ComplianceUpdated June 3, 2026; refreshed July 8, 202612 min read

How to Estimate Your GDPR Fine Exposure: A Step-by-Step Guide

GDPR fines are not arbitrary. They follow structured methodologies published by the EDPB and national supervisory authorities. This guide walks through how fines are calculated, what factors determine severity, and how to estimate your organisation's exposure before an incident occurs.

How are GDPR fines calculated under Article 83 in Ireland and the UK?

GDPR fines are calculated by applying Article 83's two-tier statutory caps— up to €10 million or 2% of worldwide annual turnover (lower tier) and up to €20 million or 4% (upper tier), whichever is higher — and then working within those caps using the EDPB five-step methodology(Guidelines 04/2022) for cases led by the Irish Data Protection Commission, and the ICO's parallel six-step model under the UK GDPR. The caps are a ceiling, not a formula: the actual figure turns on the eleven Article 83(2) factors — severity, duration, the categories of data, the organisation's conduct, and the harm caused.

Key takeaways

  • Two tiers, one ceiling. Article 83(4) caps lower-tier breaches at €10M or 2% of worldwide turnover; Article 83(5) caps upper-tier breaches (consent, special-category data, data-subject rights, international transfers) at €20M or 4%, whichever is higher. The Acompli GDPR Fine Calculator works out the DPC and ICO caps for your turnover.
  • The method, not the maximum, sets the fine. The Irish DPC and EU authorities follow the EDPB five-step methodology (Guidelines 04/2022); the UK ICO applies a six-step model. Both weigh the Article 83(2) factors against consolidated group worldwide turnover, not the single entity.
  • Most fines land far below 4%. Published enforcement puts a realistic first-infringement-with-cooperation exposure at roughly 0.1% to 0.5% of turnover. The headline outliers — Meta's €1.2 billion (a DPC decision) and TikTok's €530 million — are upper-tier international-transfer cases, not the norm.
  • Conduct moves the number. Self-reporting, cooperation and early remediation are explicit mitigating factors; concealment is aggravating. For organisations under DPC lead supervision, the EDPB can raise a draft fine under the Article 65 consistency mechanism — model the upside.
1 / 10

01Context

Why understanding fine exposure matters

This explainer walks through the methodology behind the GDPR Fine Calculator: the statutory two-tier structure under Article 83, the EDPB five-step methodology published in Guidelines 04/2022, the ICO's parallel six-step framework, and how to read the pattern in published enforcement decisions to produce a defensible internal range estimate.

The statutory caps (€10M or 2% / €20M or 4% of worldwide annual turnover) are a ceiling, not a formula. The actual fine depends on a structured assessment of the infringement's nature, severity, the organisation's conduct, and the harm caused. Understanding the methodology supports practical decisions: how to prioritise compliance investment, how to frame risk in board reporting, and how to evaluate whether a particular processing activity carries disproportionate exposure.

02Article 83

The Two Fine Tiers Under Article 83

GDPR Article 83 establishes two tiers of administrative fines, each tied to specific categories of infringement.

Lower Tier (Article 83(4))

Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. This tier covers infringements of obligations relating to:

  • Controllers and processors (Articles 8, 11, 25–39, 42, 43)
  • Certification bodies (Articles 42, 43)
  • Monitoring bodies (Article 41(4))

In practice, this includes failures in data protection by design and default, inadequate technical and organisational measures, incomplete records of processing activities, and delayed breach notification.

Upper Tier (Article 83(5)–(6))

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher. This tier covers the core principles and data subject rights:

  • Lawfulness, fairness, and transparency (Article 5)
  • Conditions for consent (Article 7)
  • Processing of special categories of data (Article 9)
  • Data subject rights (Articles 12–22)
  • International transfers (Articles 44–49)
  • Non-compliance with a supervisory authority order

The upper tier is where the headline fines occur. TikTok's €530 million fine for China transfers was an upper-tier infringement under the international transfer provisions.

03Method

The EDPB Five-Step Methodology

In 2023, the European Data Protection Board published Guidelines 04/2022, establishing a harmonised five-step methodology for calculating fines. While individual supervisory authorities retain discretion, this framework provides the closest thing to a formula that exists.

Step 1: Identify the Processing Operations and Evaluate Article 83(2) Criteria

The authority identifies the relevant processing operations and assesses 11 criteria listed in Article 83(2): nature, gravity and duration of the infringement; whether it was intentional or negligent; actions taken to mitigate damage; degree of responsibility considering technical and organisational measures; previous infringements; cooperation with the authority; categories of personal data affected; how the authority became aware of the infringement; compliance with previous orders; adherence to approved codes of conduct or certification mechanisms; and any other applicable aggravating or mitigating factors.

