The UK might be trying to distance itself from GDPR through the Data Protection & Digital Information (No.2) Bill but five years on from its implementation, the fines keep on coming and have now reached nearly €4bn.
And, according an analysis by the Atlas VPN team, the first half of 2023 saw one of the busiest for regulators, with companies slapped by fines of more than €1.5bn.
January and May were noteworthy, with nearly €400m and €1.2bn in fines, respectively. Interestingly, both months saw fines issued against Meta Platforms which controls Facebook, Instagram, WhatsApp, and other apps.
Although March only saw €1.5m in fines, it was the month when businesses received the most penalties for data violations, with a total of 46 penalties issued.
February was the month with the least amount of fines issued in H1 2023, with only 34 fines accounting for €2.6m in penalties. Overall, businesses received 237 fines throughout the first half of 2023, bringing the five year grand total to 1,679 fines. There are no figures, however, to show how many have actually been paid and how many are still under appeal.
A country by country breakdown reveals that since GDPR came into force in May 2018, Spain has accumulated 689 fines resulting in over €60m in penalties. While the average of each fine is about €88,000, Spanish businesses received more than twice the number of fines than any other country.
Italy’s data protection authorities have issued 284 fines, totalling €133m in penalties. The average fine here is about €468,000. Germany has received the third-highest number of violations, totaling 160. These fines have resulted in penalties of €55m.
Romania is the last country whose authorities have issued over 100 fines in the 5 years of GDPR’s existence. In addition, Romania has a very low average penalty of only €5,390. Greece stands out from the rest of the countries with a high average per fine of €525,000.
Cybersecurity writer at Atlas VPN Vilius Kardelis said: “The GDPR fines are significantly impacting how businesses operate and handle data. Companies must prioritise data privacy and security to avoid potential fines and reputational damage.
“As we move forward, companies must continue investing in their data protection strategies and staying informed about any updates or changes to the GDPR.”
Revealed: Data breaches which will get the ICO calling
GDPR five years on: ‘Firms just don’t fear enforcement’
GDPR five years on: The death knell for lazy marketing?
Data reform law ‘on track’ to be passed by the autumn
£4.7bn data reform cost savings branded pie in the sky
Privacy organisations fume at ‘weakened data laws’