Since the General Data Protection Regulation (GDPR) came into effect in 2018, companies across the European Union (EU) have faced significant financial penalties for failing to comply with data protection standards. These fines are often proportionate to the company’s revenue, reflecting GDPR’s intention to hold organizations of all sizes accountable.
In this post, we examine data on GDPR fines and analyze how they vary in relation to company revenue, providing insights on the minimum, maximum, and average fine amounts imposed across the EU.
This average helps establish a benchmark for understanding typical fines and suggests that GDPR enforcement is scaled based on the nature and magnitude of non-compliance.
This minimum fine amount indicates that GDPR enforcement is applied universally, with penalties even for minor infringements or smaller organizations.
This maximum fine reflects the severity with which GDPR penalizes substantial violations, especially among larger corporations.
Our analysis is based on a dataset of GDPR fines levied against companies in the EU; it can be found here: cybersecurity fines.
Data Composition: Each record in our dataset captures information on a specific GDPR fine, including the fine amount itself and the annual revenue or budget of the company or organization that paid it. This enables us to examine the relationship between the size of the fine and the financial scale of the company. A small sample can be seen below:
A more detailed explanation of the columns is as follows:
name - The name of the company that paid the fine.
industry - The industry in which the company is mainly active.
domain - Domain name of the company.
org_size_eur - Revenue or budget from the previous financial year in EUR (€).
country - Country of the company’s headquarters.
amount - The amount of penalty paid in EUR (€).
authority - Responsible authority that issued the fine.
year - The year in which the penalty was issued.
reference - The source of the information.
reason - The reason the company had to pay the fine.
summary - A summary of why the company received the penalty.
infringement - Which articles of the GDPR were violated.
To capture a simple relationship between company size and the penalty paid, a new column is introduced: Penalty = amount / org_size_eur. The distribution of this column is visualized in a boxplot:
Data Cleaning: Extreme fines or revenue figures were examined carefully. In some cases, fines that were disproportionately large relative to the company’s revenue were flagged as potential outliers. After review, we either retained or excluded certain data points based on documented sources or validation checks.
Data and Model Limitations: While the data is extensive, it may not capture every fine issued, as some fines are not publicly disclosed. Additionally, revenue data is taken from the company's own website where available, with some entries taken from publicly available financial reports instead, so figures may vary slightly in basis or reporting period.
Using this data, we calculated basic descriptive statistics, focusing on the minimum, maximum, and mean (average) fine amounts across the EU. These metrics help us understand the distribution of GDPR fines and the typical financial impact of GDPR enforcement.
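As an added example (not code from the original post), the following Python script builds the Penalty = amount / org_size_eur column, computes the minimum, maximum, mean and median, and applies the same 1.5×IQR whisker rule a boxplot uses to flag outliers, over a constructed sample laid out in the dataset's columns (the company names and figures are placeholders, not real fines). It also guards against a missing or zero org_size_eur, and flags records that exceed the Art. 83(5) GDPR ceiling (the higher of EUR 20M and 4% of annual turnover), which is a useful validation check before deciding whether to retain an extreme data point.

```python
"""Penalty ratio, descriptive statistics and boxplot-style outlier flagging
for GDPR fine records. Added example; the records below are constructed
placeholders in the dataset's column layout, not real fines."""
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed sample records (placeholders, not real companies or fines).
SAMPLE: List[Dict] = [
    {"name": "ExampleCo A", "org_size_eur": 5_000_000,   "amount": 20_000},
    {"name": "ExampleCo B", "org_size_eur": 120_000_000, "amount": 1_500_000},
    {"name": "ExampleCo C", "org_size_eur": 800_000,     "amount": 5_000},
    {"name": "ExampleCo D", "org_size_eur": 2_000_000,   "amount": 400_000},     # disproportionate, but legal
    {"name": "ExampleCo E", "org_size_eur": 0,           "amount": 10_000},      # revenue missing
    {"name": "ExampleCo F", "org_size_eur": 50_000_000,  "amount": 300_000},
    {"name": "ExampleCo G", "org_size_eur": 100_000_000, "amount": 25_000_000},  # above Art. 83(5) ceiling
    {"name": "ExampleCo H", "org_size_eur": 3_000_000,   "amount": 9_000},
    {"name": "ExampleCo I", "org_size_eur": 10_000_000,  "amount": 150_000},
]

# Art. 83(5) GDPR: fines go up to EUR 20M or 4 % of worldwide annual
# turnover, whichever is higher. A fine that exceeds BOTH cannot be right.
ART83_FIXED_CAP_EUR = 20_000_000
ART83_TURNOVER_SHARE = 0.04


def penalty_ratio(record: Dict) -> Optional[float]:
    """amount / org_size_eur, or None when revenue is missing or zero."""
    size = record.get("org_size_eur")
    if not size or size <= 0:
        return None
    return record["amount"] / size


def exceeds_art83_ceiling(record: Dict, ratio: float) -> bool:
    """True when the fine is above both the fixed and the turnover-based cap."""
    return record["amount"] > ART83_FIXED_CAP_EUR and ratio > ART83_TURNOVER_SHARE


def describe(values: List[float]) -> Dict[str, float]:
    """Minimum, maximum, mean and median of a list of values."""
    return {
        "min": min(values),
        "max": max(values),
        "mean": statistics.fmean(values),
        "median": statistics.median(values),
    }


def iqr_bounds(values: List[float], k: float = 1.5) -> Tuple[float, float]:
    """Whisker bounds [Q1 - k*IQR, Q3 + k*IQR], as a boxplot draws them."""
    q1, _, q3 = statistics.quantiles(values, n=4, method="inclusive")
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def analyse(records: List[Dict]) -> Dict:
    """Build the Penalty column and return stats plus the records to review."""
    ratios: List[Tuple[str, float]] = []
    skipped: List[str] = []
    above_cap: List[str] = []
    for rec in records:
        ratio = penalty_ratio(rec)
        if ratio is None:
            skipped.append(rec["name"])  # cannot compute a ratio without revenue
            continue
        if exceeds_art83_ceiling(rec, ratio):
            above_cap.append(rec["name"])  # likely a unit or transcription error
        ratios.append((rec["name"], ratio))

    lo, hi = iqr_bounds([r for _, r in ratios])
    return {
        "amount_stats": describe([rec["amount"] for rec in records]),
        "ratio_stats": describe([r for _, r in ratios]),
        "ratio_outliers": [n for n, r in ratios if r < lo or r > hi],
        "skipped_no_revenue": skipped,
        "above_art83_cap": above_cap,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Because fine amounts are heavily right-skewed, the median is reported alongside the mean; on the sample above the two differ by an order of magnitude, which is why a single "average fine" should be read together with the minimum and maximum. Records listed under above_art83_cap should be checked against their reference source before being retained.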
GDPR enforcement is robust and reflects the regulation’s commitment to protecting data privacy across the EU. The substantial range of fines illustrates the EU’s dedication to accountability at all levels, and the average fine amount provides insight into typical penalties. Businesses operating in the EU should treat these statistics as a reminder of the importance of rigorous data protection practices.
And keep up with the infosec industry :)