For the lower tier of infringements (Article 83(4)), the GDPR sets forth fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher; the higher tier (Article 83(5)) doubles both figures.
GDPR penalties and fines
Now that the Brexit transition period has ended, there are two versions of the GDPR (General Data Protection Regulation) that UK organisations might need to comply with:
- The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
- The EU GDPR, which continues to apply to the processing of EU residents’ personal data.
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.