GDPR Fine Estimator 2026
What Could Non-Compliance Cost You?
GDPR fines are not theoretical. In 2023 alone, EU and UK data protection authorities issued over €2.1 billion in fines. Use this reference guide to understand your maximum fine exposure by violation type, company size, and sector — and the factors that reduce it.
How GDPR fines are calculated
GDPR fines are capped at the higher of the flat maximum (€20M / £17.5M) or the percentage of global annual turnover (4%). For most companies, the percentage cap is the effective maximum. Supervisory authorities consider the specific circumstances — they never automatically apply the maximum. The listed maximums are ceilings, not starting points. First-time violations by cooperative, small organisations are typically resolved with reprimands or much smaller fines.
GDPR Fine Tiers — EU and UK
GDPR uses a two-tier fine structure. The tier is determined by which articles were violated, not by the harm caused.
Tier 2 — Most Serious
Violations in this tier
- Unlawful processing — no lawful basis, no consent where required
- Violation of the core data protection principles (Article 5)
- Violation of data subjects' rights (access, erasure, portability, etc.)
- Unlawful international transfers without adequate safeguards
- Violation of special category data rules (health, biometrics, etc.)
Real enforcement examples
- Unlawful EU-US data transfers without adequate safeguards
- Cookie consent and behavioural advertising without lawful basis
- Transparency failures — inadequate privacy notice
Tier 1 — Less Serious
Violations in this tier
- Failure to implement Privacy by Design and by Default (Article 25)
- Data breach notification failures — not notifying the supervisory authority within 72 hours (Article 33)
- Failure to appoint a Data Protection Officer when required (Article 37)
- Failure to maintain Records of Processing Activities — RoPA (Article 30)
- Failure to comply with a supervisory authority order or investigation (Article 58)
Real enforcement examples
- Data breach notification failure — breach not detected for 4 years
- Insufficient security measures leading to a data breach affecting 400,000 customers
- Unlawful employee monitoring and data processing
Fine Exposure by Company Size
Maximum fine = the higher of the flat cap or the percentage of global annual turnover. The flat cap only applies to very large companies.
| Company Size | Tier 2 Max (UK GDPR) | Tier 1 Max (UK GDPR) | Practical Note |
|---|---|---|---|
| Micro (< £2M turnover) | £17.5M or 4% | £8.75M or 2% | Fine typically proportionate — often £5K–£200K range for first offences |
| Small (£2M–£10M) | £17.5M or 4% | £8.75M or 2% | 4% of £5M = £200K maximum under turnover cap |
| Medium (£10M–£50M) | £17.5M or 4% | £8.75M or 2% | 4% of £30M = £1.2M; flat cap only kicks in above £437.5M turnover |
| Large (£50M–£500M) | £17.5M or 4% | £8.75M or 2% | 4% of £250M = £10M; higher end of range |
| Enterprise (> £500M) | Flat £17.5M cap (UK) / €20M (EU) | Flat £8.75M cap (UK) / €10M (EU) | For very large companies, the % cap exceeds the flat cap — flat cap applies |
Factors That Reduce Your Fine
GDPR Article 83 lists the factors supervisory authorities must consider. These cut both ways — they can increase or decrease fines from the starting point.
- Duration of the violation: first-time, short-duration violations attract significantly lower fines than repeated or ongoing breaches.
- Nature and gravity: negligence is treated more leniently than intentional violations, and technical failures less severely than deliberate circumvention.
- Cooperation with the authority: proactive engagement, swift notification, and provision of all requested information reduce fines materially.
- Categories of data affected: violations involving special category data (health, biometric, children's data) attract higher fines.
- Number of data subjects affected: scale matters — a breach affecting 10 customers is treated very differently from one affecting 10 million.
- Actions to mitigate damage: prompt notification to affected individuals, offering credit monitoring, and other remediation steps reduce fines.
- Prior violations: repeat offenders receive significantly higher fines — the ICO considers your entire enforcement history.
