Glossary
GDPR (data breach fines)
The EU regulation that requires breach notification and allows fines up to 4% of global turnover. The ceiling, not the expectation.
The General Data Protection Regulation governs how organizations handle personal data of people in the EU, and its Article 83 allows administrative fines up to 4% of global annual turnover or 20 million euros, whichever is higher. That number gets quoted as if it is the expected outcome. It is the statutory maximum, reserved for the worst conduct at the largest companies.
For an SME that has a breach, reports it on time, and can show reasonable controls, the realistic regulatory cost is far lower. What actually drives a fine up is failing to report or being unable to demonstrate basic security. The UK runs an equivalent regime under UK GDPR and the ICO.