Step 2: Determine the Starting Amount

Based on the Article 83(2) assessment, the authority places the infringement into a severity category and determines a starting amount as a percentage of the applicable legal maximum. Infringements of low severity start at the lower end of the applicable tier; infringements of high severity start toward the upper end.

Step 3: Adjust for Turnover

The starting amount is adjusted relative to the organisation's size and financial capacity. This ensures that fines are “effective, proportionate, and dissuasive” regardless of whether the controller is a startup or a multinational. For undertakings, “turnover” means total worldwide annual turnover of the entire group, not just the entity that committed the infringement.

Step 4: Apply Aggravating and Mitigating Factors

The authority may increase or decrease the fine based on factors not fully captured in Steps 1–3. Common aggravating factors include repeated infringement, failure to cooperate, or deliberate obstruction. Common mitigating factors include proactive notification, early remediation, or voluntary compensation of affected data subjects.

Step 5: Ensure the Fine Does Not Exceed the Legal Maximum

The final figure is capped at the relevant statutory maximum (2%/€10M or 4%/€20M). If the calculated amount exceeds the cap, the fine is reduced to the maximum. For multiple infringements arising from the same processing operation, the authority applies a single fine capped at the amount applicable to the most serious infringement.

04UK

The ICO Approach

The UK Information Commissioner's Office publishes its own detailed penalty calculation guidance, structured similarly but with some procedural differences. The ICO uses a six-step model: assess seriousness, consider the size and financial resources of the organisation, apply aggravating and mitigating factors, consider the need for the penalty to be effective and dissuasive, check proportionality, and ensure consistency with other decisions.

In practice, the ICO has historically issued fines at the lower end of its available range compared to EU authorities, though recent enforcement actions — including the £14.47 million Reddit fine— signal a shift toward larger penalties, particularly where children's data or repeated failures are involved.

05Ireland

The DPC in Practice

As the lead supervisory authority for major technology platforms established in Ireland, the Irish Data Protection Commission has issued some of the largest GDPR fines globally. The DPC follows the EDPB methodology and has been subject to the Article 65 dispute resolution mechanism on multiple occasions, where other EU authorities challenged the proposed fine as insufficient. The pattern is clear: organisations subject to DPC oversight should not assume that the DPC's initial assessment will be the final figure, as other authorities may push for higher penalties through the cooperation and consistency mechanism.

06Comparison

GDPR fine tiers compared: lower tier vs upper tier (DPC and ICO)

The two Article 83 tiers differ in which breaches they cover and in their statutory ceilings under both the Irish DPC (EU GDPR) and the UK ICO (UK GDPR), whichever amount is higher:

AspectLower tier (Article 83(4))Upper tier (Article 83(5))
Maximum fine (DPC / EU GDPR)€10 million or 2% of total worldwide annual turnover€20 million or 4% of total worldwide annual turnover
Maximum fine (ICO / UK GDPR)£8.7 million or 2%£17.5 million or 4%
Breaches coveredData protection by design and default, technical and organisational measures, incomplete records of processing activities, delayed breach notification (Articles 8, 11, 25–39, 42, 43)Lawfulness, fairness and transparency (Article 5), conditions for consent (Article 7), special-category data (Article 9), data subject rights (Articles 12–22), international transfers (Articles 44–49)
Turnover baseConsolidated worldwide annual turnover of the whole groupConsolidated worldwide annual turnover of the whole group

07Estimation

Estimating Your Own Exposure

While no tool can predict what a regulator will decide, you can use the methodology above to produce a defensible range estimate for internal risk reporting. The key inputs are:

  1. Identify the applicable tier. What category of infringement is most likely given your processing activities? A record-keeping failure is lower tier; a consent or transfer violation is upper tier.
  2. Determine your turnover base. For group companies, use consolidated worldwide annual turnover. This is the figure the statutory cap is calculated against.
  3. Assess severity. Consider the number of data subjects affected, the sensitivity of the data, the duration of the infringement, and whether harm has occurred.
  4. Factor in organisational conduct. Have you self-reported? Cooperated? Remediated? These materially affect the final figure.

The Acompli GDPR Fine Calculator automates this analysis. It calculates statutory maximum caps for both DPC and ICO jurisdictions and provides illustrative scenario ranges based on the published methodologies. All turnover data is processed locally in your browser and is never transmitted to a server.

