



GDPR fines: How much will non-compliance cost you?

Oct 23, 2017 | 4 mins
Data and Information Security | Privacy | Regulation

Any breach of the General Data Protection Regulation or failure to meet GDPR compliance could lead to severe fines.

The General Data Protection Regulation (GDPR) went through four years of preparation and debate before being passed by the EU parliament last year. Strict GDPR requirements lay out how companies should process, store, and secure the personal data of individuals in the EU, wherever the company itself is based. The enforcement date is May 25, 2018, and any company not in compliance by that date could be in for a very nasty shock indeed.

The short answer to our question can be found in paragraph 5 of Article 83, which dictates that infringements can lead to fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Little wonder then, that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

Sky high fines?

The high ceiling on fines that will come in with GDPR will give data regulators much greater punitive power, in theory. In practice, we simply don’t know how fines will be levied.

Maximum fines are rare, but there’s currently a great deal of variance from country to country. For example, in the U.K. the Information Commissioner’s Office can issue fines up to 500,000 GBP, but the highest fine to date was 400,000 GBP ($532,158) for telecoms company TalkTalk, after a major data breach that exposed the names, addresses, dates of birth, phone numbers and email addresses of more than 150,000 customers, and bank account details and sort codes for thousands.

There’s some debate about whether high fines will be levied, and in what circumstances, but it’s possible that some data regulators will want to send a clear message by making an example of a company for non-compliance. The European Data Protection Board (EDPB), which replaces the Article 29 Working Party when GDPR takes effect, is expected to offer guidance on fines, but that guidance is not yet available and the first few cases are liable to set a precedent.

Reputational damage

The risk of GDPR fines isn’t just the fine amount, but also the fact that your company name will appear in headlines associated with a lack of security. The lasting damage to your brand is hard to quantify, but it seems likely that people concerned about privacy will avoid the brand if an association is made. In the aftermath of TalkTalk’s breach, for example, the company lost more than 100,000 customers.

A severe fine for non-compliance will generate a lot of news stories, and any potential customer researching their options may find those stories and be influenced by them for years to come. The way companies collect and use data is coming under increasing scrutiny as privacy concerns among consumers grow, and that scrutiny is only going to intensify. Why take the risk?

Sensible security

With uncertainty about the level of fines that will be imposed, businesses need to invest some time and resources into researching GDPR. When Vanson Bourne surveyed 1,600 organizations, it found that 37% of respondents don’t know whether their organization needs to comply with GDPR, while 28% believe they don’t need to comply at all. Ignorance will not provide any protection from fines.

Compliance is a smart move, not just to avoid fines, but to safeguard your customer data. For the most part, the requirements formalize a set of principles that you should already be applying. Assess your privacy practices, hire or appoint a data protection officer where the regulation requires one, create a data breach plan that includes notifying the supervisory authority within 72 hours of becoming aware of a breach, and make sure you know where your data is at all times. Preparing for GDPR compliance is hardly an insurmountable task.

If this prompts companies to review the data they collect and assess whether they need to store it, then that’s a good thing. Too many companies have a data hoarding attitude and it creates unnecessary risk. There’s also no excuse for neglecting to create clear consent forms and privacy policies. Ultimately, companies should not be treating data protection as optional.

We can’t say for sure what non-compliance with GDPR will cost you, but there’s a good chance it will prove more expensive than compliance, and that’s the point.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.