational and technical measures that have been implemented by the organisation

  • Whether the organisation cooperated with regulators to remedy the infringement

  • The type of personal data that was involved

  • How the infringement became known to regulators (i.e. whether the organisation notified them)

  • Adherence to approved certification schemes or codes of conduct

If an organisation is found to be negligent, there’s a chance that the maximum fine for a GDPR data breach will be levied.

Can GDPR fines be appealed?

Appealing GDPR fines is a complex process, but it is possible. If your business has been hit with the maximum fine for breaking GDPR, then appealing is probably a good idea, as it may result in a decreased fine, or at least a longer amount of time to pay back the fine. In the UK, the Data Protection Act (DPA) provides rights of appeal against decisions made by ICO. You can appeal the amount of the fine or the fact that the penalty was issued in the first place.

The appeals process is relatively simple. You’ll need to make your appeal within 28 days of receiving the penalty notice. ICO will have 28 days to respond, and you’ll then have a further 14 days to provide further evidence or arguments. Your hearing will be attended by a judge, and if you’re not satisfied with the result of the hearing, you can appeal the decision to an Upper Tribunal.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Over 70,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.

Get StartedLearn More

Interested in automating the way you get paid? GoCardless can help

Contact sales