GDPR Compliance: Breach Notification and Fines

GDPR Compliance: Breach Notification and Fines

June 27

The importance of data security is now multi-fold. Not only must you protect business data to avoid the loss of revenue and reputation damage that might follow a security breach. You also have to satisfy stringent laws and regulations that heavily penalize non-compliant organizations. That’s the current situation for companies in the European Union (yes, that still means UK businesses as well) that need to comply with the General Data Protection Regulation. 

court gavel and coin jar, on white - lawsuit concept - gdpr fines

In our GDPR compliance guide, we outlined the key components of the upcoming legislation. Among them is the notification rule that requires a breach be reported to the appropriate supervisory authority no later than 72 hours after the incident. The notification must be accompanied by the following elements:

  • Details of the breach, including the nature of the incident and the approximate number of individuals or data records affected;
  • The likely repercussions of the breach;
  • Measures to resolve or mitigate the effects of the breach;
  • Name and contact information of the organization’s data protection officer or contact person.

When there is a great chance that a security breach could put consumer privacy at risk, the organization must immediately notify each consumer affected of the incident. Companies must provide notifications in a language that the consumers can easily understand. There are, however, scenarios in which notifying data subjects is not required.

For instance, take the situation where an attacker breached the network but no further harm was caused because your data was encrypted. In this case, there is no need to give notification beyond the supervisory authority.

The Cost of Non-compliance

The consequences of failing to meet the breach notification rule or other GDPR requirements are extortionate fines. What do those fines amount to in actual euro amounts? In order to answer this question, we’ll have to dive into the GDPR fine structure for a more realistic idea of what to expect in the way of monetary penalties.

According to Article 83 of the GDPR, the maximum fine for breaching the most important provisions is up to €20 million or 4 percent of the total worldwide turnover of the preceding financial year – whichever is greater. Fines for breaches deemed less serious can be as high as €10m or 2 percent or the annual turnover. Breach severity is generally distinguished by two factors:

  • whether an organization fails to meet their data protection obligations;
  • or if the incident directly compromises consumer privacy.

Under this two-tiered structure, fines are levied in accordance to specific articles of the GDPR and the role of the individual guilty of non-compliance. For example, if you’re tasked with storing, transferring, or disposing of the data affected in a breach, you can only be fined a maximum of €10m or 2% of global annual turnover. If you’re responsible for managing and protecting said data, you can be fined the highest possible amount. In other words, fines for data controllers can be far more severe than data processors.

Read More: Compliance Training Resources for MSP’s

GDPR Fines, Now Determined by the European Union

Whether or not GDPR fines will be administered is determined by EU supervisory authorities (SAs) such as the Information Commissioners Office (ICO). These regulatory enforcers take a number of factors into consideration when investigating non-compliant organizations, including:

  • Nature of the breach and resulting implications
  • Class of data affected in the breach
  • Length of time between discovery and mitigation
  • Manner in which the authority is notified about the breach
  • Organizational measures implemented to prevent the breach from occurring

Those are the basics. Infringement history, willingness to cooperate with the investigation process, financial losses averted, and other instances that may arise as a direct or indirect result of a breach will also be taken into account.


In the past, individual EU states could determine their own sanctions for compliance penalties. The GDPR marks the first time fines have been explicitly written into EU regulations. Supervisory Authorities are taking full advantage by exercising the maximum monetary limits at their disposal.

The best way avoid potentially crippling fines is to simply create an IT environment that prioritizes cybersecurity and data protection. There are no compromises. Make sure you partner with the absolute best in data protection and recovery to avoid the fines.