What happens if a company does not comply with GDPR?
Asked by: Clarabelle Walter | Last update: May 3, 2026
If a company doesn't comply with GDPR, it faces significant penalties, including massive fines (up to €20 million or 4% of global annual revenue), official warnings, reprimands, and temporary bans on data processing, plus severe reputational damage, loss of customer trust, and potential lawsuits from affected individuals, leading to substantial financial losses and reduced sales.
What are the consequences of not complying with GDPR?
The most immediate risk of GDPR non-compliance is the substantial financial penalties. GDPR fines can reach up to €20 million or 4% of a business's global annual turnover, whichever is higher, depending on the severity of the violation.
What happens to a company if they breach GDPR?
Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
What happens if GDPR is violated?
83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
Do US companies have to comply with GDPR?
Even if a US company does not have a physical presence in the EU, it will still be subject to the GDPR if it offers goods or services to individuals in the EU or monitors their behaviour. Therefore, US companies that interact with EU residents must ensure GDPR compliance to avoid legal ramifications.
What are the consequences of non-compliance?
- Penalties, fees, or fines: Monetary penalties and fines are the most common consequences of non-compliance in business.
- Ceasing business operation: In extreme cases (often related to unsafe working conditions or violating environmental rules) your business could be forced to shut down some or all of its operations.
Is a GDPR breach serious?
As breaching section 170(1) is a criminal offence, your employer or the individuals whose data have been breached may report you to the police. This could lead to you being charged and prosecuted.
Am I entitled to compensation for a GDPR breach?
The Court noted that Article 82 (1) of the GDPR provides that a person who has suffered material or non-material damage as a result of an infringement of the regulation shall have the right to receive compensation for the damage suffered.
Are companies punished for data breaches?
When a data breach occurs, organizations face severe legal consequences that extend far beyond immediate financial losses. Companies must navigate complex regulations, potential lawsuits, and regulatory penalties while managing their breach response to protect affected individuals.
What are examples of GDPR violations?
Personal data breach examples
- Case study 1: Failure to redact personal data. Reporting decision: Notifying the ICO and data subjects. ...
- Case study 2: Emailing a file in error. ...
- Case study 3: Working on an unencrypted laptop. ...
- Case study 4: Sending medication to the wrong patient. ...
- Case study 5: A phishing attack.
What are the possible penalties for non-compliance?
These include higher fines, civil action, or in some cases, criminal prosecution. In addition to the financial cost, non-compliance can damage a company's reputation and damage business operations.
Is GDPR compliance mandatory?
Compliance with the GDPR is mandatory for all in-scope organizations, and due to the sensitive nature of the information it covers, violations can result in corrective action or substantial financial penalties.
Is it worth suing over a data breach?
Yes, suing over a data breach can be worth it if you suffer actual, documented harm, like identity theft, financial losses (stolen funds, new loans), significant time spent fixing your credit, or severe emotional distress from constant worry, though individual payouts are often modest and often part of larger class-action lawsuits where payouts are smaller but hold companies accountable. The key is proving the company's negligence caused your specific damages, with highly sensitive data (SSNs, medical records) increasing claim value, making it a personal injury case rather than just a privacy violation.
What is the average payout for a data breach?
Average compensation for data breaches varies widely, from modest payouts (e.g., $100-$500) in large class actions for time spent or basic credit monitoring, to thousands of dollars for proven financial losses like identity theft, fraud, and documented out-of-pocket costs, with some high-profile cases reaching significant sums for severe damages or emotional distress. The amount hinges on the type of data exposed (SSN/financial details pay more), documented harm (fraud, identity theft), time spent, and the specific settlement terms.
Why aren't companies punished for data breaches?
As Ronald Allen learned, plaintiffs have to prove they have been harmed by the incursion. With so many different attacks, it's almost impossible to know which one caused a customer's problems. As a result, few companies can be held financially accountable for data breaches.
Can I sue a company if my data is breached?
You can't sue just because your email got leaked. But when a company's negligence causes measurable harm, it crosses into personal injury territory. You may have a case if you experience: Identity theft or credit fraud linked directly to the breach.
How much money do the data breaches give you?
Data breach payouts come from class-action settlements, offering compensation for documented losses (often up to $5,000 or more) or smaller alternative payments (e.g., $85) for simply being affected, plus services like dark web monitoring, with final amounts depending on claim volume, but specific payouts vary by breach (e.g., AT&T, Equifax) and require filing claims through settlement websites by deadlines.
Can you lose your job over a data breach?
For dismissal to be legally "fair," your employer should have:
- Reasonable belief, based on evidence, that a breach occurred.
- Followed a proper investigation and hearing process.
- Considered whether dismissal is a proportionate response (especially if it was a first-time, genuine mistake).
What are 10 examples of sensitive personal information?
Definition of Sensitive Personal Information
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Health data.
- Sexual orientation or sex life.
How do you prove a GDPR breach?
Potential Evidence That Could Help You Make A Data Protection Breach Claim
- Correspondence from the organisation relating to the data breach incident.
- Medical reports or records that illustrate how the breach has affected your mental health.
- Bills, receipts and invoices that prove financial losses were caused by the breach.
Which are the punishments for non-compliance?
While non-compliance attracts penalties like fines, disqualifications, and termination of licenses, it can also lead to criminal charges if the offence is intentional. To ensure that your business complies with all the rules and regulations, you should implement compliance assurance in your company.
What are two consequences of non-compliance?
Non-compliance with laws and regulations can lead to serious issues for businesses and individuals. It may result in heavy fines, legal action, or damage to your reputation. Ignoring rules can also disrupt daily operations and create unnecessary stress.
Are there penalties for noncompliance?
Non-compliance fines and sanctions are penalties imposed on businesses or individuals who fail to adhere to regulatory requirements.