What happens if you break GDPR law? Penalties, enforcement, and how fines work

by SecureSlate Team in GDPR

GDPR (the General Data Protection Regulation) reshaped data privacy expectations across Europe and beyond. Between its adoption in 2016 and its full enforcement in 2018, many organizations invested heavily to “get compliant”—because the consequences of GDPR non-compliance can be financially and operationally severe.

If you’re asking what happens if you break GDPR law, the short answer is: GDPR is primarily enforced through administrative action and monetary fines (not criminal charges in most cases), plus corrective measures that can materially disrupt how your business operates.

This guide covers:

  • The two tiers of GDPR fines (and what triggers each)
  • Who enforces GDPR and who issues fines
  • How UK GDPR works post-Brexit (and the ICO’s role)
  • What typically influences the size of a fine
  • A practical way to reduce your risk (with owners + evidence)


Key takeaways

  • GDPR penalties can be large—and scale with your business. Fines can be based on global annual turnover, not just EU revenue.
  • There are two fine tiers, but real outcomes depend on facts. Regulators consider severity, intent, history, and whether you acted quickly to remediate.
  • Enforcement is local (by member state), with EU-level guidance. Supervisory authorities lead investigations, while the EDPB helps align approaches.
  • UK GDPR is still enforceable after Brexit. The ICO can investigate and issue penalties under the UK’s data protection regime.
  • The best defense is operational, not cosmetic. Clear ownership, evidence, and repeatable workflows (DSARs, incident response, vendor control) reduce risk.

What are the GDPR penalties for violating the law?

GDPR is enforced with administrative measures and monetary penalties rather than “GDPR criminal charges” as a default enforcement path. The fines, however, can be significant.

GDPR defines two tiers of maximum administrative fines, depending on the nature and severity of the violation:

  • Lower tier (Article 83(4)): up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
  • Higher tier (Article 83(5) and 83(6)): up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher

Here’s a simplified way to think about it:

  • Lower tier (€10M or 2% of global turnover): infringements of the controller and processor obligations in Articles 8, 11, 25 to 39, 42 and 43, such as data protection by design and default, records of processing, security of processing, breach notification, DPIAs and DPO duties, plus the obligations of certification and monitoring bodies.
  • Higher tier (€20M or 4% of global turnover): infringements of the basic processing principles including the conditions for consent (Articles 5, 6, 7 and 9), data subject rights (Articles 12 to 22), international transfers (Articles 44 to 49), member state law adopted under Chapter IX, and failure to comply with an order or processing limitation issued by a supervisory authority under Article 58(2).

Important nuance: these are maximums. Many published fines are below the maximum—especially when organizations demonstrate good-faith remediation and cooperation.


What determines the amount of a GDPR fine?

Not every GDPR violation results in the same outcome. Regulators typically weigh factors like:

  • Severity and scope: what happened, how many people were impacted, and for how long
  • Nature of the data: whether the incident involved more sensitive categories of personal data
  • Intent and negligence: whether the issue appears accidental, reckless, or deliberate
  • Mitigation and response: how quickly you contained impact, notified where required, and fixed root causes
  • History: previous violations or ignored warnings can increase regulatory scrutiny
  • Cooperation: transparency and responsiveness during an inquiry often matter

Practically, this is why “paper compliance” breaks down: during a real incident, you need to prove what you did and when you did it.


Who enforces the GDPR?

GDPR applies across the EU, but enforcement is typically handled by each EU member state’s supervisory authority.

For cross-border processing, regulators coordinate (and a “lead supervisory authority” model may apply). To keep approaches aligned, the European Data Protection Board (EDPB) provides guidance and helps promote consistent enforcement across the EU.

For organizations with no establishment in the EU, the one-stop-shop mechanism does not apply: the supervisory authority of any member state where affected data subjects are located can act, and regulators may address the organization's EU representative appointed under Article 27. Non-EU organizations that do have an EU establishment are handled like any other controller, with the lead authority determined by where their main establishment is.


Who chooses and issues fines for a GDPR violation?

The supervisory authority in the relevant EU member state typically determines whether a fine is appropriate and, if so, what amount to issue (within the regulation’s upper limits).

That means the “who” is usually a national data protection authority, not a single centralized EU enforcement agency.


How does Brexit affect the GDPR?

Brexit changed how the GDPR applies in the UK, but it did not remove the UK’s data privacy obligations.

  • The UK has its own regime, UK GDPR: the EU text as retained in UK law at the end of the transition period, read together with the Data Protection Act 2018.
  • The UK's supervisory authority is the Information Commissioner's Office (ICO).
  • UK GDPR keeps the same two-tier structure, with caps set in sterling: up to £8.7 million or 2% of annual worldwide turnover, and up to £17.5 million or 4%, whichever is higher.

In practice: if you process personal data in or about the UK, you should treat UK GDPR and ICO enforcement as real operational constraints, not theoretical ones.


Are GDPR fines different for individuals compared to businesses?

GDPR is most often discussed in the context of organizations, but individuals can also be subject to enforcement when they act as a controller or processor outside purely personal or household activity (the Article 2(2)(c) exemption), depending on the facts of the case.

The regulation’s maximum fine amounts are the same in principle, but for individuals, supervisory authorities may consider personal income and circumstances rather than business turnover when assessing proportionality.


How many GDPR fines have been issued?

There isn’t one official “live total” that stays current everywhere, and the number changes frequently as new decisions are published.

Historically, public enforcement trackers and regulator announcements have shown that:

  • Many fines are well below the maximum tiers
  • Some fines have reached very large amounts, typically tied to high-profile cases and large organizations

Instead of focusing only on “the biggest fine,” it’s more useful to focus on the pattern: recurring failures around lawful basis, transparency, security measures, data subject rights handling, and vendor oversight tend to drive enforcement outcomes.


How to protect yourself from GDPR fines (practical steps)

The most reliable way to reduce GDPR penalty risk is to build a program you can execute under stress: clear owners, repeatable workflows, and evidence that stays current.

Here’s a practical, operations-first checklist:

  1. Map your personal data flows (systems, subprocessors, support channels, exports, analytics).
  2. Document your lawful basis per processing activity (and verify it matches actual product behavior).
  3. Harden your DSAR workflow (requests, identity verification, timelines, exceptions, evidence).
  4. Set vendor and subprocessor governance (inventory, due diligence, DPAs, and review cadence).
  5. Implement security controls with proof (access control, MFA, logging, encryption where appropriate, backups).
  6. Rehearse incident response + breach assessment (decision logs, timelines, notification templates).
  7. Create a “change trigger” process (new product features, new vendors, new regions → revisit risk and notices).
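Steps 3 and 6 both turn on statutory clocks: Article 33(1) gives 72 hours from becoming aware of a breach to notify the supervisory authority (a later notification must carry reasons for the delay), and Article 12(3) gives one month from receipt of a data subject request, extendable by two further months. The following is an added example, not code from the article or from SecureSlate, showing how a workflow can compute those deadlines and keep the timestamped decision log that an inquiry will ask for. The month-end rule (31 January plus one month lands on the last day of February) is the ICO's published reading of "one month" and is assumed here; all function names and the sample timestamps are constructed for the example.

```python
"""Deadline tracking for the GDPR breach-notification and DSAR clocks, with a
decision log for the evidence trail.

Added example, not from the original article. Article references are GDPR's
own; the month-end rule in add_months is the ICO's reading of "one month" and
is assumed here, as are all names and the constructed sample data.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Art. 33(1): "where feasible, not later than 72 hours after having become aware"
BREACH_WINDOW = timedelta(hours=72)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    Naive timestamps are rejected: an ambiguous "became aware" time is exactly
    the kind of gap a regulator will ask about.
    """
    moment = datetime.fromisoformat(stamp)
    if moment.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {stamp!r}")
    return moment.astimezone(timezone.utc)


def add_months(moment: datetime, months: int) -> datetime:
    """Add calendar months; when the target month is shorter, clamp to its last
    day (31 Jan + 1 month -> 28/29 Feb). Assumed: ICO's reading of 'one month'."""
    year = moment.year + (moment.month - 1 + months) // 12
    month = (moment.month - 1 + months) % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def breach_notification_deadline(aware_at: str) -> str:
    """Art. 33(1): 72 hours from the moment the controller became aware."""
    return (parse_utc(aware_at) + BREACH_WINDOW).isoformat()


def assess_notification(aware_at: str, notified_at: str) -> dict:
    """Was the authority notified inside the window? If not, Art. 33(1) requires
    the notification to be accompanied by reasons for the delay."""
    delay = parse_utc(notified_at) - parse_utc(aware_at)
    within = delay <= BREACH_WINDOW
    return {
        "hours_after_awareness": round(delay.total_seconds() / 3600, 2),
        "within_72h": within,
        "reasons_for_delay_required": not within,
    }


def dsar_deadline(received_at: str, extended: bool = False) -> str:
    """Art. 12(3): one month from receipt, or three months if the extension was
    invoked (the extension must itself be communicated within the first month)."""
    return add_months(parse_utc(received_at), 3 if extended else 1).date().isoformat()


@dataclass
class IncidentClock:
    """One breach tracked against its Art. 33 deadline, plus a timestamped
    decision log: the record of what you decided and when."""

    aware_at: str
    log: list[tuple[str, str]] = field(default_factory=list)

    def record(self, at: str, decision: str) -> None:
        parse_utc(at)  # validate the timestamp before it enters the record
        self.log.append((at, decision))

    def hours_remaining(self, now: str) -> float:
        remaining = parse_utc(self.aware_at) + BREACH_WINDOW - parse_utc(now)
        return round(remaining.total_seconds() / 3600, 2)

    def status(self, now: str) -> str:
        return "overdue" if self.hours_remaining(now) < 0 else "on_track"


if __name__ == "__main__":
    # Constructed sample: a breach discovered late on a Friday evening, in UTC.
    clock = IncidentClock(aware_at="2024-01-31T22:15:00+00:00")
    clock.record("2024-01-31T22:40:00+00:00", "Risk to data subjects assessed as likely: notify")
    print("notify by", breach_notification_deadline(clock.aware_at))
    print("hours left", clock.hours_remaining("2024-02-02T22:15:00+00:00"))
    print("DSAR received 31 Jan due", dsar_deadline("2024-01-31T09:00:00+00:00"))
```

The functions take and return ISO 8601 strings so that the same values can be written straight into the decision log and notification template; naive timestamps are refused rather than silently assumed to be local time, because the awareness time is the fact every later deadline is measured from.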

If you want a structured “start here” approach, use:


Make GDPR compliance easier with SecureSlate

GDPR compliance gets dramatically easier when it’s treated like an operating system: defined control owners, recurring workflows, and audit-ready evidence that stays current as your stack and vendors change.

SecureSlate helps teams:

  • Centralize policies, control ownership, and compliance evidence in one place
  • Track vendors/subprocessors with review cadences and accountability
  • Run repeatable workflows (access reviews, policy acknowledgements, DSAR checklists)
  • Maintain a clear proof trail for audits, customer reviews, and regulator questions

Get started for free to see how SecureSlate turns GDPR requirements into clear, repeatable execution.


FAQ

Is breaking GDPR a criminal offense?

GDPR enforcement is typically administrative (regulator investigations, corrective measures, and monetary fines). Criminal enforcement—when it occurs—usually comes from separate national laws and specific facts (not GDPR as the default mechanism).

What is the maximum GDPR fine?

There are two tiers: up to €10M or 2% of global annual turnover, or up to €20M or 4% of global annual turnover (whichever is higher).

Who enforces GDPR?

Each EU member state has a supervisory authority that enforces GDPR. The EDPB provides EU-level guidance to help align enforcement.

Does GDPR apply to U.S. companies?

Often, yes—if you offer goods/services to people in the EU/EEA or monitor their behavior. For a practical walkthrough, see: GDPR compliance for U.S. companies: a step-by-step guide.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to GDPR, UK GDPR, and related regulations, you should consult a licensed attorney.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under: GDPR
