15+ GDPR Statistics 2023 – Facts, Fines and Impact

Barry Elad

Updated · Sep 15, 2023

15+ GDPR Statistics 2023 – Facts, Fines and Impact


GDPR Statistics: The topic of privacy has been hotly debated in recent years. This is often in relation to tech giants like Facebook, Google, and others who trade user data.

This movement is being led by the EU which has issued multimillion-dollar fines to many large corporations for mishandling of personal data.

This article examines the General Data Protection Regulation (“GDPR“), which has been an icon since its creation. Numerous countries around the world have adopted similar laws.

Below are various GDPR statistics that can be used to evaluate its efficacy and provide critical information on the public’s reception.

Gripping GDPR Statistics

  • May 25, 2018, was when GDPR compliance was due.
  • 45% still worry about their privacy, even after GDPR.
  • 67% of Europeans are familiar with the GDPR.
  • Non-compliance can lead to fines of up to 4% of a company’s global turnover (or EUR20 million, whichever is greater).
  • There are no loopholes in GDPR.
  • All data breaches must immediately be reported.
  • In the first year of GDPR being enforceable, nearly 150,000 complaints were filed.
  • More than 1,000 news websites in the EU blocked EU citizens instead of complying with GDPR.
  • 93% of American decision-makers claim that they have taken steps to comply with GDPR Standards.
  • As of today, 15% of the countries have no data protection laws resulting in a worldwide impact on GDPR.
  • Around 40% of the companies in the United States of America have appointed Data Protection Officers.
  • According to GDPR Statistics, 27% of companies in the United States of America spend more than $500,000 to meet General Data Protection Regulation requirements.
  • Almost a third of EU companies are not complying with GDPR rules and regulations.
  • Today, GDPR Statistics say that the demand for Data Protection Officers has increased by more than 700%.
  • 66% of Americans say that the US government should adopt a personal data protection law similar to GDPR.
  • Only 78% of the companies in the United States of America performed GDPR gap assessments and made amendments to their privacy notices.
  • As of February 2022, more than 1,000 fines for violations of GDPR were recorded as follows: 1. Not complying with GDPR (224 companies), insufficient fulfillment of GDPR (87 companies), the insufficient legal basis for data processing (350 companies), inadequate implementation of measures to protect user privacy (202 companies), inability to comply with data subjects rights (97 companies), failure to comply with data processing agreements (6 companies), Non-fulfillment of data protection officer positions (12 companies), ineffective collaboration with supervisory authorities (41 companies) and penalties for undisclosed reasons (6 companies).

Summary of EU’s GDPR. What Is It?

The GDPR is about data protection.

These GDPR facts will give you more information about the regulation and what it means.

#1. The GDPR became legally binding on May 25, 2018.

When did the GDPR come into effect? Like any large-scale law, it took some time to get the GDPR into effect. It was first proposed in 2012. After many years of negotiations among the European Parliament Council and Commission, it finally became effective in 2016. It became effective two years later, on 25 May 2018, when its provisions were put into effect.

As of July 20, 2018, GDPR was also in effect for EEA nations (Iceland Liechtenstein, Norway, and Liechtenstein).
(Source: EUR-Lex)

#2. “Opt-Out,” is out.

General Data Protection Regulation, or “GDPR”, stands for General Data Protection Regulation. This regulation takes data protection seriously. Websites that collect our personal information are asked for consent. They had done it previously without asking us to consent, and they usually offered an “opt-out” that’d be deep within the account settings.

Websites will now be required to ask for consent from users to provide their data following the implementation of GDPR. It is now an “opt-in” system. Websites can collect personal information as long you do not press the “I agree” button.

You’re probably familiar with the pop-ups that say “This site uses cookies …” every time you visit a new page.”

That’s what the GDPR doing. Although they can be irritating, it is better than the alternative.
(Source: Securiti.ai)

#3. Companies must notify GDPR within 72 hours of any breach.

A data breach can be defined as a security event that results in the leakage of confidential user information. Even though breaches are common, they can be very serious and affect many millions. Companies will attempt to conceal the extent or even deny the breach.

That’s where GDPR steps in. The GDPR requires companies to report security incidents within 72 hours. It won’t suffice to send out a simple press release. Users will have to be personally notified.

Next time you wonder why the GDPR is being introduced, think back to Equifax. In 2017, Equifax suffered a data leak that led to the theft of private information from nearly 150,000,000 Americans.

The worst part? Equifax didn’t report it until September. The worst part? This would be a serious violation of the GDPR.

#4. The GDPR provides eight consumer rights.

