Risk of GDPR non-compliance: what every manager needs to understand before 2026
The General Data Protection Regulation (GDPR) is a European regulation that aims to protect the personal data of European Union citizens. Failure to comply with it can have serious consequences for businesses and organizations. What are the risks involved? Let's take a closer look.
Many SME and mid-sized company executives still believe that the CNIL (French Data Protection Authority) only targets digital giants. The figures tell a different story: in 2024, nearly 8 out of 10 sanctions targeted very small businesses and SMEs. This article explains, in clear, jargon-free terms, the real risks involved, the most common vulnerabilities, and concrete steps to protect against them.
Another major development, often underestimated by managers, is that the CNIL has significantly modernized its detection capabilities. The authority is now able to assess an organization's GDPR maturity level by directly scanning its websites, at varying depths. Cookie banners, trackers, legal notices, data collection forms, privacy policies, protocol security: all of this can be analyzed remotely, without prior notice, and serve as the starting point for a formal audit.
This industrialization relies on artificial intelligence, which allows the CNIL (French Data Protection Authority) to conduct these online audits on a massive and automated scale. Where a human agent used to examine a few dozen sites per year, algorithmic tools can analyze thousands in a single day, identify recurring breaches, and precisely target the most exposed organizations. For SMEs, the "background noise" of regulation has therefore fundamentally changed: simply being invisible is no longer enough to avoid detection.
Key takeaways
- Heavy financial penalties: up to €20 million or 4% of global turnover, whichever is higher.
- Expanded target: Very small businesses and SMEs now account for the majority of sanctions issued by the CNIL.
- Multiple consequences: fines, criminal penalties, damage to reputation, loss of contracts, actions for damages.
- Main lever: A structured approach to GDPR compliance, driven by management and supported by a DPO, drastically reduces the risk.
- Trends for 2025-2026: Free and Free Mobile were fined €42 million, France Travail €5 million, and Shein €150 million. Fewer fines, but much higher amounts.
Understanding the risk of GDPR non-compliance for a company
What exactly are we talking about?
The General Data Protection Regulation (GDPR) has governed all operations performed on personal data since May 2018: collection, storage, transmission, profiling, and deletion. Any organization that processes this data—customers, prospects, employees, suppliers—falls within its scope, regardless of its size or sector.
Failure to comply with the GDPR is not simply an administrative error. It entails civil, administrative and sometimes criminal liability for the data controller, which is most often the company itself and its legal representative.
Who is really affected?
The rule is broad: if your company processes personal data of individuals residing in the European Union, you are affected. This applies to the local retailer managing a loyalty program as well as to the holding company managing an international group.
Three actors are at the forefront: data controllers, data processors (IT service providers, marketing agencies, hosting providers), and any joint controllers. Each can be sanctioned independently, a fact that many companies are unaware of.
Why is this topic becoming a hot topic again?
For a long time, the application of the GDPR seemed uneven. Those days are over. In 2022, the CNIL (French Data Protection Authority) implemented a simplified sanction procedure that allows it to quickly impose fines of up to €20,000 without disclosing the identity of the organization. As a result, 69 simplified sanctions were issued in 2024, nearly three times more than in 2023.
In major cases, the amounts involved are skyrocketing. In 2025, two cookie-related rulings alone accounted for €475 million, including €325 million for Google and €150 million for Shein. The message is clear: fewer cases, but exemplary penalties.
What GDPR penalty applies to a non-compliant company?
Administrative fines imposed by the CNIL
The GDPR sets out two caps. The first, up to €10 million or 2% of global annual turnover, targets breaches such as the absence of a processing register or the failure to conduct an impact assessment. The second, up to €20 million or 4% of global turnover, penalizes the most serious violations: lack of legal basis, infringement of data subject rights, and unregulated international transfers.
The most telling CNIL fine in recent years isn't the largest in monetary terms, but rather the one imposed in December 2024 on Amazon France Logistique: €32 million for surveillance of order pickers deemed disproportionate. The message is clear: even a system presented as "productive" can cross the line into illegality if it infringes on employees' privacy.
GDPR criminal penalties
Beyond the administrative aspects, the French penal code provides for GDPR-related criminal penalties of up to five years' imprisonment and a €300,000 fine for individuals, and €1.5 million for legal entities. These penalties cover fraudulent data collection, the processing of sensitive data without a legal basis, and misuse of data. While such prosecutions remain rare, they can be added to a CNIL (French Data Protection Authority) procedure.
The indirect consequences, often the most costly
A GDPR sanction has a cost that goes far beyond the fine:
- damage to image, especially in B2B markets where compliance has become a purchasing criterion;
- loss of contracts, as some clients now require formal proof of compliance in their calls for tenders;
- actions for redress by the persons concerned, individually or via class actions;
- internal remediation costs, which often exceed the fine itself.
How is a CNIL audit triggered?
Sources and forms of control
A CNIL audit can be triggered by a complaint (the CNIL received nearly 17,800 in 2024), a breach notification sent by the company, an annual priority issue, or negative media coverage. Four formats exist: on-site inspection, hearing, online review, and document review. The latter, using a detailed questionnaire, is the most frequent and the most underestimated.
The procedure
If breaches are identified, the CNIL first issues a formal notice with a deadline. In 2024, 180 formal notices were issued. This is often the last chance to avoid a public sanction. Otherwise, the restricted panel opens a procedure that can last between six and eighteen months. For more information, you can consult the Viqtor guide on GDPR compliance auditing.
