The maximum fine a business can receive for a GDPR breach is 4% of their annual turnover or £17.5m, whichever is higher. Financial penalties are decided by the Information Commissioner’s Office (ICO), which also investigates the breach and decides on a fair financial penalty following an assessment.
The severity of the fine depends on a number of factors such as how serious the breach is and its impact on the individual. It’s interesting to note that some of the biggest fines in recent years have been levelled at global tech companies, which process vast amounts of user data every day.
8 factors that influence GDPR fines
Some businesses may be fined based on their annual turnover if 4% of it is higher than £17.5m. For example, the biggest GDPR fine to date is €1.2bn (equivalent to £1,035.9m), which was issued to Meta after Ireland’s Data Protection Commission (DPC) found it mishandled personal data when transferring it between Europe and the US.
1. Gravity, nature & duration of breach
According to the ICO, the penalty can be higher depending on the gravity, nature and duration of the breach, including the number of people affected and the level of damage they experienced.
In the case of Meta, it made international transfers of data that violated GDPR, repeatedly and over a continuous period. It also affected millions of Facebook users, although the exact number is unconfirmed. Meta felt “singled out” by this penalty because other businesses use the same process. Regardless, this has set a precedent for other businesses in how they transfer data internationally.
2. Personal data categories affected
The type of personal data compromised also has an impact on the fine businesses receive. The ICO states personal data is something that directly or indirectly makes a person identifiable, such as:
- Name
- Date of birth and age
- Address
- Phone number
- Identification number
- Location data
- Online identifier such as IP address
- Financial details
There is also special category data to consider – the ICO calls for higher levels of protection for this information, so if it is compromised, businesses could risk higher fines.
Special category data includes:
- Race
- Ethnicity
- Political opinions
- Religion
- Trade union membership
- Genetics
- Biometric data (e.g. fingerprints or facial ID)
- Health
- Sex life
- Sexual orientation
- Criminal convictions and offences
3. Negligent or intentional infringement
If the breach is found to be “intentional or negligent”, businesses could face a higher fine. For example, this may include a business that has failed to act after being informed of a breach. It could also include businesses that haven’t taken appropriate security measures, such as password protection for sensitive data, and this has led to a breach.
For example, British Airways was fined €22m in 2020 because it didn’t have the right security measures in place, which allowed a cyber attack to succeed. What made matters worse is that it didn’t detect the breach for more than two months.
4. Actions taken to mitigate the damage
Businesses that have violated GDPR need to react quickly, otherwise they could risk a higher fine. As a minimum, they should have an incident response plan in place to protect remaining customers’ data from being compromised.
Businesses should also self-report to the ICO within 72 hours and demonstrate they have taken adequate steps to mitigate the breach (such as their incident response plan). This is all taken into account by the ICO when deciding how much the fine will be.
5. Degree of responsibility of data controller/processor
The “degree of responsibility of the controller or processor” also impacts the level of penalty, including any “technical and organisational measures implemented by them”. If you can demonstrate accountability and responsibility, as well as mitigating the breach, it can help your case.
6. Previous data breach infringements
If a business has multiple data breach infringements, they may receive a higher fine as they aren’t demonstrating consistent data protection. For example, Meta has had multiple GDPR breaches and fines over the years, including a £193m fine for WhatsApp because it wasn’t transparent with customers about how their data was collected, managed and processed.
7. Cooperation with supervisory authorities
Businesses need to show cooperation with the ICO once a breach has been reported, including taking measures to mitigate the breach and impacts.
Back in 2018, German chat platform Knuddels was fined €20,000 for a GDPR breach – but this could have been substantially higher had the company not reacted the way it did. It took immediate action, contacted the relevant organisations and implemented the regulator’s suggestions, including improving security.
8. Aggravating or mitigating factors
The ICO also takes into account any aggravating or mitigating factors. British Airways was fined £20m following a cyber attack in 2018, when payment card details were stolen. The fine was initially valued at £183m but the ICO took into account the impact of the Covid-19 pandemic at the time, so it was reduced significantly.
Summary
There are a number of factors that influence how big or small a GDPR fine is – and there have been cases where regulators have been more lenient if a business has responded quickly and cooperated.
Here’s a quick recap:
- The severity of the breach, including number of people impacted and level of damage
- The type of data stolen, including sensitive category data
- An intentional or negligent breach
- A business’s actions following the breach
- The degree of responsibility a business owner demonstrates
- Any previous breaches
- Cooperation with the ICO or relevant organisation
- Any mitigating factors
For a full list of factors influencing the amount of penalty, visit the ICO’s website.
How to report a breach
If a business in the UK suspects a GDPR breach, it has to self-report to the ICO as soon as possible, and within 72 hours, which it can do using the ICO’s online form.
You will be asked details such as:
- What has happened
- When and how you found out
- People impacted
- Your actions following the breach
- A primary contact and people who know
It’s best to answer honestly to demonstrate cooperation and reduce risk for your customers.
Want to learn more about GDPR?
To avoid a serious financial penalty, you need to ensure your customers’ personal data is protected and your business is GDPR compliant. A breach isn’t always your fault, for example if it’s caused by a cyber incident – but how you react also influences whether you will receive a penalty and how large it is.
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have additional free resources such as e-learning modules, microlearning modules and more.
Written by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.
