What a GDPR breach actually costs (fines and the larger numbers behind them).
The statutory fine is visible. The forensic retainer activation, the legal counsel hours, the 72-hour notification work, the customer communications run, the regulator engagement, and the post-incident remediation are typically five to twenty times larger and rarely covered. We model both.
Statutory fine bands
UK GDPR and EU GDPR both use the same two-tier penalty structure set out in Article 83.
- Tier 1: up to €10 million or 2% of global annual turnover, whichever is higher. Covers procedural and documentation failures (Articles 8, 11, 25-39, 42, 43).
- Tier 2: up to €20 million or 4% of global annual turnover, whichever is higher. Covers substantive breaches (Articles 5, 6, 7, 9, lawful basis, international transfers, data subject rights).
The cap is the headline. Most fines settle well below the cap; regulators apply the Article 83(2) factors (nature, gravity, intent, mitigation, prior conduct, cooperation).
2025-2026 enforcement totals
| Metric | Figure | Source / date |
|---|---|---|
| Cumulative GDPR fines since May 2018 | ~€7.1bn | CMS Enforcement Tracker, March 2026 snapshot |
| 2025 calendar-year fines | ~€1.2bn | CMS Enforcement Tracker, 2025 annual review |
| Documented decisions (cumulative) | 2,200+ | GDPRhub case database, March 2026 |
| Daily breach notifications EU-wide | ~440 / day | EDPB statistics, 2025 |
| UK average data breach total cost | $4.07m | IBM Cost of a Data Breach 2025 report |
Incident response cost
A notifiable breach activates a structured response. The cost lines and typical UK-EU 2026 ranges:
- Forensic retainer activation: £15,000 - £200,000 depending on scope and IR firm (typical providers: Mandiant, NCC Group, Kroll, Bridewell). Day rates inside the engagement run £1,200 - £2,500.
- Legal counsel: £500 - £1,500 / hour for senior data protection counsel; many firms run breach retainers (£3,000 - £30,000 / year) that include 72-hour engagement.
- 72-hour notification work: £8,000 - £40,000 fully loaded across legal, comms, and engineering for a mid-sized incident.
- Customer communications: £0.50 - £3.50 per affected data subject for tier-1 written notification; substantial multipliers for telephone or in-person steps.
- Regulator engagement: £20,000 - £150,000 in legal and forensic time over the 6-18 month investigation cycle.
- Post-incident remediation: commonly two to four times the original implementation budget, because the work is now non-negotiable and time-pressured.
The 5-20x ratio
For a typical mid-sized notifiable breach, the response cost (forensic, legal, notification, comms, regulator engagement, remediation) commonly runs five to twenty times the value of any eventual statutory fine. Some breaches receive no fine at all (the regulator may issue a reprimand or formal action plan) while still incurring the full response cost. The 5-20x range is sourced from aggregated IR firm survey data and IBM Cost of a Data Breach 2025 UK and EU sectoral breakouts.
What teams underestimate
Notification volume cost (mailing 200,000 affected customers is a materially different number from mailing 2,000) is the most commonly under-budgeted line. Civil litigation in UK and EU group-action contexts (representative actions, claimant law firms aggregating breach victims) is the second; in several recent UK cases the exposure has exceeded the insurance ceiling. Brand and revenue impact (cancelled contracts, churned customers, deal delays) is the third and is rarely budgeted at all. Board-level distraction (the executive team running the breach response is not running the company) is the fourth.
Sanity check scenarios
Phishing-led credential exposure, customer email and contact details. Forensic retainer £20-50k, legal £8-25k, notification under £4k, regulator engagement £6-30k. Fine band: warning to small monetary.
Web-app vulnerability, customer order history exposure. Forensic £80-200k, legal £40-150k, notification £80-300k, regulator £50-180k, remediation £80-400k. Fine band: 0.5-2% of UK turnover plausible.
API misconfiguration, multi-jurisdiction subjects, special-category data. Forensic £400k-1.5m, legal £600k-3m, notification £2-10m, regulator engagement multi-jurisdiction £1-3m, remediation £3-12m. Fine band: 2-4% of global turnover plausible.
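The fine bands, the cost lines and the 5-20x ratio above are one model, and the sanity-check scenarios are that model applied three times. The calculator below is an added illustration of it (not a tool from this page or from any of the firms named): the Article 83 caps and the £0.50 - £3.50 per-subject notification price are the page's figures, while the subject counts, turnover and "plausible fine" bands it feeds in are constructed to mirror the first two scenarios. It treats all amounts as one currency unit, so the reader converts between the EUR caps and GBP cost lines before comparing, and it does not try to model Article 83(2) discretion, which is why the cap is only ever a ceiling check.

```python
"""Breach cost model: Article 83 cap plus the page's response-cost lines.

Added illustration, not the page's tool. All amounts are assumed to be in one
currency unit (the page quotes caps in EUR and costs in GBP; convert first).
Notification is priced per affected data subject at the page's 0.50-3.50
written-notice band unless a scenario supplies a lump-sum range. Turnover and
'plausible fine' bands are constructed inputs; Article 83(2) discretion is not
modelled, so the cap is a ceiling, not a forecast.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import math

# Article 83 two-tier cap: fixed amount or share of global annual turnover,
# whichever is higher (page figures, EUR).
ARTICLE_83_TIERS = {1: (10_000_000, 0.02), 2: (20_000_000, 0.04)}


def article83_cap(tier: int, global_turnover: float) -> float:
    """Maximum fine for the tier, in the same unit as the turnover given."""
    fixed, pct = ARTICLE_83_TIERS[tier]
    return max(fixed, pct * global_turnover)


@dataclass(frozen=True)
class Range:
    """Low/high estimate; arithmetic keeps the two bounds separate."""
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low < 0 or self.high < self.low:
            raise ValueError(f"invalid range {self.low}-{self.high}")

    def __add__(self, other: "Range") -> "Range":
        return Range(self.low + other.low, self.high + other.high)

    def scale(self, k: float) -> "Range":
        return Range(self.low * k, self.high * k)


NOTIFICATION_PER_SUBJECT = Range(0.50, 3.50)  # tier-1 written notice, page figure


@dataclass
class Scenario:
    name: str
    affected_subjects: int
    forensic: Range
    legal: Range
    regulator: Range
    remediation: Range = Range(0, 0)
    notification_override: Optional[Range] = None  # set when a lump sum is known

    def notification(self) -> Range:
        if self.notification_override is not None:
            return self.notification_override
        return NOTIFICATION_PER_SUBJECT.scale(self.affected_subjects)

    def response_cost(self) -> Range:
        return (self.forensic + self.legal + self.notification()
                + self.regulator + self.remediation)


def ratio_to_fine(response: Range, fine: Range) -> Tuple[float, float]:
    """Response cost as a multiple of the fine, worst case in both directions.
    A fine band that reaches zero (reprimand, no penalty) leaves the upper
    multiple unbounded: the response cost is incurred anyway, so inf is returned."""
    low = response.low / fine.high if fine.high > 0 else math.inf
    high = response.high / fine.low if fine.low > 0 else math.inf
    return low, high


def scenario_report(s: Scenario, fine: Range, turnover: float, tier: int = 2) -> dict:
    """Check the fine band against the Article 83 cap and compute the ratio."""
    cap = article83_cap(tier, turnover)
    if fine.high > cap:
        raise ValueError("plausible fine band exceeds the Article 83 cap")
    cost = s.response_cost()
    lo, hi = ratio_to_fine(cost, fine)
    return {"scenario": s.name, "response_low": cost.low, "response_high": cost.high,
            "cap": cap, "ratio_low": lo, "ratio_high": hi}


# Constructed inputs mirroring the page's first two sanity-check scenarios.
PHISHING = Scenario("phishing-led credential exposure", affected_subjects=1_000,
                    forensic=Range(20_000, 50_000), legal=Range(8_000, 25_000),
                    regulator=Range(6_000, 30_000))
WEB_APP = Scenario("web-app vulnerability, order history", affected_subjects=100_000,
                   forensic=Range(80_000, 200_000), legal=Range(40_000, 150_000),
                   regulator=Range(50_000, 180_000), remediation=Range(80_000, 400_000),
                   notification_override=Range(80_000, 300_000))

if __name__ == "__main__":
    turnover = 20_000_000  # constructed; scenario 2 fine uses the page's 0.5-2% band
    for s, fine in ((PHISHING, Range(0, 50_000)), (WEB_APP, Range(turnover * 0.005, turnover * 0.02))):
        r = scenario_report(s, fine, turnover)
        print(f"{r['scenario']}: response {r['response_low']:,.0f}-{r['response_high']:,.0f}, "
              f"{r['ratio_low']:.1f}x-{r['ratio_high']:.1f}x the fine (cap {r['cap']:,.0f})")
```

Two things the arithmetic makes visible that the prose leaves implicit. The ratio is itself a band, and a wide one: the web-app scenario at a constructed £20m turnover comes out between roughly 0.8x and 12x the plausible fine, depending on which end of each cost line and of the fine band lands. And a fine band whose floor is zero (the "warning to small monetary" case) gives an unbounded upper multiple, which is the page's point about reprimand-only outcomes expressed as a number rather than a sentence.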
Penalty data and notable enforcement
The penalty band a regulator applies to a notified breach is a separate analysis from the cost of getting compliant in the first place. Penalty data and notable enforcement actions are tracked at gdprfine.com.