
Enforcement of GDPR

Questions linger about how effectively GDPR is actually enforced. This blog post examines the current state of GDPR enforcement: who enforces it, what the recent fine statistics show, who is being fined and why, and what smaller companies should take from that.

Who enforces GDPR?

Each EU member state has its own data protection authority (DPA). These authorities oversee and enforce GDPR compliance within their own jurisdiction: they investigate complaints, carry out audits, issue fines and other corrective measures (such as reprimands or orders to stop processing), and publish data privacy guidance.

Indeed, local data protection authorities can provide a wealth of resources for companies. It’s a good idea to browse your local agency’s website for the most up-to-date compliance information for your area.

Together, these authorities (along with the European Data Protection Supervisor) make up the European Data Protection Board (EDPB). The EDPB works to ensure that GDPR is applied consistently across the EU: it publishes guidelines, issues opinions on the interpretation of data protection law, and can adopt binding decisions when national authorities disagree on a cross-border case.

Recent GDPR enforcement statistics

Almost 300 GDPR fines had been reported for 2023 at the time of writing, according to the website enforcementtracker.com. Here are some highlights that got our attention:

  • Spain had the heaviest enforcement, with 147 fines levied in the first 8 months of the year
  • The highest fine overall went to Meta Platforms Ireland: €1,200,000,000, imposed by the Irish DPC in May 2023 for transferring EU users' data to the United States without adequate safeguards
  • The highest fine for an EU-headquartered company was €40,000,000 (CRITEO, fined by the French CNIL for tracking users without valid consent)
  • Fines for small businesses in Europe ranged from €300 to €215,000

Let’s look at some details about these fines.


Who is getting GDPR fines, and why?

Moving on to the types of companies fined, these included:

  • Banks
  • Gyms
  • Grocers
  • Movers
  • Estate agents
  • Insurance companies
  • Marketing companies, and more.

Now, let’s look at what led to the fines. Some common violations that caught our eye were:

  • Storing personal data of registered users indefinitely, with no defined retention period
  • A privacy policy with no information about how to withdraw consent
  • Incomplete records of processing activities
  • Failure to respond to data subject rights requests (access, erasure and so on) within the statutory deadline
  • Failure to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it

Small and medium-sized businesses are usually not caught committing large-scale abuses of people’s data. Instead, they are fined for failing to put a basic GDPR framework and policies in place. That same gap leaves them more exposed to breaches and unprepared to respond when one occurs.


What can we learn from GDPR statistics?

After reviewing the enforcement data, it is clear that GDPR is being enforced, and that enforcement is becoming tougher and more frequent. If you have not already, you should soon focus on a few key compliance tasks:

  • Updating your privacy policies
  • Deleting data you no longer need
  • Monitoring your data storage
  • Responding promptly to data rights requests

Of course, every company’s specific needs differ. However, any company that processes personal data should stay on top of the tasks above. As a small business owner, your main difficulty is usually a lack of time, resources and training to get started, followed by the challenge of monitoring your everyday compliance once you have. Unlike larger companies, you probably do not have a legal team on retainer or the budget for complex enterprise solutions. That is why, at Safe Online, we have built simple, affordable GDPR compliance tools designed for small businesses, all of which support the processing of sensitive data:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
