Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
In the digital age, nearly every UK business - whether you're running an online shop, a tech start-up, or a local café - handles personal data. That means you need to understand the General Data Protection Regulation (GDPR), which in the UK applies as the UK GDPR alongside the Data Protection Act 2018.
GDPR fines can be substantial and, for many small businesses, potentially business-ending. The good news is that penalties are avoidable if you know the rules and build good data protection practices from the start. This guide breaks down how GDPR fines work, what triggers them, how they're calculated, and how to keep your business compliant.
Why GDPR compliance matters
The GDPR protects the privacy rights of anyone whose data your business collects, stores, or uses - customers, suppliers, and employees alike. It applies to any UK or EU organisation (and many overseas ones that offer goods or services to, or monitor, people in the UK or EU) that processes personal data. If you breach the law through poor security, mishandling information, or lack of transparency, the Information Commissioner's Office (ICO) can fine you heavily. Reputational damage, customer loss, and business disruption often cost even more than the fine itself.
How GDPR fines are structured
Fines are based on a two-tier system that reflects the seriousness of the infringement. The EU GDPR sets the maximums in euros; the UK GDPR sets equivalent maximums in sterling.
Lower-tier fines
- Up to €10 million or 2% of annual global turnover (whichever is higher) under the EU GDPR; up to £8.7 million or 2% under the UK GDPR.
- Applied to breaches of the obligations placed on controllers and processors, such as incomplete records of processing, inadequate security measures, late breach notification, or failing to carry out a required data protection impact assessment.
Higher-tier fines
- Up to €20 million or 4% of annual global turnover (whichever is higher) under the EU GDPR; up to £17.5 million or 4% under the UK GDPR.
- Used for serious offences like unlawful processing, violating data subject rights, unlawful international transfers, breaking the core GDPR principles, or ignoring an ICO enforcement order.
What triggers a GDPR fine
- Invalid consent - where consent is the lawful basis you rely on, collecting or using data without consent that is freely given, specific, informed, and unambiguous (and explicit for special category data). Consent is only one of six lawful bases, so relying on it when another basis is more appropriate is itself a common mistake.
- Poor security - failing to put in place appropriate technical and organisational measures to protect personal data from loss, alteration, or unauthorised access.
- Ignoring data rights - not responding to access, deletion, or correction requests within the statutory one-month timeframe.
- Slow breach reporting - not notifying the ICO within 72 hours of becoming aware of a reportable breach, or not telling affected individuals without undue delay where the breach poses a high risk to them.
- Unlawful processing - using data in ways that are unfair, opaque, or outside a lawful basis.
How fines are calculated
The ICO assesses each case individually, considering factors such as:
- Severity and duration of the breach.
- Nature of the data involved (sensitive or high-risk data attracts higher fines).
- Whether the breach was deliberate, negligent, or accidental.
- Steps taken to mitigate harm once discovered.
- Past compliance history and cooperation with the ICO.
Real-world GDPR fine examples
- British Airways - fined £20 million in 2020 after a 2018 data breach exposed over 400,000 customers' details. The ICO found that BA had inadequate security measures in place and that the attack went undetected for over two months.
- Marriott International - fined £18.4 million for failing to protect guest data during a long-running cyberattack.
- SMEs - many small businesses and charities have faced smaller but still significant fines for poor marketing practices or inadequate security controls.
Practical steps to avoid GDPR fines
- Draft a proper Privacy Policy - it must explain what data you collect, why, and how it’s used or shared.
- Conduct data audits - map what data you hold, where it’s stored, and who can access it.
- Minimise collection - only collect what you genuinely need.
- Appoint a Data Protection Officer - mandatory for some, advisable for many SMEs handling sensitive data.
- Train your staff - ensure everyone who handles personal data knows the basics of GDPR.
- Document compliance efforts - records are vital if the ICO ever investigates.
- Prepare a breach response plan - you must notify the ICO within 72 hours of becoming aware of a breach that is likely to pose a risk to individuals, so decide in advance who assesses incidents, who makes the report, and what information you will need to hand.
- Seek professional advice early - legal experts can identify gaps and build compliance frameworks tailored to your business.
Beyond financial penalties
- Reputation damage - customers may lose trust overnight.
- Operational disruption - investigations can slow business to a halt.
- Loss of clients or partners - data protection failures harm credibility.
- Legal action - individuals can claim compensation for data misuse.
If your business suffers a data breach
Act quickly and transparently. Notify the ICO within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals), and notify affected individuals without undue delay if there is a high risk to their rights or freedoms. Never attempt to hide or delay reporting - it worsens penalties. Having a clear plan and professional legal support can help you respond effectively and limit damage.
Key takeaways
- The UK GDPR applies to all businesses that process personal data.
- Fines range up to €20m or 4% of annual global turnover under the EU GDPR, and up to £17.5m or 4% under the UK GDPR, for serious breaches.
- Reputational harm often exceeds the fine itself.
- Regular audits, good policies, and staff training are your best protection.
- Seek legal advice promptly if you suspect a breach or gap in compliance.
Need help?
If you want to make sure your business is compliant and protected, Sprintlaw can help. Call 0808 134 7754 or email team@sprintlaw.co.uk for a free, no-obligation chat about GDPR compliance, privacy policies, and data protection support.