Organizations that fail to comply with the European Union’s General Data Protection Regulation (GDPR) standards for data protection, data security, and data processing can face steep fines.

GDPR compliance means that every organization doing business with citizens of the European Union (EU) must adhere to strict rules to safeguard the personal data and privacy.

The GDPR’s goal is to offer a set of uniform data protection legislation across all member nations. This simplifies policies so that EU citizens can understand how businesses use their information, and so that they can file complaints about abuses, even if the EU citizen is not in the country where the data is stored.

Under GDPR enforcement, fines are administered by the data protection authorities of each EU country. In addition, these data protection authorities determine whether violations have occurred and the severity of possible GDPR penalties.

What Are the Fines for Not Complying with GDPR?

There are two tiers of administrative fines levied on data controllers and data processors as penalties for non-compliance.

A lower-level violation can warrant a fine of up to €10 million (U.S. $11.03 million) or 2 percent of the company’s global annual revenue, whichever is greater. For more egregious violations the maximum fine is up to €20 million (U.S. $22.07 million) or 4 percent of global annual revenue, whichever is greater.

Lower-tier fines are usually levied on companies that:

  • Don’t have data protection policies in place;
  • Don’t cooperate with data regulators;
  • Haven’t assigned data protection officers within their organization;
  • Don’t inform data subjects when their data is compromised;
  • Don’t keep adequate records of the information they process.

The higher-tier fines are typically imposed on organizations that commit the most severe GDPR violations, including:

  • Breaching the data and privacy rights of EU data subjects;
  • Not following the basic principles of data protection;
  • Refusing to comply with the demands and requests of data regulators, such as not complying with previous warnings or orders on processing data.

GDPR fines for non-compliance are discretionary, not mandatory. The regulators consider whether the GDPR violation was intentional, how many data subjects were affected, and whether the controller or processor had any previous violations.

A supervisory authority, such as Britain’s Information Commissioner’s Office, can also take other measures if it determines there has been or likely will be a data breach. These actions include warnings, reprimands, and ordering companies to take corrective actions to assure that they comply with the GDPR.

How Are GDPR Fines Calculated?

As described in the official GDPR.EU website, the data protection authority of each country decides whether an infringement has occurred and how severe the penalty should be. The regulator uses the following 10 criteria to determine if and how much of a fine will be imposed.

Gravity and Nature

The supervisory authority will consider the number of data subjects harmed, the extent of their harm, the nature of the infringement, why and how the violation happened, and how long it persisted.


The case’s details will be investigated to determine whether the incident was deliberate or unintentional.


The supervisory authority will review whether the company took any steps to alleviate the harm caused by the violation.

Precautionary Measures

Current security measures will be evaluated to determine whether the organization exercised due diligence in implementing relevant technical and organizational procedures in compliance with the GDPR.


Any prior infringements will be investigated. These include violations under the Data Protection Directive (Europe’s previous data protection rule), compliance with past administrative remedial measures under the GDPR, and other data protection laws outside the EU.


The level of cooperation displayed by the organization with the supervisory authority to repair the violation and to limit the potential consequences will be reviewed and examined.

Data Category

The types of personal and sensitive data that the infraction has involved will help determine the severity level.


The details of the incident will be evaluated to determine whether the organization made sufficient efforts to notify the supervisory authority and affected data subjects in a timely fashion about the breach.


If an organization was previously certified for its information security measures, the investigation should determine whether the business adhered to established standards and regulations.

Aggravating and Mitigating Factors

Other factors include any additional complexities arising from the case’s circumstances, such as financial gains earned or losses saved due to the infringement.

How ZenGRC Helps with GDPR Compliance

Understanding how to secure personal data properly is complex. This is especially true in the United States, where privacy is protected by a patchwork of state and federal laws. It is your organization’s obligation, however, to adhere to all of them.

With regulatory compliance and ever-changing data threats, the process of risk and compliance management can be daunting. Still, you can’t let that keep you from implementing the necessary data privacy controls. You can protect your company from harsh penalties by exhibiting due diligence over information security measures.

ZenGRC’s governance, risk management, and compliance software is intuitive and simple to use. It streamlines evidence management, workflows, and reporting for risk management and regulatory compliance.

Workflow management features offer easy tracking, automated reminders, and audit trails. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.

Zen’s easy-to-use dashboard and templates provide a comprehensive picture of your compliance status for many frameworks, such as HIPAA, NIST, SOX, and the GDPR. Cross-mapping common requirements across these regulations simplifies evidence collection and reduces the workload on your team. In addition, it identifies where gaps exist and how to address them.

ZenGRC adapts to changing compliance standards in real-time, so you don’t have to. Schedule a demo today to see how ZenGRC can help you achieve compliance.