The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million (or the equivalent in sterling) for organisations that infringe its requirements. Nevertheless, not all GDPR infringements lead to data protection fines. Supervisory authorities, such as the UK's ICO (Information Commissioner's Office), can take a range of other actions, including warnings, reprimands, and temporary or permanent bans on data processing.
Recently, the UK's data privacy regulator has said that it plans to fine the US hotel group Marriott International £99.2m.

The fine relates to a data breach that saw the personal details of approximately 339 million guests compromised. This announcement was hot on the heels of confirmation by the Information Commissioner's Office that British Airways was to be fined £183m over a data breach.

Unsurprisingly, it is these high-profile cyber attacks that make the headlines, and they can lull SMEs into a false sense of security and a related apathy about their own risk. If the impact is particularly devastating for a large company, which can draw on substantial resources and skilled professionals, it would be disastrous for a small or medium-sized business, where an unexpected interruption of trading and activities could seriously jeopardise the future of the business itself.
