What Is GDPR? Fines and Compliance Basics
By Justin Le
7 min read · Updated June 27, 2026
GDPR is one of the most influential privacy laws in the world, and it affects far more organisations than just European ones. This guide gives a plain-English overview of what it is, what it requires, and how the fines work. It is educational background, not legal advice; for your specific situation, consult a qualified professional.
What is GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the European Union's data protection law. It was adopted in 2016 and has applied since 25 May 2018. It governs how organisations collect, use and protect personal data, meaning any information relating to an identified or identifiable person: names and email addresses, but also IP addresses, device identifiers, cookie IDs and location data.
Who does it apply to?
This is the part that surprises people: GDPR has extraterritorial reach. It applies to any organisation, anywhere in the world, that processes the personal data of people in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour, for example through analytics or advertising trackers. A company with no EU office can still fall under GDPR if it has EU users. It also applies to any organisation established in the EU, regardless of where the processing itself takes place.
The core principles
GDPR is built on a set of principles (Article 5) for handling personal data:
- Lawfulness, fairness and transparency: have a valid legal basis, and be clear with people about what you do with their data.
- Purpose limitation: collect data for specified, explicit purposes, not "just in case."
- Data minimisation: collect only what you actually need for those purposes.
- Accuracy: keep data correct and up to date.
- Storage limitation: don't keep data longer than necessary.
- Integrity and confidentiality: protect data with appropriate technical and organisational security measures.
- Accountability: be able to demonstrate compliance with all of the above.
Rights for individuals
GDPR grants people meaningful rights over their data, including the right to access a copy of it, to have it corrected or erased (the "right to be forgotten"), to restrict or object to processing, to data portability, and not to be subject to purely automated decisions with legal or similarly significant effects. Organisations must have processes to honour these requests, generally free of charge and within one month of receipt, extendable by up to two further months for complex or numerous requests.
The two fine tiers
Penalties are split into two levels (Article 83), each "whichever is higher" of a fixed cap or a percentage of total worldwide annual turnover for the preceding financial year:
- Lower tier: up to €10 million or 2% of global annual turnover, for breaches of obligations such as keeping records of processing, securing personal data, notifying breaches, or appointing a data protection officer (DPO) where required.
- Upper tier: up to €20 million or 4% of global annual turnover, for breaching the core principles (including lawful basis and consent), ignoring data subject rights, unlawful international transfers, or failing to comply with an order from a supervisory authority.
These are maximums. Regulators set the actual fine based on factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the technical and organisational measures in place, previous infringements, and the degree of cooperation with the authority. The percentage-of-turnover clause is what makes GDPR fines so significant for large companies. You can explore the ceilings with our GDPR fine calculator.
Beyond the fine
The headline penalty is only part of the cost. Serious breaches bring mandatory remediation, audits, reputational damage and breach-response costs, which you can estimate with our data breach cost estimator. There is also a duty to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to inform the affected people themselves without undue delay where the risk to them is high. Processors must report breaches to their controllers without undue delay, so contracts and incident runbooks need to reflect that chain.
Practical first steps
- Map what personal data you hold, where it lives, who can access it, and why you process it. This inventory doubles as the record of processing activities the regulation expects you to keep.
- Identify a lawful basis for each processing activity.
- Write a clear privacy policy and, where consent is the basis you rely on, obtain and record it properly.
- Minimise the data you collect and set retention periods that are actually enforced.
- Secure the data with controls proportionate to the risk, and have a breach-response plan ready that can meet the 72-hour notification window.
- Build processes to handle data subject requests within the statutory timeframes.
Not legal advice
GDPR is complex and fact-specific, and this overview can't assess your actual obligations. For a real compliance position, consult a qualified data protection lawyer or your data protection officer (DPO). Strong privacy practices are far cheaper than enforcement; frame the investment with our security ROI calculator.
Frequently asked questions
Who does GDPR apply to?
Any organisation, anywhere, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, as well as any organisation established in the EU. It applies even to companies with no EU office.
What is the maximum GDPR fine?
Up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. Lesser violations are capped at €10 million or 2%. These are maximums, not automatic penalties.
Is this article legal advice?
No. It's an educational overview. GDPR is complex and situation-specific, so consult a qualified data protection lawyer or your DPO for your actual obligations.
Try the related tools
- GDPR Fine Calculator Estimate the maximum GDPR penalty from annual turnover and infringement tier.
- Data Breach Cost Estimator Estimate the financial impact of a data breach from records exposed and per-record cost.
- Security ROI (ROSI) Calculator Compute the return on a security investment from expected loss and mitigation effectiveness.
Related guides
- What Is Ransomware? How Attacks Work and What They Cost How ransomware actually works, why the ransom is often the smallest cost, and the handful of defenses that make the biggest difference.
- What Is a Data Breach? Causes, Costs and Response What counts as a data breach, the causes behind most of them, why the true cost dwarfs the headline fine, and how to prepare before one happens.
- Security ROI: How to Justify a Security Budget How to turn 'we should invest in security' into a number leadership respects: the ROSI model, with the inputs and pitfalls explained.