How Much Will Your Company Pay in GDPR Penalties in 2018?

Posted by Laura Mauersberger on August 30, 2017
The General Data Protection Regulation will be enforced globally on May 6, 2018. Technically, your enterprise has until then to comply with the strict regulations. We’ve outlined the 6 major changes that the GDPR will bring to your company in this previous blog post. Even if your company is not located within the European Union, if you process the personal data of European citizens, your company must comply (see Art. 3 GDPR).

The focus of today’s blog is on GDPR penalties for failure to comply.

The projected penalties for noncompliance are very steep. Here is the penalty breakdown within the regulation:

Fine: 10,000,000 Euros or 2% of your company's global turnover, for offenses related to:

  • Child consent;
  • Data processing, security, storage, breach, breach notification;
  • Transfers related to appropriate safeguards and binding corporate rules; and
  • Transparency of information and communication.

Fine: 20,000,000 Euros or 4% of global turnover, for offenses related to:

  • Consent;
  • Data processing;
  • Data subject rights;
  • Non-compliance with GDPR order; and
  • Transfer of data to a third party.


Which penalty applies to my organization?

If you fail to comply with any of the GDPR regulations, the penalty will be whichever number is greater: the base fine or the percentage of global turnover. Global turnover covers all sales of the company, net of taxes. The GDPR also authorizes penalties in the event of both material and nonmaterial damages.

Security fines before and after GDPR

Just to give a comparison, here are two cases of fines imposed by the Information Commissioner's Office (ICO) on companies that failed to protect the data of their customers:

TalkTalk's 2016 fine of €435,000 for security failings that allowed hackers to access customer data would rocket to €64m under GDPR in 2018. Pharmacy2U's fine of €140,000 would balloon to €47.8m under the new regulation.

Fines given to SMEs could be hefty enough to permanently close down operations. It will be much cheaper to prepare your company for the impending regulation than to pay millions in fines for each offense.

GDPR is coming. Is your company ready? Take our GDPR readiness quiz