Ongoing Evolution of the GDPR - Impact on Business Part 2


    In our previous discussion, we looked at how far we've come since the implementation of the General Data Protection Regulation (GDPR), set by the European Union and effective from May 2018. In this section, we look at how costly non-compliance with this worldwide benchmark for data privacy has been for some organisations. We also look at what to expect in terms of new developments and amendments to the Regulation going forward into 2024.

    Cost of noncompliance

    Covered in this Article

    The Implications of Non-Compliance 
    GDPR Enforcement
    Planned Amendments for 2024
    Ongoing Evolution

    The Implications of Non-Compliance

    We previously considered the benefits and challenges posed to businesses by the implementation of the GDPR. Since the GDPR took effect in May 2018, several landmark cases have shown the cost of non-compliance. For a large corporation with billions to spare, a fine may not seem such a major deal. But consider an SME, with already limited resources, being fined for non-compliance with the requirements of the GDPR: it could mean the end of the road. The cost also extends beyond the monetary fines and penalties, since there is reputational damage to contend with. In the analysis below we have listed only the value of the fines imposed by the various Data Protection Authorities (DPAs).

    Let's look at some of the cases in which significant fines and penalties for non-compliance have been incurred (date, organisation and fining authority, value of fine, grounds):

    January 2019 - Google, fined €50 million by France's data protection authority (CNIL): lack of transparency and valid consent regarding personalised advertising.

    January 2020 - TIM (Telecom Italia), fined €27.8 million by Italy's data protection authority (the Garante): unlawful data processing, aggressive marketing practices and invalid consent.

    October 2020 - British Airways, fined £20 million by the UK's Information Commissioner's Office (ICO): failure to protect personal data, which resulted in a data breach from a 2018 cyber-attack affecting the personal data of around 400 000 customers.

    October 2020 - H&M, fined more than €35 million by the Hamburg data protection authority (HmbBfDI): illegal surveillance of employees at its Nuremberg service centre, including the collection of excessive personal information about their private lives.

    July 2021 - Amazon, fined €746 million by Luxembourg's National Commission for Data Protection (CNPD): processing of personal data that the CNPD found did not comply with the GDPR.

    September 2021 - WhatsApp, fined €225 million by the Data Protection Commission of Ireland: lack of transparency, in particular failing to give users clear information about how their data was shared with parent company Facebook.

    September 2022 - Meta, fined €405 million by the Data Protection Commission of Ireland: failing to protect children's privacy on Instagram, where the email addresses and phone numbers of child users were published.

    May 2023 - Meta, fined €1.2 billion by the Data Protection Commission of Ireland: transferring the personal data of European users to the United States without adequate data protection mechanisms.

    These landmark cases demonstrate the seriousness with which regulatory authorities are enforcing GDPR compliance and the significant financial risk for businesses that fail to comply. They also highlight the complex and multi-faceted nature of GDPR compliance, which spans issues ranging from data security and international transfers to transparency and consent. The €1.2 billion fine levied on Meta in May 2023 surpasses all others and is a clear warning to other businesses that the GDPR's requirements are not to be viewed as trivial.

    GDPR Enforcement 

    The fines levied under the GDPR follow a two-tier structure designed to make any departure from its requirements a costly mistake. Less severe infringements can result in a fine of up to €10 million or 2% of a firm's total worldwide annual turnover for the preceding financial year, whichever is higher. More serious infringements can result in a fine of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

    According to Statista, data protection fines reached record highs in 2023. In 2019, 151 fines were issued with a total value of €73 million. In 2023, five years after the GDPR took effect, 154 fines were imposed with a total value of €1 623 million. A clear spike in the value of fines during 2021 is evident in the graph below.

    Statista data protection fines

    The drastic increase in the number and value of fines levied in recent years shows how often organisations still fall short on consent and transparency, which is a cause for concern when it comes to protecting individuals' rights over their data. It is, however, reassuring to see that European regulators are actively enforcing the law.

    Planned amendments for 2024

    At present the GDPR is enforced by independent national Data Protection Authorities (DPAs), as well as by national courts in member states. In cross-border cases, where processing affects data subjects in more than one member state, the DPA of the member state in which the organisation under investigation has its main establishment acts as the lead DPA (the "one-stop-shop" mechanism). The other DPAs concerned then cooperate with the lead DPA.

    Going forward, the European Commission has proposed additional procedural rules intended to promote cooperation and harmonisation between all parties involved, and to assist in the timely completion of investigations and the timely resolution of complaints for affected individuals.

    Streamlining cooperation

    The purpose of the amendment is to provide concrete procedural rules for authorities applying the GDPR in situations that affect individuals located in more than one member state.

    For example, the lead Data Protection Authority will be required to send a “summary of key issues” to its counterparts, identifying the main elements of the investigation and its opinion of the case. Other authorities will be able to provide their views on the matter early on, helping to reduce disagreements and foster consensus from the initial stages of the investigation. 

    Implications for individuals

    Individuals will be informed of what they need to submit when making a complaint. In addition, DPAs will ensure the appropriate involvement of the individuals throughout the process. The new rules also establish common rights for complainants to be heard in cases where their complaints are fully or partially rejected.

    Implications for businesses

    Businesses (both controllers and processors) will be informed of their due process rights when a DPA investigates a potential infringement of the GDPR. Those being investigated will have the right to be heard at specific stages of the investigation. Provision is also made for the European Data Protection Board to resolve disputes between the DPAs involved in a case.

    Ongoing evolution 

    By harmonising the procedures followed in the GDPR enforcement process, the focus going forward is on supporting the timely completion of investigations and the delivery of swift corrective action for individuals.

    Based on the outcomes of the past five years and the planned amendments for 2024 onwards, it is clear that the GDPR is continuously evolving. It is therefore vital for businesses to stay informed and adapt to the changing regulatory landscape. 
