Connecting Cybersecurity and GDPR Fines


Introduction

Since the General Data Protection Regulation (GDPR) came into effect in 2018, companies across the European Union (EU) have faced significant financial penalties for failing to comply with data protection standards. These fines are often proportionate to the company’s revenue, reflecting GDPR’s intention to hold organizations of all sizes accountable.


In this post, we examine data on GDPR fines and analyze how they vary in relation to company revenue, providing insights on the minimum, maximum, and average fine amounts imposed across the EU.

Key Findings

Average Fine Amount: 0.2309 % of revenue or budget

This average helps establish a benchmark for understanding typical fines and suggests that GDPR enforcement is scaled based on the nature and magnitude of non-compliance.


Minimum Fine Amount: 0.0001 % of revenue or budget

This minimum fine amount indicates that GDPR enforcement is applied universally, with penalties even for minor infringements or smaller organizations.


Maximum Fine Amount: 1.3962 % of revenue or budget

This maximum fine reflects the severity with which GDPR penalizes substantial violations, especially among larger corporations.

Data and Analysis

Our analysis is based on a dataset of GDPR fines levied against companies in the EU; it can be found here: cybersecurity fines.


Data Composition: Each record in our dataset captures information on a specific GDPR fine, including the fine amount itself and the annual revenue or budget of the company or organization that paid it. This enables us to examine the relationship between the size of the fine and the financial scale of the company. A small sample can be seen below:


Small data sample showing the format of the dataset.

A more detailed explanation of the columns is as follows:

  • name - The name of the company that paid the fine.

  • industry - The industry in which the company is mainly active.

  • domain - Domain name of the company.

  • org_size_eur - Revenue or budget from the previous financial year in EUR (€).

  • country - Country of the company’s headquarters.

  • amount - The amount of the penalty paid in EUR (€).

  • authority - The supervisory authority that issued the fine.

  • year - The year in which the penalty was issued.

  • reference - The source of the information.

  • reason - The reason the company had to pay the fine.

  • summary - A short summary of why the company received the penalty.

  • infringement - Which articles of the GDPR were violated.

To relate company size to the amount of the penalty in a very simple way, a new column is introduced: Penalty = amount / org_size_eur. The column is visualized in a boxplot:

Boxplot visualizing penalties in % of org_size_eur (either revenue or budget)

Data Cleaning: Extreme fines or revenue figures were examined carefully. In some cases, fines that were disproportionately large relative to the company’s revenue were flagged as potential outliers. After review, we either retained or excluded certain data points based on documented sources or validation checks.

Histogram visualizing penalties after data cleaning in % of org_size_eur

Boxplot visualizing penalties after data cleaning in % of org_size_eur

Data and Model Limitations: While the data is extensive, it is important to note that it may not capture every fine issued, as some fines are not publicly disclosed. Additionally, revenue data is sourced directly from the company website where possible, but some entries are taken from publicly available financial reports, which could lead to slight variations.


Using this data, we calculated basic descriptive statistics, focusing on the minimum, maximum, and mean (average) fine amounts across the EU. These metrics help us understand the distribution of GDPR fines and the typical financial impact of GDPR enforcement.
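The steps above (deriving the Penalty column, flagging candidates for the outlier review, and computing min/max/mean) as an added Python example; this is not the post's own analysis code. The CSV rows are constructed to match the column layout described above, and the flagging rule assumes the standard boxplot whisker criterion (Tukey's 1.5 × IQR), which the post does not state explicitly.

```python
import csv
import io
import statistics

# Constructed sample in the dataset's column layout; the companies and figures are illustrative only.
SAMPLE_CSV = """name,industry,domain,org_size_eur,country,amount,authority,year,reference,reason,summary,infringement
Alpha Retail,Retail,alpha.example,50000000,DE,100000,DE DPA,2022,ref-1,insufficient legal basis,Marketing emails,Art. 6
Beta Health,Healthcare,beta.example,8000000,FR,40000,CNIL,2021,ref-2,insufficient security,Unencrypted records,Art. 32
Gamma Telco,Telecom,gamma.example,2000000000,ES,2000000,AEPD,2023,ref-3,transparency,Unclear notice,Art. 13
Delta Shop,Retail,delta.example,300000,IT,1500,Garante,2020,ref-4,video surveillance,Camera without notice,Art. 5
Epsilon App,Software,epsilon.example,120000,NL,60000,AP,2022,ref-5,insufficient security,Open database,Art. 32
Zeta Bank,Finance,zeta.example,900000000,AT,2700000,DSB,2021,ref-6,access rights,Late subject access,Art. 15
Eta Clinic,Healthcare,eta.example,5000000,SE,40000,IMY,2023,ref-7,insufficient security,Shared logins,Art. 32
Theta NGO,Non-profit,theta.example,,BE,5000,APD,2021,ref-8,cookies,Non-compliant banner,Art. 7
"""


def load_penalties(csv_text):
    """Parse rows and add the derived column Penalty = amount / org_size_eur, expressed in percent.
    Rows without a usable revenue/budget figure are skipped, since no ratio can be formed for them."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        size = float(row["org_size_eur"] or 0)
        if size <= 0:
            continue
        row["penalty_pct"] = 100.0 * float(row["amount"]) / size
        rows.append(row)
    return rows


def flag_outliers(rows, k=1.5):
    """Return names whose penalty ratio lies above the upper boxplot whisker (Q3 + k * IQR).
    These are candidates for the manual review step, not automatic exclusions."""
    q1, _, q3 = statistics.quantiles([r["penalty_pct"] for r in rows], n=4)
    upper = q3 + k * (q3 - q1)
    return [r["name"] for r in rows if r["penalty_pct"] > upper]


def exclude(rows, names):
    """Drop the rows a reviewer decided to exclude after checking their sources."""
    return [r for r in rows if r["name"] not in set(names)]


def describe(rows):
    """Descriptive statistics of the penalty ratio in percent: minimum, maximum and mean."""
    values = [r["penalty_pct"] for r in rows]
    return {"min": min(values), "max": max(values), "mean": statistics.fmean(values)}
```

Running flag_outliers on the sample surfaces only Epsilon App (a 60,000 € fine against 120,000 € revenue, i.e. 50 %); excluding it moves the mean from about 7.5 % to 0.4 %, which is the kind of shift the cleaning step above is meant to reveal.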

Conclusion

GDPR enforcement is robust and reflects the regulation’s commitment to protecting data privacy across the EU. The substantial range of fines illustrates the EU’s dedication to accountability at all levels, and the average fine amount provides insight into typical penalties. Businesses operating in the EU should treat these statistics as a reminder of the importance of rigorous data protection practices.
