GDPR monetary fines are potentially severe; how likely are they?

Pile of money to pay GDPR monetary fines

Virtually every discussion about the GDPR emphasizes that violators will be subject to severe GDPR monetary fines. Severity, however, is only one dimension of business risk. To better evaluate the risk of GDPR monetary fines, one must also consider how likely such fines will be imposed. The regulation makes clear that monetary fines will only be levied for the most serious violations.

gdpr monetary fines will issue for only the most serious violations.

As a general matter, the GDPR requires regulators to take into account eleven factors when deciding whether to impose monetary fines. The factors to be considered are typical of enforcement actions generally, and include:

  • the nature, gravity and duration of infringement, including the number of data subjects affected and the level of damage they suffered
  • whether the infringement was negligent or intentional
  • the processor’s compliance history
  • the extent the violator has cooperated with the supervisory authority to remedy the infringement and mitigate possible adverse effects
  • the kind of personal data involved
  • whether the enforcement authority learned about the infringement from the processor or by data subject complaints
  • the degree to which the processor complies with approved codes of conduct or approved certification mechanisms
  • other aggravating or mitigating factors, like whether the processor profited from the infringement or avoided the cost of compliance

Thus, first-time violators that have made good faith efforts to comply with the GDPR and minimize the harm to data subjects and the cost to enforcement authorities are as a practical matter unlikely to face the imposition of any monetary fine. On the other hand, repeat offenders, or businesses that consciously decided to not incur the expense of compliance are far more likely to face substantial monetary fines.


Reporting to date has focused on the possibility of fines up to the greater of 4% of annual global revenue or 20,000,000 Euros. While this reporting is accurate, it is also incomplete: The 4% fine can only apply to violations that involve:

  • the basic processing principles set out in Article 5 (e.g., lawfulness, fairness and transparency; use, purpose and storage limitations; accuracy; data minimization; integrity and confidentiality; and processor accountability)
  • the conditions underlying consent
  • special categories of personal data (processing that would reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic or biometric data processed to uniquely identify a person; health data; or data concerning sex life or sexual orientation)
  • data subjects’ rights to: transparency, access, correction, erasure, data portability, prevent further processing, etc.
  • the transfer of personal data to third countries or international organizations

On the other hand, the GDPR imposes a limit of 2% of annual revenue or 10,000,000 Euros for violating less-essential provisions, including failures to:

  • implement measures for data protection by design and by default
  • obtain sufficient processor guarantees to protect personal data
  • keep adequate processing records
  • cooperate with GDPR regulatory authorities
  • provide compliant notification of breaches
  • carry out a required data protection impact assessment (DPIA)
  • consult with the regulatory authority prior to processing data that a DPIA indicates a high risk in the absence of mitigation measures

Finally, regulatory inquiries are likely to occur only in response to data breaches or data-subject complaints. It is fair to conclude that the threat of substantial monetary fines — while very real — is not imminent. Personal data processors should not expect to see substantial monetary fines imposed in the months after the GDPR goes into effect.