
What Are The Penalties For Breaking The GDPR


The General Data Protection Regulation (GDPR) will become fully enforceable on 25th May. This will introduce new laws for Europe regarding data protection, replacing the current Directive 95/46 (‘The Data Protection Directive’). Non-compliance with the new legislation will result in stringent penalties.

Firstly, supervisory authorities will be given greater measures with which to enforce compliance, including investigative, corrective, authorisation and advisory powers. As globalisation continues to grow, cross-border investigations have become notably more common. As such, supervisory authorities have been given tools to encourage cooperation between one another, in order to enforce the GDPR effectively across all member states.

Serious penalties are to be served to anyone who fails to comply, with the intention of guaranteeing effective enforcement and a high level of compliance, in order to protect the data subjects, namely civilians, as well as to promote general awareness.

The penalties for non-compliance will depend on the nature of the infringement, rising to €20 000 000 or 4% of the total worldwide annual turnover, whichever is higher. Each case will be considered individually when deciding on the amount of the fine to be charged. Below is a list of parameters which will be taken into account when deciding whether or not a penalty should be imposed and when calculating the amount of a potential fine (article 83 GDPR).

  • Nature, gravity and duration of the infringement. The scope of the processing, the number of data subjects and the consequential damage are also taken into account;
  • Whether the infringement has an intentional or negligent character;
  • Whether the data controller or processor has taken mitigating measures;
  • Whether sufficient technical and organisational measures have been implemented;
  • Whether there is a history of infringements;
  • The degree of cooperation with the supervisory authority;
  • The categories of personal data involved in the infringement;
  • How the supervisory authority became aware of the infringement;
  • Whether there is a history of corrective measures;
  • Whether there is adherence to codes of conduct or approved certification mechanisms;
  • Whether there are any other aggravating or mitigating factors applicable.

With such serious fines being handed out, organisations are now taking seriously the need to handle the flow of personal data with a great deal of care. To avoid such high penalties, ensure that privacy governance has an important and permanent place in your organisation’s strategy.

PrivacyPerfect is a provider of privacy governance and data mapping tools, with thorough knowledge of European and national privacy legislation.