StorageCraft Technology Corporation

GDPR Compliance: Breach Notification and Fines

The importance of data security is now multi-fold. Not only must you protect business data to avoid the loss of revenue and reputation damage that might follow a security breach. You also have to satisfy stringent laws and regulations that heavily penalize non-compliant organizations. That’s the current situation for companies in the European Union (yes, that still means UK businesses as well) that need to comply with the General Data Protection Regulation. 

In our GDPR compliance guide, we outlined the key components of the upcoming legislation. Among them is the notification rule that requires a breach be reported to the appropriate supervisory authority no later than 72 hours after the incident. The notification must be accompanied by the following elements:

When there is a great chance that a security breach could put consumer privacy at risk, the organization must immediately notify each consumer affected of the incident. Companies must provide notifications in a language that the consumers can easily understand. There are, however, scenarios in which notifying data subjects is not required.

For instance, take the situation where an attacker breached the network but no further harm was caused because your data was encrypted. In this case, there is no need to give notification beyond the supervisory authority.

The Cost of Non-compliance

The consequences of failing to meet the breach notification rule or other GDPR requirements are extortionate fines. What do those fines amount to in actual euro amounts? In order to answer this question, we’ll have to dive into the GDPR fine structure for a more realistic idea of what to expect in the way of monetary penalties.

According to Article 83 of the GDPR, the maximum fine for breaching the most important provisions is up to €20 million or 4 percent of the total worldwide turnover of the preceding financial year – whichever is greater. Fines for breaches deemed less serious can be as high as €10m or 2 percent or the annual turnover. Breach severity is generally distinguished by two factors:

Under this two-tiered structure, fines are levied in accordance to specific articles of the GDPR and the role of the individual guilty of non-compliance. For example, if you’re tasked with storing, transferring, or disposing of the data affected in a breach, you can only be fined a maximum of €10m or 2% of global annual turnover. If you’re responsible for managing and protecting said data, you can be fined the highest possible amount. In other words, fines for data controllers can be far more severe than data processors.

Read More: Compliance Training Resources for MSP’s

GDPR Fines, Now Determined by the European Union

Whether or not GDPR fines will be administered is determined by EU supervisory authorities (SAs) such as the Information Commissioners Office (ICO). These regulatory enforcers take a number of factors into consideration when investigating non-compliant organizations, including:

Those are the basics. Infringement history, willingness to cooperate with the investigation process, financial losses averted, and other instances that may arise as a direct or indirect result of a breach will also be taken into account.


In the past, individual EU states could determine their own sanctions for compliance penalties. The GDPR marks the first time fines have been explicitly written into EU regulations. Supervisory Authorities are taking full advantage by exercising the maximum monetary limits at their disposal.

The best way avoid potentially crippling fines is to simply create an IT environment that prioritizes cybersecurity and data protection. There are no compromises. Make sure you partner with the absolute best in data protection and recovery to avoid the fines.

Categories: Uncategorized
Tags: GDPR compliance
Contel Bradford: Contel Bradford is a professional of many trades-- aspiring screenwriter, affiliate marketer in training, published author. He excels at writing articles about internet technology, specializing in topics that range from email marketing and web hosting to social media and SEO. Learn more about this multi-talented man of mystery at