Incident Type: Compliance · Updated April 2026

Compliance Violation Cost: When a Regulatory Incident Hits

Q: What is the biggest GDPR fine ever issued?

Meta (Instagram) was fined €1.2 billion by the Irish Data Protection Commission in May 2023, the largest GDPR fine on record. The fine related to unlawful transfers of EU personal data to the United States without adequate safeguards. Amazon was fined €746 million in 2021, the previous record. GDPR fines have accelerated significantly since 2022, with total fines issued exceeding €4 billion cumulatively.

Q: How much is a HIPAA violation?

HIPAA violation penalties are tiered by culpability. Tier 1 (no knowledge): $145-$29,000 per violation. Tier 2 (reasonable cause): $1,450-$58,000 per violation. Tier 3 (wilful neglect, corrected): $14,500-$58,000 per violation. Tier 4 (wilful neglect, not corrected): $58,000-$2,190,000 per violation. Each category has an annual cap. The minimum annual penalty is $25,000 per violation category, and the maximum is $2.19M.

Q: What does a PCI DSS violation cost?

PCI non-compliance costs $5,000-$100,000 per month in fines levied by the card brands through your acquiring bank. Additional penalties apply if a breach occurs during a period of non-compliance: these card brand fines range from $5,000 to $100,000 per incident, plus mandatory forensic investigation costs (PCI-DSS forensic investigator fees of $20,000-$100,000+). Losing card acceptance rights is the ultimate penalty and effectively ends many businesses.

A compliance violation is an incident with a specific cost profile: a regulatory fine, remediation costs, legal fees, and reputational damage, all triggered by a failure to meet a legal or contractual obligation. Unlike security incidents where the trigger is an external attacker, compliance incidents often begin internally, through inadequate data handling, missed breach notifications, or audit failures. The financial exposure can exceed typical security incident costs, particularly for GDPR violations at 4% of global revenue.

GDPR (General Data Protection Regulation)

Violation Category	Maximum Fine	Example
Less serious violations (Art. 83(4))	€10M or 2% of global annual turnover (whichever higher)	Failure to maintain records, failure to notify supervisory authority
More serious violations (Art. 83(5))	€20M or 4% of global annual turnover (whichever higher)	Data processing without legal basis, breach of data subjects' rights

Notable GDPR Fines (2021-2025)

Organisation	Year	Fine	Reason
Meta (Instagram)	2023	€1.2B	Unlawful EU-US data transfers
Amazon	2021	€746M	Non-compliant cookie consent
WhatsApp (Meta)	2021	€225M	Transparency violations
Google (Ireland)	2022	€60M	Cookie consent issues (French DPA)
British Airways	2020	£20M	2018 breach; inadequate security

Calculate your GDPR fine exposure at gdprfine.com

HIPAA (Health Insurance Portability and Accountability Act)

Tier	Culpability	Per Violation Range	Annual Cap
Tier 1	No knowledge (reasonable care exercised)	$145-$29,000	$25,000
Tier 2	Reasonable cause (not wilful neglect)	$1,450-$58,000	$100,000
Tier 3	Wilful neglect, corrected within 30 days	$14,500-$58,000	$250,000
Tier 4	Wilful neglect, not corrected	$58,000-$2,190,000	$2,190,000

Note: HIPAA penalties are per violation, and multiple violations occurring in the same audit can be cited separately. A single incident can trigger Tier 4 penalties across multiple violation categories simultaneously.

PCI DSS (Payment Card Industry Data Security Standard)

PCI Non-Compliance Cost	Amount	Notes
Non-compliance fines (monthly)	$5,000-$100,000/month	Levied by card brands through acquiring bank
Breach during non-compliance	$5,000-$100,000 per incident	Plus card brand assessments and forensics
Mandatory PFI (forensic investigation)	$20,000-$100,000+	Required for any breach; QSA or PFI firm
Card replacement costs	$3-$5 per reissued card	Card brands charge back to merchant's acquirer
Operating in non-compliant state	Loss of card acceptance rights	Terminal penalty; effectively ends most businesses

Full PCI compliance cost guide at pcicompliancecost.com

Cost Beyond the Fine

Regulatory fines are typically 20-30% of total compliance violation cost. The larger costs are:

Legal counsel

$200K-$2M+

Regulatory defence, data subject claim defence, internal investigation

Remediation programme

$100K-$5M

Technical and process changes to achieve and demonstrate compliance

Notification costs

$20K-$2M

Individual notification to affected data subjects; credit monitoring

Reputation damage

Unquantifiable

Customer churn, brand damage, reduced new business conversion

Insurance premium increase

+$50K-$200K/yr

Cyber insurance renewal post-incident

Increased audit scope

+$30K-$150K/yr

Mandatory follow-up audits, enhanced monitoring periods

Frequently Asked Questions

What is the biggest GDPR fine ever issued?

Meta (Instagram) was fined €1.2 billion by the Irish DPC in May 2023 for unlawful EU-US data transfers. Total GDPR fines issued cumulatively have now exceeded €4 billion.

How much is a HIPAA violation?

HIPAA penalties range from $145 per violation (Tier 1, no knowledge) to $2.19M per violation (Tier 4, wilful neglect uncorrected). Each violation category in a single incident can be penalised separately.

What does a PCI DSS violation cost?

$5,000-$100,000 per month in ongoing non-compliance fees, plus card brand fines and mandatory forensic investigation ($20K-$100K+) if a breach occurs during non-compliance.

Is a compliance violation the same as a data breach?

Not necessarily. A data breach may trigger a compliance violation (e.g. GDPR notification failure, HIPAA breach notification failure). But compliance violations can also occur without a data breach, such as failing a PCI audit, inadequate consent mechanisms, or missing mandatory training documentation.

Who decides the fine amount?

Fines are levied by regulatory authorities (GDPR: national Data Protection Authorities; HIPAA: US HHS Office for Civil Rights; PCI: card brands through acquiring banks). Regulators consider cooperation, remediation effort, and the organisation's security programme when determining the final penalty.