GDPR Data Breach Fine Exposure Estimator

Translate your GDPR incident metrics into a regulator-style penalty range. Combine worldwide turnover, the appropriate Article 83 tier, the number of affected records, and a mitigation score to surface a high-low fine estimate, the statutory cap reference, and a per-record exposure benchmark for breach playbooks and board updates.

  • Worldwide turnover: Most recent audited worldwide revenue, before VAT.
  • Severity tier (%): Enter 4.00 for upper-tier infringements (Art. 83(5)) or 2.00 for lower-tier violations (Art. 83(4)).
  • Affected records: Count unique data subjects or records involved in the incident.
  • Mitigation score: 0 means no mitigation, 1 means exemplary cooperation and remediation.

Outputs are directional for planning. Regulatory decisions depend on detailed fact patterns, authority discretion, and qualified legal review.

Examples

  • Example 1 — €120,000,000.00 turnover, 4.00% severity tier, 25,000 records, mitigation score 0.60 ⇒ Projected fine range: €1,395,224.23 – €2,761,974.49 | Statutory cap reference: €20,000,000.00 (Upper tier (Art. 83(5))) | Implied fine per record at upper bound: €110.48
  • Example 2 — €48,000,000.00 turnover, 2.00% severity tier, 8,000 records, mitigation score 0.35 ⇒ Projected fine range: €377,827.32 – €528,420.41 | Statutory cap reference: €10,000,000.00 (Lower tier (Art. 83(4))) | Implied fine per record at upper bound: €66.05

FAQ

How do I choose the mitigation score?

Score toward 1.0 if you notify within 72 hours, provide detailed containment evidence, and document affected parties; use lower scores when timelines slip or remediation is incomplete.

Does this replace legal counsel guidance?

No. Use the estimator to brief counsel and leadership, then collaborate with legal advisers on authority-specific precedent and aggravating factors.

Can I switch currencies?

The calculator assumes euro amounts. Convert local currency figures to EUR before input so the results align with GDPR fine ceilings and press releases.

What if multiple violations apply?

Enter the highest applicable severity tier and aggregate record counts so you model the most conservative exposure for planning and reserve setting.

How can I stress-test insurer coverage?

Run best- and worst-case mitigation scores to compare the resulting fine range against your cyber insurance limit and self-insured retention.

Additional Information

  • Severity percentage maps to the Article 83(4) or 83(5) statutory ceiling, whichever delivers the higher cap.
  • Impacted record count feeds a logarithmic scaling factor that mirrors how authorities weigh incident scope.
  • Mitigation score tempers the exposure to reflect regulator leniency for rapid notification, remediation, and cooperation.
  • Per-record exposure highlights the upper-bound liability on a per-subject basis for insurance gap analysis.
  • Outputs are formatted in euros with two decimals and thousands separators for immediate insertion into incident reports.