The GDPR has been implemented and all businesses that store the personal data of EU citizens have to follow eight guidelines. These are the rights of the EU consumer. The regulation officially refers to them as “Rights of the Data Subject”.

They are the following: the rights of information, access, and correction, as well as the rights to rectification (also known as the right of being forgotten), the restriction of processing, the data portability, objections, and the avoidance of automated decision-making.

The Impact on the GDPR: Who Do They Target?
Since its inception, the GDPR has been a model law for the creation and promotion of numerous similar laws worldwide. California Consumer Privacy Act, the closest US law, is.

Although the GDPR was intended to improve privacy for European citizens, non-EU businesses are also required to comply. Below, we present key GDPR statistics which show the effect of the regulation on non-EU businesses.

#5. Nearly 150,000 queries were made within a year after GDPR was made enforceable.

The GDPR provided clear guidelines for what is acceptable in the data processing. It also opened up new channels to allow Europeans to report wrongdoers.

The GDPR infographic reveals that, within a year of its implementation, people and organizations had made contact with authorities with 144.376 queries and complaints regarding inadequate data protection, security breaches, or illegal video surveillance.

Fun fact – July 2019 saw an increase of 98% in complaints (41.661) compared to July 2018 (21.019).

#6. Sixty-seven percent of Europeans know about the GDPR.

As per the GDPR statistics of 2012, 2/3 of Europeans had heard of it. A further 36% claim that they are well-versed in its rules and regulations, benefits, etc.

It’s not surprising, however, that the GDPR awareness levels vary greatly between countries. For example, ninety percent know the meaning of the GDPR in Sweden, but only 44% do so in France.
(Source from European Data Protection Board)

#7. 57% know that data protection is the responsibility of public authorities in Europe.

The GDPR was created to protect the privacy and security of European citizens. But, it has also been publicized to raise the sense of being knowledgeable about the protection of data worldwide.

Only about 1/3rd, or 33%, of EU citizens, were aware that the responsibility lies with the public authorities for protecting data of information that personal existed in 2015. Since 2015, this number has increased to 57%. But only 20% of people know the right public authority to get in touch to file a doubt.
(Source Source: European Commission)

#8. Sixty-seven percent of citizens of the USA would like the United States to abide by their lead.

(Source: PR Newswire)

2/3rd of Americans say they’d love to get a sight of a “GDPR in the USA” – they agree with the government that it should do something more than data protection work and improve federal regulations.

78% also worry about how companies handle their data. Obviously, most people aren’t willing to share information that is personal in exchange for a lesser price or fewer ads on the internet. Surprisingly young people don’t care, with 45% saying that they would give up personal data to get a great deal.

#9. The whole world is being applied to the GDPR

The regulation’s main goal is to take care of the European Union citizens’ personal information. It would be pointless if it permitted foreign businesses to operate without protection. Extraterritoriality in the GDPR is important because it allows any organization to handle data of personal information of European Union subjects, no matter where they are located.

The GDPR has a direct impact on every European-based business. Because we live in a world that is not digital, it is hard to ensure that all your consumers are located within the EU. The GDPR is applicable to all organizations in the world with some exceptions only for companies of a small setup.
(Source: GDPR.eu)

#10. Many businesses with a high profile in the area did not allow the whole EU after the GDPR became effective.

Statistics from GDPR reveal that over 1000 online sites, out of which many are American, did allow access to EU visitors to access their web pages instead of following the norms of the GDPR.
News websites of America and almost 1/3rd out of these websites named in this list, also have the big news agencies names of USA.

Few of them claimed that it is not economically feasible to comply. Others say they are working to implement changes to ensure compliance. While that is nice and all, they still had to comply since 2016 and didn’t. Many businesses had to wait several months before they opened their online sites to the visitors of the European Union.
(Source: Fortune)

The worst part? Equifax did not report the incident until September. The GDPR would have severe consequences for the delay.

Every business that stores personal data from EU citizens is required to comply with eight rules as of the GDPR implementation date. These are the rights of the customer. The regulation calls them “Rights of the Data Subject”.

They include the following:
the freedom to access information, the freedom to rectify, the freedom to erase (also called the right to be forgotten), and the ability to restrict processing.

The GDPR Impact: Who Do They Target?

Since its creation, the GDPR has been a model for many other similar laws in the world. California Consumer Privacy Act (US) is the closest comparable law.

Non-EU businesses must adhere to the GDPR, even though it is designed to increase the privacy rights of European citizens. Below we examine key GDPR stats to show the impact that the regulation has had, since 2018.

How to Avoid a Fine for GDPR Compliance

It is not necessary to be fined. This is a similar situation, however, when GDPR was first implemented, it became clear that most businesses weren’t complying with the law.

