Are GDPR Fines Out of Control? Let’s Find Out

With record-breaking GDPR fines hitting headlines, it’s fair to ask—has enforcement gone too far? We dig into the data and trends to uncover what’s really driving the spike in penalties.

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s a long, winding set of laws that essentially tighten data protection protocols for any business dealing with EU-citizen data. Plus, it gives those same citizens a whole bunch of new powers over their data, even if it’s on a faraway company’s server.

The GDPR was primarily designed for two purposes: to offer users more control over their data, and to provide more transparency in the data collection process. According to the European Union, the new set of laws “regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.” The data protection requirements apply to any individual or company that uses another party's data “outside the personal sphere, (such as) for socio-cultural or financial activities”.

Our very own blog post, GDPR explained in five minutes, will guide you through the rest of the legislation.

The need for GDPR compliance

The impetus behind the call for GDPR compliance comes down to the one idea that, without it, no business transaction could ever take place: Trust. The GDPR seeks to ensure that customers can trust businesses to protect their sensitive data, maintain transparency about what they do with that data, and, in the event of a security breach, that the customers are informed of the breach in a timely manner.

GDPR fines: How much are we talking here?

Companies can be fined for GDPR violations on one of two levels.

Lower-level violations can merit a fine of €10 million or two percent of the violator's worldwide annual revenue, whichever is higher. That's revenue, as in income before expenses. A more serious violation can result in a fine of €20 million, or four percent of the violator's annual revenue — again, whichever is higher. Individuals can also face fines for GDPR violations if they use other parties' personal data for anything other than personal purposes.

The fines for GDPR violations promise to be among the harshest levied against any industry for any breach of the public trust. Here’s why:

How GDPR fines are calculated

Article 83 of the GDPR outlines how the fines will be calculated prior to assessing the penalties to violators. The ten major criteria that authorities will use to determine fines will include:

1. Did the offender meet the standards for data protection certifications?
2. Did the offender cooperate with authorities investigating the data breach?
3. What type of personal data was accessed due to the breach?
4. Did the offender have a history of allowing such data breaches?
5. Was the data breach due to the offender's negligence or intentional action?
6. What actions did the offender take to mitigate the damage?
7. What was the nature and extent of the damage caused by the data breach?
8. When did the offender notify the regulatory authorities and the affected parties about the data breach?
9. What preventative measures did the offender take prior to the data breach?
10. What other mitigating circumstances were involved in the data breach?

The true impact of GDPR fines

The impact that a significant GDPR fine can have on a firm's bottom line can be devastating, even for some of the world's biggest companies. In the case of a firm that commits the most egregious violations, as listed above, the effect of a fine totaling up to four percent of annual revenue can cause the company's profit numbers to go from black to red in an instant.

Gavin Millard, EMEA technical director of the data security firm Tenable, told InfoSecurity Magazine that the firms with the highest revenues face the possibility of the highest fines, as “the larger the revenue, the larger the risk, and the larger the fines”.

As an example of what these firms could face, an article in Digital Guardian examined what the impact would have been if GDPR had been in effect during the 2025 data breach of Hilton Hotels. In November 2017, the New York Attorney General's Office fined Hilton $700,000 for a breach involving data from 350,000 customers, an average of $2 per record. Under GDPR, the fine could have been as high as $420 million.

Preparing for GDPR compliance

With just a few months to go before these rules go into effect, companies that handle EU-based clients are scrambling to meet GDPR standards. The key to ensuring GDPR compliance lies in asking the right questions, such as:

• Do third parties have access to our customer data?
• If so, what preventative measures are they taking to protect that data?
• What protections do we have against data breaches?
• If a data breach occurs, can we detect it?
• What data protection training do we have for our employees?
• Can we process data deletion requests?
• How can we manage user consent in ways that are GDPR-compliant?

GDPR: Prevention is better (and cheaper) than cure

The prospect of facing stiff fines for failing to comply with such strict rules may cause companies to fear the new regulations. While the fines can have a serious impact of a firm's bottom line, many companies are looking at the new rules as an opportunity, rather than a threat. These companies see the chance to step up their data security methods as a means to protect both themselves and their customers.

Companies who comply with the new GDPR rules can earn higher levels of trust from their customers, their investors, and the market at large. While the efforts to remain in compliance can be stressful and expensive, the investment of time and effort into maintaining compliance will save companies from the damage of fines, lawsuits, and damage to their reputations.