Three years of the GDPR: an overview

Many organizations still remember the day the GDPR became a requirement: May 25, 2018. Some considered this a logical step, while others had to make a lot of adjustments. How are we doing now, and what has happened over the past three years?


More adjustments due to the GDPR 

Even though the GDPR became a requirement three years ago, people still sometimes forget what has changed. With the increase in the number of data leaks in 2020, it appears that not everyone has taken the correct measures yet.

But what else has changed because of the GDPR? Here is a brief overview (source: Dutch Data Protection Authority):

The collection of data based on:

  • User consent
  • Vital interests
  • Legal obligation
  • Agreement
  • Common interest
  • Legitimate interest

Technical and organizational measures

  • Register with all processing operations
  • Data protection policy
  • (Digital) security

In addition, people involved have been given more rights:

  • Right to access data
  • Right to make changes 
  • Right to be forgotten 
  • Right to carry over data 
  • Right to information 

The bottom line is that people involved have been given more rights when it comes to the processing of personal data. It was previously possible to store data longer than necessary, but this is no longer the case. 


Here's what happened during the three years of the GDPR

Most organizations have been able to take the correct technical measures. This spares them the awful consequences of a data leak: fines of up to 4% of the worldwide annual turnover, reputational damage and costs due to a decline in activities.

Yet not every organization has been able to protect itself this well. The number of data leaks caused by hacking, malware and phishing in 2020 has increased by 30% compared to the previous year. Here you can see what else has changed:



  • In aggregate there have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018.

  • For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day (a 19% increase) in Europe. 

  • Germany tops the list as the country with the most reported data leaks. Since the GDPR became a requirement, 77,747 data leaks have been reported. The Netherlands is the runner-up (number two with 66,527 reported data leaks) with the United Kingdom (number three with 30,536 reported data leaks) behind them. Although these numbers are high, it can also be said that the countries are taking the legislation seriously.

  • In Europe, a total of € 272,500,000 in fines have been handed out since the GDPR became a requirement. 
    • The top 5 countries in terms of GDPR fines imposed from 25th May 2018 are:
      • Italy: € 69,328,716
      • Germany: € 69,085,000
      • France: € 54,436,300
      • United Kingdom: € 44,221,000
      • Spain: € 14,490,094

  • The three biggest fines in Europe are:
    • In 2019, the French data protection authority CNIL fined Google Inc. € 50,000,000 due to a lack of transparency about their GDPR rules.
    • In 2020, the Hamburg data protection authority fined a global retailer (H&M) € 35.26 million because their legal reasons for storing data were not good enough.
    • In 2020, the Italian data protection authority, the Garante, fined a telecommunications company (TIM) € 27.8 million because of a lack of transparency.


European data protection authorities

The General Data Protection Regulation (GDPR) is the main law in Europe. This law has been in place since 2016 and obliges organizations in Europe to protect the personal data of EU citizens when they are exchanged within the EU. This norm is the original legislation, but each country has its own authority that monitors compliance and reports data leaks. Here are some examples of European authorities: 

  • The Autoriteit Persoonsgegevens (AP) is the reporting point for data leaks in the Netherlands. As an organization, you must report a data breach here within 72 hours.
  • In Germany the national authority is the Bundesdatenschutzgesetz (BDSG). Here all German data leaks are reported. 
  • The United Kingdom has its own authority as well. The Information Commissioner’s Office (ICO) protects the data of its citizens.
  • Ireland has the Data Protection Commission (DPC), which makes sure organizations comply with the GDPR.
  • In Sweden the Integritetsskyddsmyndigheten (IMY) makes sure citizens’ data is protected.
  • In Belgium the Autorité de protection des données (APD) also known as the Gegevensbeschermingsautoriteit (GBA) is where all the data leaks get reported. 
  • Datatilsynet is the Danish authority on data protection and data leaks.


The best defence against data leaks

No one wants to experience a data leak. Fortunately, there are many ways to prevent this. Here are some tips: 


Do you want to know more about preventing data leaks? Download our whitepaper and learn how to do this easily:

