GDPR Statistics – 3 Years On

The GDPR was officially implemented in May 2018. This in-depth guide lists and explains the most relevant GDPR statistics since the policy went into effect.

Below you’ll learn more about the latest GDPR trends and how these statistics will impact the future of data privacy.

What is the GDPR?

GDPR is an acronym for “General Data Protection Regulation.” It’s a data privacy and protection law that’s enforced in the European Union (EU) and the European Economic Area (EEA).

The primary purpose of the GDPR is to give individuals more control over their personal data. It encompasses concepts like how data is collected, how data is stored, and how individuals maintain certain rights to their data.

The GDPR is also designed to create unified data privacy legislation and enforcement throughout the EU. These laws ensure that data privacy regulations will continue to adapt as technology changes in the coming years.

In terms of user privacy, the GDPR sets out the conditions under which users decide if and how they share personal data with businesses. Here’s a summary of the eight user privacy rights outlined in Chapter 3 of the GDPR:

  • The Right to be Informed — If a business is collecting or processing personal data, the user has a right to know who is processing it, why they’re processing it, what type of data is being collected, and how that data will be stored. Organizations are also required to inform users if they’re sharing data with any third parties.
  • The Right of Access — Article 15 of the GDPR states that users can request information about their personal data being processed by an organization through a “Subject Access Request.” Organizations might be asked to provide documentation related to a user’s data that’s being collected, processed, or stored.
  • The Right to Rectification — Accuracy is a fundamental principle of data processing under GDPR. Users have the right to correct any inaccurate data that businesses are collecting or processing about them.
  • The Right to Erasure — Users have the right to request that their personal data be deleted. This is often referred to as the “Right to be Forgotten,” and it’s explained in Article 17 of the GDPR.
  • The Right to Restrict Processing — Users have the right to prevent organizations from doing certain things with their personal data. This is defined in Article 18 of the GDPR.
  • The Right to Data Portability — Article 20 of the GDPR grants users the right to request any copies of their personal data that’s being stored by an organization. This shows that the data is truly owned by the user. If the user wants to, they should be able to take their personal data from one organization and give it to another.
  • The Right to Object — According to Article 21, users have the right to object against data processing. This is mainly designed for direct marketing purposes. If users object to personal data processing for reasons other than direct marketing, they may be required to give a reason for the objection.
  • Rights Related to Automated Decision-Making and Profiling — Article 22 of the GDPR governs decisions made about individuals using their personal data without human involvement in the process. For example, if a company used personal data like a credit score to automatically deny or approve someone, the decision would fall into this category.

For a more in-depth explanation of the GDPR, check out our Ultimate Manual to General Data Protection (GDPR) Compliance.

20 Key GDPR Statistics You Need to Know

Now that you have some background information on the GDPR and its purpose, let’s take a closer look at the most important GDPR statistics.

The GDPR statistics below have been segmented into relevant categories. In addition to the statistics, we’ll also break down what all of this means for you, your business, your data, and the future of data privacy.

GDPR Compliance Statistics

Since its enactment in 2018, organizations in the EU and beyond have been taking steps to ensure compliance. Some have been more successful than others.

1. Just 7% of organizations in the EU believe they are fully compliant with GDPR

According to a recent survey on Statista, only 7% of companies in the EU rated their current level of GDPR compliance as “fully compliant.” Here’s a full breakdown of the responses:

  • Fully Compliant — 7%
  • Very Compliant — 38%
  • Moderately Compliant — 43%
  • Somewhat Compliant — 10%
  • Not at all Compliant — 1%
  • Does Not Apply — 1%

These figures are based on self-evaluations rather than a thorough investigation into compliance, but they tell us that many organizations believe there’s room for improvement before they achieve full GDPR compliance.

2. 35% of professionals believe their companies can prove GDPR compliance

A Deloitte poll of business professionals discovered that just 34.5% of employees believe that their companies can defensibly demonstrate their compliance with GDPR standards.

Business professionals who are on the front lines working with customer data have a better understanding of how GDPR standards are being applied. Roughly one-third of those surveyed were confident that they could prove GDPR compliance if their company needed to defend its data security practices.

3. 28% of companies say GDPR compliance requires significant changes to security practices

Achieving GDPR compliance is easier said than done. Nearly 30% of companies surveyed said they needed to make significant changes in their security policies to comply with GDPR.

56% of companies surveyed said that changes to security policies would be minor.

This tells us two things. First, organizational security policies prior to GDPR were not very strict. Second, making the shift to GDPR compliance isn’t a quick fix.

4. 75% of companies in the UK don’t follow GDPR data request standards

A recent GDPR study revealed that the UK is lacking in certain areas of GDPR compliance. More specifically, UK companies are not following the GDPR mandates for sharing copies of personal data when users request them.

5. The demand for DPOs has risen by 700% as a result of the GDPR

Prior to GDPR, there were roughly 83,000 Data Protection Officers (DPOs) in the workforce. But today, that number has skyrocketed to more than 500,000.

This shows that companies across the globe are hiring data protection officers as a way to help apply GDPR standards within their organizations.

6. 25% of companies are spending $1+ million on GDPR compliance

Complying with GDPR can be expensive. Roughly one-fourth of organizations are investing over $1 million in compliance. An additional 27% are spending $500,000+ on compliance.

Aside from the money already spent, other organizations say they plan to spend over half a million dollars to ultimately become compliant with GDPR standards.

This puts smaller companies with modest budgets in a difficult position. Many don’t have the cash required to become fully compliant.

7. 40% of companies don’t have the budget for GDPR compliance

This piggybacks off of our last point. While some organizations are spending hundreds of thousands of dollars on compliance, other companies can’t keep up with this spending.

Furthermore, 43% of organizations say their staff doesn’t have the skills to implement GDPR compliance company-wide. That’s one of the reasons why we’ve seen such an increase in hires for DPOs.

The lack of budget and resources is a particular concern for smaller organizations. If they can’t hire the right people to implement GDPR-compliant policies, the data privacy standards in those companies will inevitably be lacking.

GDPR Enforcement Statistics

There are two tiers of GDPR fines:

  • Less severe violations: Up to €10 million or 10% of the company’s global revenue from the preceding financial year (whichever is higher)
  • Severe violations: Up to €20 million or 4% of the company’s global revenue from the preceding financial year (whichever is higher)

Non-compliance has proven costly for many organizations. Here’s a closer look at how the GDPR is being enforced:

8. Amazon was fined €746 million ($877 million) for GDPR violations

This is the most expensive fine in GDPR history. While the exact details of the fine have yet to be confirmed, the cause is related to Amazon’s cookie consent.

Some of the other biggest fines imposed by the GDPR include:

  • WhatsApp — €225 million
  • Google — €50 million
  • H&M — €35 million
  • Telecom Italia — €27.8 million
  • British Airways — €22 million
  • Marriott — €20.4 million
  • Wind — €17 million

It’s also worth noting that Google’s €50 million fine wasn’t the company’s only violation. They were also hit with a €7 million fine in 2020.

9. Luxembourg has the largest sum of fines in the EU

According to the GDPR enforcement tracker, organizations in Luxembourg have been fined more than €746 million for non-compliance.

Here are the top ten most fined countries in terms of the sum of total fines:

  • Luxembourg — €746,257,900
  • Ireland — €225,877,900
  • Italy — €89,610,096
  • France — €57,714,300
  • Germany — €50,158,633
  • UK — €44,261,800
  • Spain — €36,450,610
  • Austria — €16,770,950
  • Sweden — €15,331,730
  • The Netherlands — €7,164,500

10. 327 separate GDPR fines have been issued in Spain

The same GDPR enforcement tracker also says that companies in Spain have been given 327 fines. This is significantly more than any other country in the EU.

To put that into perspective, Italy is number two on this list with 97 fines. Romania ranks third with 67 total fines.

11. The smallest GDPR fine to date was €28

We’ve looked at lots of big numbers. But Google Ireland was fined just €28 by the Hungarian Data Protection Regulator for non-compliance.

