Firms have paid out more than $4.8 billion in GDPR fines since 2018
Tech giants headquartered in Ireland attract the biggest GDPR fines


Businesses have forked out €4.5 billion for GDPR violations over the last six years, with Spain, Italy, and Germany imposing the biggest fines.
Research from security firm NordLayer shows that individual data protection authorities (DPAs) have between them issued 2,072 violation decisions under the legislation since 2018.
"We've witnessed businesses across industries change their data handling practices and invest in security measures to achieve compliance," said Carlos Salas, cyber security expert at NordLayer.
"While full compliance has been challenging for many companies, the GDPR's impact in empowering individuals and holding organizations accountable for data mishandling cannot be overstated. It has reshaped the digital landscape, forcing a much-needed prioritization of privacy rights."
Spanish businesses were the worst offenders, violating GDPR 842 times and paying out €80 million in fines since 2018.
Italy was second on the list: although the country's organizations received half the number of GDPR violations compared with Spain, they paid nearly three times as much in fines. Companies in Italy were issued 358 fines and paid nearly €229 million.
German organizations received 186 fines, resulting in €55 million worth of penalties. Romanian businesses weren't far behind with 179 fines, but have paid only €1.1 million. Poland rounds out the top five, with companies receiving 73 fines, resulting in nearly €4 million in losses.
Ireland isn’t scared to dish out GDPR fines
In terms of the biggest payouts, it's Ireland that stands out, with €2.8 billion in fines issued since 2018. The main reason, of course, is that many of the largest tech companies, such as Meta and TikTok, have registered their European subsidiaries there and have been hit with multi-million-dollar fines.
Indeed, it's Meta that's far and away the biggest violator of GDPR, having been slapped with six of the EU's ten biggest fines.
The biggest cost the company €1.2 billion, for insufficient legal basis for data processing in 2023. There were also two fines of around €400 million for non-compliance with general data processing principles.
In 2021, Amazon had to pay €746 million to Luxembourg’s data protection authorities; while last year, TikTok paid €345 million. Google was punished twice in 2021 for having insufficient legal basis for data processing, and paid €90 million and €60 million for separate violations.
And it's insufficient legal basis for data processing that's the most common reason for a fine, with 635 cases since 2018, costing companies €1.6 billion. For non-compliance with general data processing principles, organizations were fined 578 times and paid over €2 billion.
"Achieving and maintaining GDPR compliance is an ongoing journey, not a one-time destination," Salas said.
"Data protection regulations evolve, and cyber threats become more sophisticated, so businesses must remain proactive in their data privacy and security approach."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.