Disclosure: BusinessConnect earns affiliate commissions from some links on this page. This does not affect our recommendations.

GDPR Fines Statistics 2026: What Small Companies Actually Pay

Published 2026-05-20 · Updated 2026-07-03 · BusinessConnect

GDPR turned eight in May 2026, and the enforcement numbers keep climbing. The headlines are dominated by billion-euro fines against big tech — but the statistics also show a second, much quieter track of small fines against small companies that rarely gets reported. This page collects the key GDPR fine statistics for 2026, every one of them with a named source, and then looks at what the data actually means if you run a small business.

GDPR fines: key statistics (2026)

Cite this page: BusinessConnect, “GDPR Fines Statistics 2026”, businessconnect.lt, updated 3 July 2026. All statistics are free to quote with a link to this page or to the primary source next to each number.

GDPR fines by year

The annual totals below come from DLA Piper's yearly GDPR Fines and Data Breach Surveys. Note that most survey periods run late January to late January, so they approximate — but do not exactly match — calendar years.

PeriodFines issuedChangeSource
25 May 2018 – 27 Jan 2021≈ €0.2bn*Derived*
28 Jan 2021 – 27 Jan 2022≈ €1.1bn“Nearly a sevenfold increase” on the prior yearDLA Piper, Jan 2022
28 Jan 2022 – 25 Jan 2023≈ €1.64bn+50% year on yearDLA Piper, Jan 2023
28 Jan 2023 – 27 Jan 2024≈ €1.78bn+14% year on yearDLA Piper, Jan 2024
Calendar year 2024≈ €1.2bn−33% vs 2023DLA Piper, Jan 2025
Calendar year 2025≈ €1.2bnRoughly flat vs 2024DLA Piper, Jan 2026
Cumulative, 25 May 2018 – 10 Jan 2026€7.1bnDLA Piper, Jan 2026

* The first row is not separately reported in the sources above; it is derived by subtracting the later survey periods from the €7.1bn cumulative total, so treat it as an approximation only.

Two different totals circulate for cumulative GDPR fines: DLA Piper's €7.1bn (a survey of supervisory authorities across 31 European jurisdictions) and the CMS Enforcement Tracker's ~€6.11bn (a database of individually documented public fines, 2,685 of them as of 1 March 2026). The datasets are built differently, which is why the numbers differ — cite whichever matches your use case, and name the source.

The largest GDPR fines ever issued

Per the CMS Enforcement Tracker Report (as of 1 March 2026), the ten largest GDPR fines to date:

  1. Meta Platforms Ireland — €1.2 billion (Ireland, 2023)
  2. TikTok Technology Limited — €530 million (Ireland, 2025)
  3. Meta Platforms, Inc. — €405 million (Ireland)
  4. Meta Platforms Ireland — €390 million (Ireland)
  5. TikTok Limited — €345 million (Ireland)
  6. LinkedIn — €310 million (Ireland, 2024)
  7. Uber Technologies Inc. / Uber B.V. — €290 million (Netherlands, 2024)
  8. Meta Platforms Ireland — €265 million (Ireland)
  9. Meta Platforms Ireland — €251 million (Ireland, 2024)
  10. WhatsApp Ireland — €225 million (Ireland)

Nine of the top ten were issued in Ireland — a structural effect of the GDPR's one-stop-shop mechanism, since most large US tech companies have their EU headquarters in Dublin.

Fines by country: two very different league tables

The takeaway for a small business: the value league table is about big tech, but the count league tables — Spain's 1,048 fines, France's 67 simplified-procedure sanctions in one year — are largely about ordinary companies.

What businesses get fined for

The CMS Enforcement Tracker Report ranks violation types by frequency across all tracked fines:

  1. Insufficient legal basis for data processing (the most common)
  2. Non-compliance with general data processing principles
  3. Insufficient technical and organisational security measures
  4. Insufficient fulfilment of data subjects' rights
  5. Insufficient fulfilment of information obligations

France's 2025 numbers show the same pattern at small-business scale: the CNIL sanctioned 21 entities for cookie and tracker breaches, 16 for improper employee video surveillance, 14 for insufficient data security, 14 for failing to cooperate with the regulator, 14 for ignoring erasure/objection/access requests, and 10 for marketing-prospecting violations. Cookies, cameras, security basics and ignored data requests — not exotic edge cases.

