Short answer: A breach of the UK GDPR can have serious consequences, including fines of up to €10 million or 4% of the organisation’s global annual turnover, whichever is higher. In addition, organisations may be required to change their data processing practices, receive official warnings, and face potential public criticism.
What happens if you breach GDPR?
Violation of privacy legislation can lead to serious consequences for a company. This includes administrative fines, depending on your business and the degree of violation. In addition to financial penalties, a company can also suffer damage to its reputation and trust among customers and partners. If you are found to be acting in breach of the GDPR, there are some things you can do to reduce the consequences.
This blog is about what happens if you violate the GDPR after a data breach, how fines are set and what you can do as a company to reduce your liability.
Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?
Ponemon Institute
What is the financial penalty for breaching the GDPR?
The GDPR makes some violations more severe than others, with two tiers of fines:
- Minor GDPR offences can be fined up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, whichever is higher.
- Serious GDPR offences can be fined up to €20 million, or 4% of your company’s worldwide annual revenue from the preceding financial year, whichever is higher.
Let’s look at what types of violations fit into each of these categories, with references to the relevant GDPR articles so you can check your compliance.
What factors influence the size of a GDPR fine?
According to Article 83, potential fines can increase or decrease based on the following factors:
Your fines may increase based on:
- The nature, gravity, and duration of the infringement
- The intentional or negligent character of the infringement
- Previous infringements
- The categories of personal data affected by the infringement
- Any other aggravating factor
Your fines may decrease based on:
- Any actions you take to mitigate damage suffered by data subjects
- Any preventive technical and organisational measures you set up
- Whether you notified the supervisory authority of the infringement on time
- Whether you followed codes of conduct listed in Article 40
- Any other mitigating factor
Minor GDPR offences
The lower tier covers minor offences, including:
- Violating the rules on data protection, lawful basis for processing, etc., for data controllers (that’s your company!) and processors. So, monitor your own processes and vet any third-party services you use. (Articles 8, 11, 25-39, 42, and 43)
- Violations of the rules for certifying organisations to execute their evaluations and assessments with transparency and without bias. (Articles 42 and 43)
- Violations of the rules for monitoring bodies to handle complaints or reported infringements in an impartial and transparent manner. (Article 41)
These offences can be fined up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, whichever is higher.
Serious GDPR infringements
These higher fines apply to:
- Violations of the basic principles for data processing. For example, collecting or keeping data for purposes other than those you specified, storing inaccurate or out-of-date information about someone, keeping data too long, or processing sensitive data at all (except in special circumstances) could lead to major fines. (Articles 5, 6 and 9)
- Violations of the rules for consent. Make sure your consents are clear, explicit and freely given, then log them to prove it! (Article 7)
- Violations of data subject rights. This includes failure to respond to Data Subject Access Requests (DSARs) on time. (Articles 12-22)
- Transferring data outside of the EEA without first getting the approval of the European Commission, or without proper protection in transit. (Articles 44-49)
These offences can be fined up to €20 million, or 4% of your company’s worldwide annual revenue from the last fiscal year, whichever is higher.
Individual EU member states have the right to pass additional data protection laws if they are in accordance with GDPR principles (Chapter IX). Local supervisory authorities may also issue orders to a specific company. Violating either of these local laws or a direct order from a supervisory authority is a serious offence that carries a large fine.
On top of administrative fines, individuals can sue for additional damages if the GDPR violation caused them material or non-material harm. (Article 82)
GDPR fine examples
Let’s look at two real-life examples of GDPR fines and how you can avoid similar fines.
Example #1: Capio St. Göran’s Hospital €2.9 million
A Swedish healthcare provider received a €2.9 million GDPR fine following an audit of one of its hospitals by the Swedish DPA. The company had neglected to carry out appropriate risk assessments and implement effective access controls, leading to too many employees having access to sensitive personal data.
How you can avoid GDPR fines like this one:
- Conduct a data protection impact assessment (DPIA) if you begin new and risky data collection/processing activities.
- Make sure you know which of your employees/departments have access to sensitive data.
- Restrict access to only those employees/departments who really need it.
Example #2: BBVA (Banco Bilbao Vizcaya Argentaria, S.A.) €5 million
A Spanish financial services company was fined €5 million: €3 million for sending SMS messages without obtaining consumers’ consent, and €2 million for a lack of transparency in its privacy policy, which failed to properly explain how it collected and used customers’ personal data.
How you can avoid GDPR fines like this one:
- Make sure you get clear, explicit, and freely given consent (then log it!) before using customer data for marketing activities, or anything else.
- Link your privacy policy to your consent pop-ups or any other time people give you their email address or other personal data on your website.
- Review your privacy policy and make sure it includes all the details required by GDPR Articles 13 and 14. Use our free privacy policy template to help you get started.
Distrust after GDPR breach
When a company breaks privacy rules, it can result in significant damage to its reputation and trust among both customers and business partners. Customers expect their personal data to be handled securely and responsibly, and any breach of this trust can lead to loss of customer relationships and negative publicity on social media and other platforms. In addition, partners and suppliers may be reluctant to cooperate with a company that shows a lack of respect for data protection, which can limit the company’s opportunities for growth and cooperation in the long term. In reality, the distrust resulting from a GDPR breach can have greater consequences for a company than a financial fine.
FAQ about GDPR fines
What are the most common causes of GDPR violations?
Lack of valid consent, inadequate data security, and failure to report data breaches are among the most common reasons.
How can organisations avoid GDPR breaches?
By implementing strong data protection policies, minimising the amount of GDPR-sensitive data, training staff, and regularly reviewing data processing practices.
What happens if an organisation doesn’t pay a GDPR fine?
Failure to pay can lead to further legal action and potentially more severe penalties.
How to reduce GDPR fines and distrust
To avoid fines, you must comply with the GDPR – that’s the fundamental requirement. It may sound simple, but in practice it can be complex, as the rules are extensive and constantly evolving.
That’s why many organisations choose to use software to make the job easier and more secure. At Safe Online, we’ve developed solutions that help you do just that – from secure sharing of personal data and automated consent management to efficient handling of data subject requests and mapping of sensitive information.
Our tools support the most critical processes involved in GDPR data handling:
DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.