The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec and will come into force on 25 May 2018. Compared to its predecessor, the GDPR gives authorities the power to levy more substantial fines; organisations will face hefty fines in case of non-compliance.

What are the sanctions for non-compliance?

The number of companies fined for data breaches almost doubled in the UK last year. The Information Commissioner’s Office fined 35 companies totalling almost £3.3m against 18 firms in 2015. With just few months to go until the biggest change in privacy laws for over 20 years, organisations risk even larger penalties in case of non-compliance with the GDPR.

Fines would be 79 times higher under GDPR

In October 2016, Information Commissioner’s Officer fined TalkTalk £400,000 for security failings that allowed hackers to access customers’ data.
Currently, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into force on 25 May there will be a two-tiered sanction regime; lesser incidents subject to a maximum fine of either €10m or 2% of the organisation’s global turnover. Most serious breaches could result in fines of up to €20m or 4% of the organisation’s global turnover.
Under this regulation, TalkTalk’s 2016 fine would have raised to almost £59 million, according to analysis from NCC Group.

fines with the GDPR and without the GDPR

Under the GDPR, Talk Talk would have been fined £59 million for security breaches.


The regulation imposes two levels of administrative fines in the case of non-compliance:

  • €10 million or 2% of global annual turnover from the prior year, whichever is greater
  • €20 million or 4% of global annual turnover from the prior year, whichever is greater

Fines for infringements will be considered on a case-by-case basis according to Article 83 of the General Data Protection Regulation.

The higher level of fine will be applied in the case of non-compliance with the key provisions of the GDPR. For example; infringement of the rights of data subjects and the transfer of personal data to organisations that don’t ensure an adequate level of data protection or non-adherence to the core principles of processing personal data.

Other sanctions can be imposed in conjunction with administrative fines. The ICO may conduct audits, review certifications, issue warnings and reprimands to data controllers and data processors and impose limitations and restrictions around the breaching party’s ability to process data. 

Jeanne Bossi Malafosse, GDPR expert

« Data protection authorities are becoming harsher. Beyond the sanctions for non-compliance, reputational damage can also be significant for organizations. »

Jeanne Bossi Malafosse, head of the Data Protection department at DELSOL Avocats.