Four years of the GDPR: an overview

Four years of the GDPR: an overview

The GDPR officially became a requirement on May 25, 2018 which means it's been four years of this data privacy law! While some had seen this coming from miles away, others had to make a lot of adjustments over the years. How are we doing now and what's happened in the past four years?  


More adjustments due to the GDPR 

GDPR may have become law four years ago, but not everyone manages to stick to the guidelines it seems! Once again, there was a staggering (total) amount of data breaches reported in 2021. Get your data security together, people! 

Here is a brief overview on what's changed since the introduction of GDPR

The legal bases for collecting personal data:

  • Unambiguous consent
  • Contractual Necessity
  • Compliance with legal obligations
  • Vital interests
  • Public interests
  • Legitimate interests

Technical and organizational measures

  • Register with all processing operations
  • Data protection policy
  • (Digital) security

In addition, people involved have been given more rights::

  • Right to access data
  • Right to make changes (rectification)
  • Right to be forgotten 
  • Right to restriction of processing
  • Right to carry over data 
  • Right to information 

The GDPR was introduced to protect the personal data of users and reduce the risk of security breaches. It goes without saying that people have been given more rights with regards to their personal data. That's a good thing, too! You want personal information to stay safe and secure, so it's in everyone's best interest to comply with the GDPR. 


Here's what happened during the four years of the GDPR

Most organizations have been able to err on the side of caution and spare themselves of consequences: fines of up to 4% of the worldwide annual turnover, reputational damage and revenue loss.

Yet not every organization has been able to protect itself well enough. The number of data breaches caused by hacking, malware and phishing in 2021 has increased by 68% compared to the previous year, according to the Annual Data Breach Report. This is what else has changed:



  • There have been more than 390,000 data breach notifications since the application of GDPR on 25 May 2018.

  • From 28 January 2020 to 27 January 2022 there were, on average, 356 breach notifications per day (an 8% increase in comparison to last year) in Europe. 

  • Germany tops the list as the country with the most reported data breaches. Since the GDPR became a requirement, they have reported 106,731 data breaches. The Netherlands is the runner-up (number two with 92,657 reported data breaches) with the United Kingdom (number three with 40,026 reported data breaches) bringing up the close for top three. High numbers but it can be said that these countries take legislation seriously! 

  • In Europe, a total of more than € 1,000,000,000 in fines have been handed out since the GDPR became a requirement. 
    • The top 5 countries in terms of GDPR fines imposed from 25th May 2018 are:
      • Luxembourg: €746,299,400
      • Ireland: €226,046,500
      • Italy: €79,144,728
      • Germany: €69,329,916
      • Spain: €61,024,128

  • The three biggest fines in Europe are:
    • In 2021, Amazon was slapped with a hefty €746 million fine because of their cookie consent policy not being up to par. The case is still ongoing.
    • Ireland slammed WhatsApp with a whopping €225 million fine in 2021 too, because WhatsApp had failed to properly explain its data processing practices in its privacy notice. 
    • On January 6 2022, the French authorities hit Google Ireland with a €90 million fine. Google should have made it easier for YouTube users to refuse cookies...

European data protection authorities

The General Data Protection Regulation (GDPR) is the main law in Europe and though it has been in place since 2016, it didn't become enforceable until May 2018. European member states are therefore obliged to follow it, though many countries have their own data privacy authorities to report data breaches. Some examples follow below: 

  • The Autoriteit Persoonsgegevens (AP) is the authority for reporting data breaches in the Netherlands. As an organization, you must report a data breach here within 72 hours.
  • In Germany the national authority is the Bundesdatenschutzgesetz (BDSG).
  • The United Kingdom has the Information Commissioner’s Office (ICO) which protects the data of their civilians. 
  • Ireland is covered by the Data Protection Commission (DPC) 
  • In Sweden the Integritetsskyddsmyndigheten (IMY) makes sure civilians’ data is protected.
  • In Belgium the Autorité de protection des données (APD) also known as the Gegevensbeschermingsautoriteit (GBA) is where all the data breaches get reported. 
  • Datatilsynet is the Danish authority on data protection and data breaches.


The best defence against data breaches

No one wants to experience a data breach. Fortunately, there are many ways to prevent this. Here are some tips: 


Do you want to know more about preventing data breaches? Download our whitepaper and learn how to do this easily:


New call-to-action

Similar posts