If you do not comply with the GDPR, the Data Protection Authority can give you a fine. This could be the result of either a complaint lodged by an individual or a control initiated by the DPA itself.
The Data Protection Authority has to make sure that the fine in each individual case is effective, proportionate, and dissuasive. The DPA will take into consideration, among other things, the nature and gravity of the infringement; the level of negligence involved; whether you have taken any actions to mitigate the damage; and the budget of your company or organisation.
Fines can go up to a maximum of 4% of an organisation’s annual turnover or up to 20 million EUR – whichever figure is higher.