GDPR Statistics in the United States and Outside of the EU

While the GDPR governs data privacy and protection in the EU, it impacts organizations across the globe. That’s because the GDPR also applies to organizations outside the EU that offer goods or services to individuals located in the EU.

12. 78% of companies in the US have taken steps towards GDPR compliance

It’s clear that companies outside of the EU are paying close attention to the GDPR.

There are several different reasons for this. Some organizations may believe that stricter regulations are coming to their local countries or regions. Others want to avoid fines for non-compliance when serving users in the EU. Many companies just want to make sure they’re following strict data security standards, and the GDPR is a great resource to model after.

13. US companies have spent $7.8 billion on GDPR compliance

Taking steps towards GDPR compliance is coming at a high cost. In the United States alone, more than $7.8 billion has gone to GDPR compliance.

This includes money spent on data protection officers, GDPR research, legal services, and more.

Companies evidently feel that the cost of compliance is justified by the risk of fines for GDPR violations.

14. Nearly 1,000 news sources blocked users in Europe to avoid GDPR non-compliance

When the GDPR first went into effect, media outlets worldwide began restricting site access to users in the EU. Major news publications like the Chicago Tribune and LA Times were redirecting users with an EU IP address to a page that looked like this:

The number of websites blocking EU users in this way has declined over the past couple of years.

15. Over 13 countries have data privacy laws similar to the GDPR

Outside of the EU, there are countries and states imposing data privacy legislation at different levels. While the regulations and enforcement vary, here’s a quick list of those policies similar to GDPR:

  • Australia — Privacy Amendment (Notifiable Data Breaches) to the Privacy Act
  • Brazil — Lei Geral de Proteção de Dados (LGPD)
  • China — Personal Data Protection Law (PDPL)
  • Canada — Digital Charter Implementation Act
  • Chile — Constitution amendment Ley 19,628
  • India — Personal Data Protection Bill (PDPB)
  • Japan — Act on Protection of Personal Information Amendment
  • New Zealand — 1993 Privacy Act amended in June 2020
  • South Africa — Protection of Personal Information Act (POPIA)
  • Switzerland — Datenschutzgesetz (Data Protection Act)
  • South Korea — Personal Information Protection Act
  • Thailand — Thailand Personal Data Protection Act (PDPA)
  • USA — California Consumer Privacy Act (CCPA)

Regional data privacy guidelines in areas like the Asia-Pacific Cooperation Forum and OECD have begun structuring cross-border data privacy regulations as well.

In the coming years, we can expect to see more and more countries take a stricter stance on data laws.

GDPR User Statistics

The following statistics give us more insight into how consumers worldwide feel about the GDPR and data privacy:

16. 45% of citizens in the EU still don’t feel comfortable with Internet privacy

Despite the implementation of GDPR, nearly half of Europeans still aren’t confident with their data privacy online.

This could be due to the fact that so many organizations admittedly say they’re not fully compliant. Or maybe news of big companies getting hit with massive fines creates doubt amongst the citizens.

17. 62% of people in the UK feel more comfortable sharing data online now that GDPR is enacted

People in the United Kingdom have a different view than the EU as a whole. They are more comfortable sharing information online with these new standards in place.

This is interesting, especially considering the fact that the majority of UK companies are failing to follow data request standards. The UK also ranks sixth on the list of countries with the highest sum of total non-compliance fines.

18. 31% of users say that their experience with companies has improved as a result of GDPR

A recent survey from Marketing Week found that 25% of consumers agree that GDPR is improving their brand experience. An additional 6% say they strongly agree with that statement.

Here’s a complete look at the survey results:

19. 66% of Americans want the US to adopt data privacy regulations similar to the GDPR

The majority of US citizens want to see GDPR-like standards imposed throughout the United States. It’s clear that people in America want more control over their data, even if it means stricter government regulation of data privacy.

44% of Americans surveyed believe that the federal government should control data privacy laws. 32% of individuals say that each state should implement its own data privacy legislation.

20. 48% of users say they understand their rights surrounding personal data privacy

Nearly half of people believe they have a firm grasp on their data privacy rights.

An additional 41% of those surveyed feel that companies are giving them more control of their data today compared to the days before GDPR was implemented.