08Data

What the Enforcement Data Tells Us

Analysing published enforcement decisions reveals consistent patterns. The majority of fines cluster well below the statutory maximums. For most organisations, the realistic exposure for a first infringement with cooperation and remediation is in the range of 0.1% to 0.5% of turnover — still material, but far below the headline “4%” figure. The outlier fines — Meta's €1.2 billion, TikTok's €530 million — involve repeat infringements, international transfers to high-risk jurisdictions, or processing at massive scale. The 2025 enforcement datashows total EU fines holding steady at approximately €1.2 billion annually.

09Controls

From Estimation to Prevention

Fine estimation is a risk management exercise, not a compliance strategy. The goal is to reduce exposure through operational controls: documented assessments before processing begins, active records of processing activities that reflect current operations, an evidence-linked risk register that connects identified risks to treatment actions, and a governance model where nothing publishes without human review.

Acompli connects these elements so that the evidence base for demonstrating compliance is built as a byproduct of the operational work, not as a separate documentation exercise conducted after the fact.

10Fit

Where Acompli fits for GDPR fine-risk reporting

Best for privacy teams turning fine exposure into a risk treatment plan: Acomplilinks board-level exposure drivers to the DPIAs, RoPA entries, transfer assessments and privacy risk records that explain why the exposure exists and what is being done about it. The GDPR Fine Calculator estimates DPC and ICO caps; the risk workflow keeps the mitigation owner, review date and evidence trail attached to the underlying issue.

Frequently asked questions

How are GDPR fines calculated under Article 83 in Ireland and the UK?

GDPR Article 83 sets two tiers — up to €10 million or 2% of worldwide annual turnover (lower tier) and up to €20 million or 4% (upper tier), whichever is higher. Within those caps the Irish DPC and EU authorities apply the EDPB's five-step methodology (Guidelines 04/2022): weigh the eleven Article 83(2) factors, set a starting amount by severity, adjust for group turnover, apply aggravating and mitigating factors, then cap at the statutory maximum. The UK ICO uses a parallel six-step model. The caps are a ceiling, not a formula.

What is the maximum GDPR fine the DPC or ICO can impose?

The upper-tier maximum is €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)); the lower tier is €10 million or 2% (Article 83(4)). The UK ICO applies the equivalent £17.5 million / 4% and £8.7 million / 2% caps under the UK GDPR. For undertakings the base is consolidated worldwide group turnover, not the single entity. The maximum-fine and two-tier breakdown for both the DPC (Ireland) and the ICO (UK) is maintained on the Acompli GDPR Fine Calculator at /gdpr-fine-calculator/; this guide focuses on the EDPB five-step method that decides where within those caps a fine actually lands.

How should a privacy team estimate GDPR fine exposure for the board?

Produce a defensible range, not a single number: identify the likely tier (a record-keeping failure is lower tier; a consent or transfer failure is upper tier), use consolidated worldwide turnover as the base, score severity (data subjects affected, sensitivity, duration, harm), then factor conduct — self-reporting, cooperation and remediation materially lower the figure. Published enforcement data puts a realistic first-infringement-with-cooperation exposure around 0.1% to 0.5% of turnover, far below the headline 4%. The Acompli GDPR Fine Calculator computes the DPC and ICO caps and illustrative ranges locally in your browser.

Why are international-transfer (Schrems II) fines so much larger?

International-transfer breaches sit in the upper tier (Article 83(5), up to €20 million or 4%), and post-Schrems II enforcement against unlawful transfers drives the outlier fines — TikTok's €530 million for China transfers and Meta's €1.2 billion for EU–US transfers, a decision of the Irish DPC. The practical takeaway: a transfer or consent failure carries disproportionately larger exposure than a record-keeping failure, so transfer mapping and Transfer Impact Assessments are worth prioritising.

Can the EDPB increase a fine set by the Irish DPC?

Yes. As lead supervisory authority for many Ireland-established technology platforms, the DPC's draft decisions can be challenged by other concerned EU authorities under the Article 60 cooperation and Article 65 consistency mechanisms, and the EDPB can issue a binding decision that raises the fine — which has happened on several high-profile DPC cases. Organisations under DPC oversight should not treat the DPC's initial figure as final and should model upside risk.

Does self-reporting a breach to the DPC or ICO reduce the fine?

Proactive notification, cooperation and early remediation are explicit mitigating factors under Article 83(2) and the EDPB five-step method (and the ICO's six-step model), and can reduce the figure at the aggravating-and-mitigating stage. The 72-hour Article 33 breach-notification duty to the DPC or ICO is mandatory regardless, and documented cooperation materially lowers exposure versus concealment, which is treated as aggravating.