ToolSec


What Is GDPR? Fines and Compliance Basics

7 min read · Updated June 27, 2026

GDPR is one of the most influential privacy laws in the world, and it affects far more organisations than just European ones. This guide gives a plain-English overview of what it is, what it requires, and how the fines work. It's educational background, not legal advice: for your specific situation, consult a qualified professional.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since 2018. It governs how organisations collect, use and protect the personal data of people in the EU: any information relating to an identifiable person, from names and emails to IP addresses and location data.

Who does it apply to?

This is the part that surprises people: GDPR has extraterritorial reach. It applies to any organisation, anywhere in the world, that processes the personal data of people in the EU, for example by selling to them or tracking their behaviour. A company with no EU office can still fall under GDPR if it has EU users.

The core principles

GDPR is built on a set of principles for handling personal data:

  • Lawfulness & transparency: have a legal basis and be clear about what you do.
  • Purpose limitation: collect data for specified purposes, not "just in case."
  • Data minimisation: collect only what you actually need.
  • Accuracy: keep data correct and up to date.
  • Storage limitation: don't keep data longer than necessary.
  • Integrity & confidentiality: protect data with appropriate security.
  • Accountability: be able to demonstrate compliance.

Rights for individuals

GDPR grants people meaningful rights over their data, including the right to access a copy of it, to have it corrected or erased ("right to be forgotten"), to restrict or object to processing, and to data portability. Organisations must have processes to honour these requests within set timeframes.

The two fine tiers

Penalties are split into two levels. Each level is capped at whichever is higher of a fixed amount or a percentage of global annual turnover:

  • Lower tier: up to €10 million or 2% of global annual turnover, for issues like inadequate records or security failings.
  • Upper tier: up to €20 million or 4% of global annual turnover, for breaching core principles or ignoring data subject rights.

These are maximums. Regulators set the actual fine based on factors like severity, intent, and cooperation. The percentage-of-turnover clause is what makes GDPR fines so significant for large companies. You can explore the ceilings with our GDPR fine calculator.

Beyond the fine

The headline penalty is only part of the cost. Serious breaches bring mandatory remediation, audits, reputational damage and breach-response costs, which you can estimate with our data breach cost estimator. There's also a duty to report many breaches to regulators within 72 hours.

Practical first steps

  1. Map what personal data you hold, where it lives, and why.
  2. Identify a lawful basis for each processing activity.
  3. Write a clear privacy policy and obtain consent where required.
  4. Minimise data and set retention periods.
  5. Secure the data and have a breach-response plan ready.
  6. Build processes to handle data subject requests.

Not legal advice

GDPR is complex and fact-specific, and this overview can't assess your actual obligations. For a real compliance position, consult a qualified data protection lawyer or your DPO. Strong privacy practices are far cheaper than enforcement; frame the investment with our security ROI calculator.

Frequently asked questions

Who does GDPR apply to?

Any organisation, anywhere, that processes the personal data of people in the EU, for example by selling to them or tracking them. It applies even to companies with no EU office.

What is the maximum GDPR fine?

Up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. Lesser violations are capped at €10 million or 2%. These are maximums, not automatic penalties.

Is this article legal advice?

No. It's an educational overview. GDPR is complex and situation-specific, so consult a qualified data protection lawyer or your DPO for your actual obligations.
