ISpectra Technologies
Scope & Enforcement · Guide · Updated Jun 2026 · 9 min read

GDPR Fines & Penalties: How Much Can You Be Fined?

GDPR penalties reach up to €20 million or 4% of global turnover. Here’s how the two tiers work and what drives the amount.


Few aspects of GDPR get as much attention as the fines — and for good reason. The penalties are large enough to affect even the biggest companies, and they shape how seriously organisations treat data protection. Understanding how they work helps you weigh risk and prioritise your GDPR compliance sensibly rather than fearfully.

This guide explains the two fine tiers, how regulators decide an amount, and the penalties beyond fines that often cost a business even more.

How big can GDPR fines get?

GDPR backs its rules with some of the largest penalties in data protection law. Fines come in two tiers, and in both the cap is set as a fixed euro amount or a percentage of global annual turnover — whichever is higher. That “whichever is higher” wording is what makes the penalties bite for the world’s biggest companies, because a percentage of global revenue can dwarf the fixed figure.

The largest fines issued so far have reached into the hundreds of millions of euros, so this is not a theoretical risk for organisations that handle personal data at scale.

The two fine tiers

The table summarises the structure before we look at how regulators actually decide an amount.

| Tier                    | Maximum fine                    | Typical breaches                                                                                  |
|-------------------------|---------------------------------|---------------------------------------------------------------------------------------------------|
| Lower tier (Art 83(4))  | €10m or 2% of global turnover   | Records of processing, security, breach notification, DPO and certification failures              |
| Higher tier (Art 83(5)) | €20m or 4% of global turnover   | Breaching the principles, lawful basis, consent, data subject rights and transfer rules           |

In both tiers the cap is whichever of the two figures is higher.


The lower tier explained

The lower tier — up to €10 million or 2% of global annual turnover — applies to more administrative or procedural failings. These include not keeping proper records of processing, inadequate security, failing to notify a breach in time, not appointing a Data Protection Officer where required, and certification or monitoring-body failures.

These are serious, but they are generally about how you run your data protection programme rather than the core rights of individuals.

The higher tier explained

The higher tier — up to €20 million or 4% of global annual turnover — is reserved for breaches that strike at the heart of the regulation. These include violating the core principles, processing without a lawful basis, mishandling consent, ignoring data subject rights, and unlawful international transfers.

In short, if you undermine the fundamental rights GDPR exists to protect, you face the top tier. This is where most headline fines sit.

How regulators decide the amount

A fine is never automatic. Article 83(2) sets out factors authorities must weigh to make penalties effective, proportionate and dissuasive. They consider the nature, gravity and duration of the breach, how many people were affected, and the damage suffered.

They also look at whether the breach was intentional or negligent, what you did to mitigate harm, and how mature your controls were — meaning two organisations with the same incident can receive very different penalties.

Factors that increase a fine

Several things push a penalty upward: clear intent or reckless negligence, a large number of affected individuals, sensitive (special category) data, a long-running breach, ignoring previous warnings, and any attempt to conceal what happened.

A history of prior infringements is particularly damaging, because it suggests the organisation has not learned from earlier failures.

Factors that reduce a fine

Equally, several things pull a penalty down: discovering and reporting the breach yourself, cooperating fully with the regulator, taking swift action to limit harm, having strong controls and documentation in place, and adhering to approved codes of conduct or certification schemes.

This is why accountability pays off so directly — the evidence that you took data protection seriously is exactly what a regulator weighs in your favour.

Fines are not the only penalty

Focusing only on fines understates the risk. Supervisory authorities also have corrective powers: they can order you to change or stop a processing activity, suspend data flows, or impose a temporary or permanent ban on processing.

For many businesses, being ordered to halt a core activity is more damaging than any fine, because it strikes directly at how the business operates.

Reputational and commercial damage

Beyond regulators, a serious breach or public fine carries reputational cost. Customers lose trust, enterprise deals stall during security reviews, and partners ask hard questions. For a B2B business, the loss of a single major contract can exceed the fine itself.

These second-order costs are harder to quantify but frequently outweigh the direct penalty, and they linger long after the regulator’s decision.

Compensation claims from individuals

GDPR also gives individuals the right to compensation for material or non-material damage caused by a breach of the regulation. This can be pursued individually or, increasingly, through collective and representative actions.

So a single incident can trigger a regulatory fine and civil claims from the people affected — a double exposure that is growing as privacy litigation matures.

Criminal penalties under national law

GDPR itself focuses on administrative fines, but it allows member states to add their own penalties, including criminal ones, for certain offences such as unlawfully obtaining or selling personal data.

The details vary by country, so the total exposure for a given act can include national criminal sanctions on top of the GDPR fine.

How to reduce your exposure

The most effective way to limit fine risk is to take the factors regulators reward and build them in: maintain strong, documented security and governance; keep accurate records of processing; have a tested breach-response plan that meets the 72-hour deadline; and respond to rights requests reliably.

If an incident does occur, self-report promptly, cooperate fully, and act quickly to limit harm. That combination consistently produces materially lower penalties.

Why prevention beats penalties

Every euro spent on a credible data protection programme reduces both the likelihood of a breach and the size of any resulting fine. Regulators explicitly reward organisations that can show they took reasonable steps, so the investment protects you twice over.

Viewed this way, compliance is not a cost centre but insurance — and one of the few kinds of insurance that also wins you customer trust.

How ISpectra helps

ISpectra Technologies helps organisations reduce fine exposure by building the controls, records and response capabilities that regulators look for — and by demonstrating the good-faith GDPR compliance that turns a potential disaster into a manageable incident.

A short assessment will show you where your biggest penalty risks lie and how to close them efficiently.

In one paragraph

GDPR fines run in two tiers — up to €10 million or 2% of global turnover for administrative failings, and up to €20 million or 4% for breaching the core principles, lawful basis, rights or transfer rules — always “whichever is higher”. Regulators weigh the gravity of the breach, intent, mitigation and your controls, so strong, documented compliance and a prompt, cooperative response materially reduce any penalty. And fines are only part of the picture: corrective orders, reputational harm and compensation claims often cost more, which is why prevention always beats penalties.


Enforcement trends to watch

Two trends are clear in how GDPR is enforced. First, regulators increasingly target foundational failures — processing without a valid lawful basis, weak consent, and unlawful international transfers — rather than just security lapses, which pushes more cases into the higher fine tier.

Second, enforcement is becoming more coordinated and ambitious, with national authorities and the EDPB aligning on big cross-border cases and showing willingness to issue very large penalties. The practical lesson is to make sure your privacy fundamentals — not only your security — are demonstrably sound, because that is where scrutiny is heading.

GDPR Fines — Frequently Asked Questions

How much can you be fined under GDPR?
Up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. A lower tier reaches €10 million or 2%.

Which breaches fall into the higher tier?
Breaching the core principles, processing without a lawful basis, mishandling consent, ignoring data subject rights, and unlawful international transfers.

How do regulators decide the amount?
They weigh the gravity and duration of the breach, intent or negligence, the data involved, mitigation, your controls, cooperation and any previous infringements.

Can regulators impose penalties other than fines?
Yes. Authorities can issue warnings and reprimands, order changes, suspend data flows, or ban a processing activity entirely — sometimes more damaging than a fine.

Can individuals claim compensation?
Yes. People can claim compensation for material or non-material damage, individually or through collective actions, in addition to any regulatory fine.

How can you reduce your exposure?
Maintain strong documented controls and records, have a tested 72-hour breach plan, honour rights requests, and self-report and cooperate if an incident occurs.