Fearing penalties, many EU users were even blocked from accessing their sites in certain regions. We’ll be looking at some amusing GDPR facts, which will show you how even the largest corporation in the world couldn’t avoid paying some incredibly large fines.

#11. Amazon was hit by a huge fine from Luxembourg of EUR746 Million ($865M) in 2021.

Failure to adhere to GDPR guidelines can lead to severe financial consequences. Amazon is huge, but it can’t avoid GDPR fines. The company was fined in France $39.6 million in 2020 and by the Luxembourg National Commission for Data Protection $865 million in 2021. These cases are primarily related to Amazon’s alleged use of user data without consent. Simply put, Amazon could have avoided the penalty if it didn’t “force” users into accepting cookies.

Fun fact: The largest privacy-related fine ever issued by the US Federal Trade Commission was in 2019. The fine was $5 billion and Facebook was the target. This must have encouraged the EU to adopt a more aggressive approach.
(Source: Bloomberg)

#12. Businesses are not allowed to hide behind legalese under the GDPR.

Let’s face facts, we don’t read the Terms & Conditions or the Data Privacy Policy. Or any other information that comes with signing up for a new service.

It’s possible that we are all lazy but it is also untrue that legal terminology used in such documents is almost impossible to understand for the average person.

The GDPR is now available! Companies can no longer hide behind legalese when complying with GDPR. They are now required to disclose what they do with our data, and more importantly, explain it clearly and concisely.
(Source: Osano)

#13. The GDPR gives EU citizens the right to DSARs.

Yes, we are fully aware of the irony. We just spoke about legalese. Now we hit you with this headline. Don’t worry, we will explain everything. DSAR stands for “Data Subject Access Request”, while “data subject” refers to any individual whose data was collected by an organization.

How can you comply with GDPR in this respect? Any organization that stores personal data about EU citizens must provide an easy way for them to ask questions about how the data is being used. The organization must also provide the requested data on such a request.

Fun fact: The CCPA, California Consumer Privacy Act, has more specific provisions. The Act states, for example, that Californians must provide two ways to submit a DSAR. One must be a toll-free number. California took this to the next level.
(Source: Egnyte)

#14. The GDPR places human rights first.

What is GDPR compliance? It is the prioritization of human rights over profits and user experience. This is an easy example.

Do you know that Google Assistant is a lot better than Siri? Google uses billions of user data to feed its AI algorithm. Apple does not do this (you must opt-in to the settings of your device).

Although the Google Assistant user experience may be superior, the GDPR states that Google must follow human rights laws.

It’s not surprising that four of the Top 20 largest GDPR fines have been aimed at Google by the EU, totaling $240 million.
(Source: Secuvy.ai)

#15. The GDPR covers virtually all personal information.

What is the GDPR? Protect individual’s personal information What exactly is “personal information?” The most basic information about you (name, address, and date of birth) is your identity. ), web information (geodata IP address, cookies), basic identity information (name, address, date of birth, etc. ), biometric data (fingerprint scanners, facial recognition on smartphones), health and genetic data (all the info on your phone’s app stores), political opinions (this includes things you post on social networks) and sexual orientation.

Fun fact: While the CCPA (California Consumer Privacy Act), is similar in scope, there are two important exceptions. It does not apply to financial and personal health information. These are supposedly covered by other statutes.
(Source: CSO)

#16. The GDPR also applies to minors.

The website of the General Data Protection Regulation makes it clear that it applies to children too.

It goes so far that minors deserve additional protection because they may not be aware of all the risks. “Minors” refers to children below 16 years of age by default. However, EU member states may “may provide by law”, for a lower age as long as it is not less than 13 years.

This means that organizations must provide clear, age-appropriate guidance. The GDPR also requires that they make “reasonable efforts” to verify parental consent. We admit, however, that this is a rather vague requirement.
(Source: GDPR.eu)

GDPR Statistics by Fines Paid by Companies in 2022

(Source: moosend.com)

Take a bow

A mass surveillance society sounds to many like something from a dystopian novel. But in reality, it may be closer than we think. Regulations such as the GDPR are key to preventing corporations from gaining undue influence and power through the harvesting of personal information.

This list of GDPR statistics is a collection of interesting facts. It aims to help you understand privacy and, if you are European, to show you some rights that you may not have known about. We hope that now you are able to browse the internet with more confidence.

Barry Elad
Barry Elad

Barry is a lover of everything technology. Figuring out how the software works and creating content to shed more light on the value it offers users is his favorite pastime. When not evaluating apps or programs, he's busy trying out new healthy recipes, doing yoga, meditating, or taking nature walks with his little one.

More Posts By Barry Elad