The expected application of the General Data Protection Regulation 2016/679 (the “Regulation”) from May 2018 is likely to have some entities fretting about the huge fines. The Regulation provides for considerably higher maximum fines and describes criteria the supervisory authorities will have to consider when deciding whether to impose an administrative fine or what amount should be set. This article explores some of the criteria defined by the Regulation and a set of guidelines on the application of administrative fines drawn up by the Article 29 Working Party. The criteria for applying administrative fines should be considered in both assessing an entity’s data protection risks and deciding about data protection measures to be implemented.