- Voluntary certification / codes of conduct: demonstrated adherence to approved codes of conduct or certification schemes (ISO 27001, Cyber Essentials+) mitigates fines.
GDPR Fine Risk by Industry Sector
Some sectors face disproportionately high enforcement risk because of the sensitivity of the data they process and the enforcement priorities of the ICO and EU data protection authorities.
| Sector | Risk Level | Why | Typical Fine Range (UK) |
|---|---|---|---|
| Healthcare | Very High | Special category health data; DPA / ICO enforce strictly; patient harm possible | £100K–£5M |
| Financial Services | High | Large volume of sensitive financial data; regulatory overlap with FCA | £50K–£20M |
| Recruitment / HR | High | Employee data + automated decisions; EU AI Act overlap | £20K–£500K |
| E-Commerce / Retail | Medium–High | Cookie consent, marketing, payment data; ICO actively investigates | £10K–£250K |
| SaaS / Technology | Medium | Processor liability; international transfers; API security | £5K–£5M |
| Marketing Agencies | Medium | Third-party data, profiling, email marketing; PECR overlap | £5K–£150K |
| Charities / Non-profit | Medium | Donor data, fundraising calls; ICO Fundraising Code enforcement | £5K–£100K |
| Professional Services | Low–Medium | Client confidentiality; mostly internal processing | £2K–£50K |
Note: Fine ranges are indicative based on published ICO enforcement notices. Actual fines depend on all Article 83 factors.
How to Reduce Your Fine Exposure
- GDPR Audit: identify and fix compliance gaps before they become enforceable violations. A clean audit trail demonstrates good faith.
- Staff Training: most breaches are caused by human error. Regular training on phishing, data handling, and breach reporting significantly reduces risk.
- Breach Response Plan: a tested 72-hour notification process and a documented incident response plan are material mitigants when a breach occurs.
- Privacy by Design: embedding data minimisation and security into product development reduces the scale and likelihood of violations.
- ICO Engagement: proactive engagement with the ICO — voluntary reporting, prompt responses to investigations — consistently reduces final fine amounts.
- Certification: ISO 27001, Cyber Essentials+, and ICO-approved certification schemes are explicitly listed as mitigating factors in GDPR Article 83.
GDPR Fines FAQ
Does the ICO automatically fine the maximum amount?
No. The ICO considers all Article 83 factors before issuing a fine. Most first-time violations by cooperative organisations result in reprimands, undertakings, or much lower fines than the maximum. The maximum fines are reserved for serious, wilful, or repeated violations by large organisations.
Can I be fined for a data breach even if I reported it?
Yes, but self-reporting is a significant mitigating factor. The ICO can fine you for the underlying security failure that enabled the breach, even if you reported it correctly. However, failure to report within 72 hours is itself a separate violation that can increase the fine.
What is the difference between EU GDPR and UK GDPR fines?
The structures are identical but the currency and flat caps differ: EU GDPR — €20M / 4% turnover (Tier 2) and €10M / 2% (Tier 1). UK GDPR — £17.5M / 4% turnover (Tier 2) and £8.75M / 2% (Tier 1). The ICO enforces UK GDPR; EU data protection authorities enforce EU GDPR. If you operate in both jurisdictions, both authorities can investigate the same incident.
Can individuals claim compensation from me for GDPR violations?
Yes. GDPR Article 82 gives individuals the right to claim compensation for material or non-material damage caused by a GDPR violation. In the UK, this can be pursued in the County Court. Class actions are increasingly common for data breaches affecting large numbers of individuals.
How long does an ICO investigation take?
ICO investigations typically take 12–24 months from notification to final decision. Complex cases involving large organisations can take longer. During this period, the ICO may issue information notices, conduct audits, and request interviews. Legal costs during an investigation can exceed the eventual fine for small organisations.
Find and Fix Your GDPR Gaps
GeraCompliance audits your data processing activities, identifies compliance gaps, and generates a prioritised remediation plan. Reduce your fine exposure before an incident occurs.