GDPR Penalties & Fines | What's the Maximum Fine in 2023?

Administrative fines and other penalties for non-compliance with the UK General Data Protection Regulation and Data Protection Act 2018, and EU General Data Protection Regulation

GDPR penalties and fines

Now that the Brexit transition period has ended, there are two versions of the GDPR (General Data Protection Regulation) that UK organisations might need to comply with: 

  • The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and 
  • The EU GDPR, which continues to apply to the processing of EU residents’ personal data. 

Learn more about the differences between the UK GDPR and EU GDPR

The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.

The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.

However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

For comprehensive guidance and practical advice on complying with the GDPR, read our bestselling EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.

GDPR and Data Protection Act 2018 Staff Awareness E-learning Course

This GDPR staff awareness training course will help you meet the awareness-raising and staff training obligations in Article 39 of the GDPR by demonstrating that you are continually training your staff on their responsibilities. It covers:

  • An introduction to data protection and the GDPR.
  • What data confidentiality, integrity and availability are and how to maintain them.
  • Examples of personal data and best practices for protecting it.
  • How your organisation should meet its obligations.
  • An overview of the fundamental data protection principles and how to adhere to them.



What is the maximum fine for a GDPR breach?

There are two levels of GDPR fine:

Lower level of GDPR penalties

Fines of up to £8.7 million under the UK GDPR or €10 million under the EU GDPR, or 2% of annual global turnover – whichever is greater – can be issued for infringements of articles:

  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25 – 39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).

Higher level of GDPR penalties

Fines of up to £17.5 million under the UK GDPR or €20 million under the EU GDPR, or 4% of annual global turnover – whichever is greater – can be issued for infringements of articles:

 

Who gets the money from GDPR fines in the UK?

All fines collected by the ICO go to HM Treasury’s Consolidated Fund to be spent on health and social care, education, policing and justice, and the like.

The money collected from the annual data protection fee that data controllers must pay is used to fund the ICO’s work.

 

How are GDPR fines calculated?

GDPR fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

Any fine you might receive will depend on:

  • The type of infringement, how severe it was and how long it lasted;
  • Whether it was deliberate or accidental;
  • The action you took to reduce the damage to individuals (data subjects);
  • Your security measures;
  • Whether this is your first GDPR infringement;
  • How cooperative you were when fixing the issue;
  • The types of personal data involved;
  • Whether you notified the supervisory authority yourself; and
  • Whether you adhere to any approved codes of conduct or certification schemes.
 

Can an individual be fined under the GDPR?

Yes. The GDPR applies to any controller or processor, including an individual such as a sole trader, that processes personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

It does not apply to processing carried out by individuals “in the course of a purely personal or household activity”, so a private individual keeping a personal address book, for example, cannot be fined.

 

How to avoid GDPR fines and penalties

How personal data is processed and secured is the very essence of the GDPR. This is reflected in the action that the ICO and the European regulators have taken since the Regulation took effect.

The vast majority of GDPR fines have related to violations of Articles 5, 6 and 32.

  • Article 5 (data processing principles) states that personal data must be:
    • Processed lawfully, fairly and transparently.
    • Collected only for specific legitimate purposes.
    • Adequate, relevant and limited to what is necessary.
    • Accurate and, where necessary, kept up to date.
    • Stored only as long as necessary.
    • Processed in a manner that ensures appropriate security.
  • Article 6 (lawfulness of processing) states that personal data can only be processed:
    • If the data subject has given their consent.
    • To meet contractual obligations.
    • To comply with legal obligations.
    • To protect the data subject’s vital interests.
    • For tasks in the public interest.
    • For the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or rights of the data subject.
  • Article 32 (security of processing) requires data controllers and processors to implement “appropriate technical and organisational measures” to secure the personal data they process.

IT Governance has everything you need to help ensure your GDPR compliance, including help with:

  • Demonstrating that you have a lawful basis for processing;
  • Following the six data processing principles; and
  • Implementing appropriate technical and organisational measures to keep personal data protected.
 

GDPR fines so far

Since the Regulation took effect in 2018, supervisory authorities in the EEA and the UK have issued at least 865 administrative fines totalling over €1.4 billion (approximately £1.14 billion).

(Totals are approximate owing to currency fluctuations and the fact that not all supervisory authorities publish information about the action they have taken.)

You can learn about GDPR fines issued in the UK and across the EEA in our free 2021 GDPR Fines Report.

Find out:

  • The number and value of GDPR fines issued across the EEA and in the UK since the Regulation took effect;
  • The value of the fines issued each year since the GDPR took effect;
  • The most common types of breach that resulted in fines;
  • A full list of known GDPR fines issued in 2021; and
  • Information about the organisations that have been fined.


 
 

Free GDPR resources

GDPR – A compliance guide - free pdf download

Ensuring your organisation is GDPR compliant will reduce your risk of incurring an administrative fine.

Learn what you need to do to avoid GDPR breach fines with our free green paper – EU General Data Protection Regulation – A compliance guide.



Free download: 2021 GDPR Fines Report

In our free report, you can learn about GDPR fines issued in the UK and across the EEA.


 

Achieve GDPR compliance with our all-in-one solutions

Whether you’ve just started your implementation project or are already on the way to compliance, our cost-effective solutions will help streamline your GDPR project.


Suffered a data breach? The clock is ticking

The GDPR requires you to notify the ICO (or the relevant EU supervisory authority) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay.
Act fast with our Data Breach Management Service to ensure you fulfil the Regulation’s breach notification requirements quickly and efficiently.


Don’t get caught out: meet your compliance objectives today

As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.

Don’t take the risk. Whether you need an outsourced DPO (data protection officer), help creating GDPR-compliant documentation, or staff awareness training, our range of products and services can help you meet your GDPR compliance objectives.