What do small companies actually pay?

Honest answer first: there is no reliable public statistic for the “average small-business GDPR fine”. Many small-company sanctions are never published — the CNIL's 67 simplified-procedure decisions from 2025, for example, are confidential by design. Treat any precise “average SME fine” figure you see online with suspicion. What the verifiable record does show:

A documented small-company case: Knuddels, €20,000

Germany's first-ever GDPR fine, issued on 21 November 2018 by the Baden-Württemberg data protection authority (LfDI), went to Knuddels.de, a small German chat platform. After a hack exposed user credentials, the investigation found the company had stored user passwords in plain text — a violation of Article 32(1)(a) GDPR. The fine: €20,000 (IAPP).

The instructive part is why the fine stayed low. Per the regulator, Knuddels contacted the authority directly after the hack, informed users immediately and comprehensively, cooperated in what the LfDI called an “exemplary” way, and invested a six-figure sum in fixing its security. The LfDI's head stated openly that the goal was better data protection, not maximum fines. Two lessons for any small business: report breaches fast (you have 72 hours), and cooperation measurably reduces the damage.

How to stay out of this table

Across the CMS violation rankings and the CNIL's 2025 caseload, small-company enforcement keeps hitting the same missing basics. The essential minimum:

  1. A proper cookie consent mechanism on your website
  2. A clear, comprehensive privacy policy
  3. A documented process for handling data subject requests
  4. Data processing agreements with your third-party tools
  5. A breach notification procedure (72-hour deadline)

Items 1 and 2 — the exact areas behind the CNIL's 21 cookie sanctions and the most common violation categories — are the easiest to automate. A compliance platform like Termly handles both: the free plan includes a cookie banner with automatic script blocking, one basic policy and 10,000 banner views per month, and paid plans run $10–15/month (billed annually) with a 30-day money-back guarantee — we break down the plans and limits in our full Termly review. For the wider toolbox, see our GDPR compliance tools comparison.

Cheapest insurance

Don't end up in this table

Every dataset on this page points the same way: small companies get fined for missing basics — cookie consent, privacy policies, ignored data requests. Termly covers the first two for less per year than even the smallest fine on the CNIL's published list, with a free plan to start and a 30-day money-back guarantee on paid plans. It covers GDPR, UK GDPR and CCPA.

Frequently Asked Questions

How much have GDPR fines totalled since 2018?

According to DLA Piper's GDPR Fines and Data Breach Survey (January 2026), European supervisory authorities reported an aggregate of 7.1 billion euros in GDPR fines from 25 May 2018 to 10 January 2026. Around 1.2 billion euros of that was issued in 2025 alone.

What is the largest GDPR fine ever issued?

The largest GDPR fine ever is 1.2 billion euros, issued by the Irish Data Protection Commission against Meta Platforms Ireland in 2023 for unlawful EU-US data transfers. The largest fine of 2025 was 530 million euros against TikTok, also from the Irish DPC.

Do small businesses really get fined under GDPR?

Yes. GDPR applies to any business that processes personal data of EU residents, regardless of size. In 2025, 67 of the French CNIL's 83 sanctions went through its simplified procedure, which handles cases involving companies and independent professionals — these smaller decisions are simply not published, so they rarely make headlines.

How much do GDPR fines cost for small businesses?

The legal maximum is 20 million euros or 4% of worldwide annual turnover, whichever is higher. In practice, documented fines start much lower: the CNIL's published sanction list includes fines from 500 euros, and Germany's first GDPR fine was 20,000 euros against the small chat platform Knuddels. There is no reliable public statistic for an average small-business fine, because many small-company sanctions are never published.

What's the fastest way to make my website GDPR compliant?

The fastest approach is a compliance platform that handles cookie consent and privacy policy generation in one setup — for example, Termly's free plan includes a cookie banner with automatic script blocking, one basic policy and 10,000 banner views per month, with paid plans from 10 dollars per month billed annually.

Keep reading