The most frequent areas of vulnerability in business
Flawed data governance
This is the primary risk factor. Many companies drafted a GDPR policy in 2018, filed it away, and never revisited it. However, tools, service providers, and data flows are constantly evolving. Without continuous monitoring, the gap with reality widens. This issue falls squarely under the purview of management: the principle of accountability enshrined in Article 5.2 of the GDPR requires demonstrating compliance at any time. This is not an obligation of means, but an obligation of proof.
The absence or poor positioning of the DPO
Appointing a Data Protection Officer (DPO) is mandatory for public authorities, organizations processing sensitive data on a large scale, or those systematically monitoring individuals. In practice, many companies benefit from appointing one even without a formal obligation, as it strengthens the chain of responsibility. However, the DPO must have the necessary resources to act: direct access to management, a budget, independence, and involvement in projects. Several recent sanctions have specifically targeted companies that appointed a purely formal DPO.
Inadequate technical security
This has become the number one reason for significant sanctions. In 2025, 29% of European fines related to inadequate technical and organizational measures. The Free and Free Mobile case, sanctioned in January 2026 with a total of €42 million, perfectly illustrates this point: the lack of multi-factor authentication on VPN access and the ineffectiveness of exfiltration detection systems were deemed serious breaches after an intrusion compromised 24 million contracts.
To structure this dimension, Viqtor's GDPR governance module offers a straightforward operational framework that can be used directly.
Do you want to concretely assess your level of exposure? The Viqtor team can assist you in a diagnosis tailored to your business.
Building an effective GDPR compliance approach
Map before correcting
No serious GDPR compliance process begins without a comprehensive mapping of data processing activities. This step is essential for everything else: identifying data flows, purposes, recipients, retention periods, and legal bases. The resulting information feeds into the processing register, a mandatory document and the first item requested in the event of a CNIL audit.
Securing contracts and the subcontracting chain
Every service provider that processes data on your behalf must be governed by a contract compliant with Article 28 of the GDPR: hosting provider, SaaS publisher, marketing agency, payroll firm. A single missing clause can be enough to make you liable in the event of a data breach at the subcontractor's premises. This point is all the more critical given that many tools transfer data outside the European Union, which requires specific safeguards that are rarely formalized.
Implementing sustainable management
Compliance is not a project, it's a process. This involves an annual review of data processing activities, a documented breach management procedure (notification within 72 hours), a training plan, monitoring of data subject rights requests, and a summary dashboard for management. The Viqtor guide to personal data details these best practices.
In conclusion
The risk of GDPR non-compliance has changed in nature over the past two years. It has become more likely because controls are becoming more standardized. More costly because authorities are adopting a strategy of imposing exemplary fines. More visible because compliance is becoming a contractual standard expected by your customers and partners.
For a leader, the question is no longer whether the effort is worthwhile, but how to structure it effectively. A well-executed approach—mapping, governance, security, and monitoring—is always less expensive than a penalty and, in the long run, constitutes a real competitive advantage.
Do you want to ensure your compliance? Chat with a Viqtor expert to structure your approach over time.
FAQ — Your questions as a leader
Which companies are affected by the risks of GDPR non-compliance?
All of them. As soon as a company processes the data of natural persons residing in the European Union—customers, prospects, employees, suppliers—it falls within the scope of the GDPR. Size, status, and sector make no difference. In 2024, nearly 8 out of 10 sanctions issued by the CNIL (French Data Protection Authority) targeted micro-enterprises and SMEs.
What happens if the CNIL opens an investigation?
The CNIL (French Data Protection Authority) first sends a notification, by mail, summons, or on-site visit. The company then has a period of time to provide the requested documents: processing register, privacy policy, subcontracting agreements, and security measures. If any shortcomings are found, a formal notice is issued, initiating a compliance period. If the situation is not rectified, sanction proceedings are initiated.
Can a subcontractor be penalized for non-compliance with GDPR?
Yes, and it happens regularly. The GDPR imposes specific obligations on data processors: security, records, breach notification, and adherence to documented instructions. A CNIL fine can target the data processor alone, the data controller alone, or both. Article 28 contracts are therefore essential to clarify who is responsible for what.
How can you quickly reduce your risk of non-compliance with the GDPR?
Three high-impact actions can be implemented within 90 days: audit and update the processing register; verify that all subcontracting agreements include the mandatory clauses of Article 28; and strengthen basic technical security (multi-factor authentication, encryption, strict access management). These three measures cover the majority of recent grounds for sanctions.
What are the maximum fines for non-compliance with the GDPR?
The GDPR sets two maximum fines: up to €10 million or 2% of global annual turnover for first-level breaches, and up to €20 million or 4% of global turnover for serious breaches (lack of legal basis, infringement of rights, unregulated data transfers). In addition to these administrative penalties, there are also criminal penalties under the French Penal Code.
What are some examples of GDPR violations that resulted in significant penalties?
Several cases stand out: Meta, fined €1.2 billion in 2023 for data transfers to the United States; Uber, €290 million in 2024 for insecure transfers; Amazon France Logistique, €32 million in 2024 for disproportionate employee monitoring; and Google, €325 million and Shein, €150 million in 2025 for cookie violations. These cases illustrate the scale of the risks and the diversity of offenses penalized.