Top GDPR statistics businesses must know

GDPR is one of the most extensive regulations governing data collection. Learn who it affects, the types of data it covers, and more.


The digital age has compelled companies to collect data on customers so they can provide a more customized experience. However, businesses are required to follow specific requirements to maintain the privacy of their customers during the data collection process.

One of the most extensive regulations governing data collection is GDPR.

What is GDPR?

The General Data Protection Regulation, or GDPR, is a strict set of data privacy laws for businesses that collect data on EU citizens.

Under GDPR, businesses are responsible for safeguarding numerous types of personal information, including the customer's IP address, cookie data, home address, and Social Security number.

The full text of the GDPR runs to hundreds of provisions promoting individuals’ right to digital privacy, a right rooted in the 1950 European Convention on Human Rights. GDPR replaces the Data Protection Directive of 1995 and addresses the current digital privacy concerns of people who live in the EU.

Does GDPR impact US companies?

Because the GDPR’s primary objective is to protect the data of EU residents, it applies to any business that processes that data, even one that isn’t based in the European Union. Article 3 of GDPR, which defines the territorial scope of the legislation, sets this out.

In other words, any company that collects data or provides a service to residents of Europe must comply with GDPR. Specifically, it applies to companies situated and registered outside of the EU that:

  • Are located in the US but target EU customers (for instance, presenting prices in Euros or running location-specific ads).
  • Engage in “professional or commercial activity.” This includes collecting funds from friends and family to finance a side business project.
  • Use digital tools to track cookies or IP addresses of users visiting the website from EU countries.

What types of personal data does GDPR cover?

GDPR covers all types of personal user data, including (but not limited to):

  • Personal ID information, such as names, addresses, contact numbers, or email addresses of users visiting the website
  • Personal information, such as political opinions, ethnic origins, sexual orientation, and religious ideologies
  • Health data, such as the patient’s genetic history, name, test results, emails, and audio recordings or physician notes about a patient
  • Biometric data, such as fingerprints, facial patterns, voice, or typing cadence of users
  • Web data, such as IP addresses, browsing activity, names, emails, and credit card information

GDPR statistics

Complying with GDPR requirements matters for companies regardless of where they are based. The following statistics show why.

Infographic: GDPR statistics about how Americans feel about digital privacy, the impact of data breaches, how GDPR compliance has affected user experience, and more

GDPR enforcement: types of violations and fines

According to DLA Piper, GDPR regulators issued nearly $1.2 billion in fines since January 2021 — almost seven times 2020’s total.

As of February 2022, around 1,000 fines had been issued, falling into a few main types of violations:

  • 224 firms were fined for not complying with GDPR.
  • 87 companies were fined for insufficient fulfillment of GDPR.
  • 350 firms were penalized for having an insufficient legal basis for data processing.
  • 202 fines were given to firms that inadequately implemented technical and organizational measures to safeguard user privacy.
  • 97 companies were penalized for failing to honor data subjects’ rights.
  • 6 penalties were due to the company's failure to comply with the data processing agreement.
  • 12 firms were penalized for not hiring a data protection officer.
  • 41 fines were due to ineffective collaboration with a supervisory authority.
  • 6 penalties were made for undisclosed reasons.

How Persona helps businesses with GDPR compliance

When you use Persona for your identity processes, you can focus on growing your business and leave secure PII storage to us. Because PII never sits in your own systems, you don’t carry the liability of potential breaches or leaked customer data, yet you retain easy and reliable access to it whenever you need it. We meet the highest security standards, so you know your data is safe with us and that you’re complying with GDPR and other data regulations, such as CPRA, from the start.

If an individual requests their PII, it’s easy to retrieve from Persona because all information about that user is stored under that user’s account. And if you have compliance or legal requirements for how long you can keep PII, you can set up automated PII removal on the cadence of your choosing.

Interested in learning more about how we store PII? Get in touch and we’d be happy to share more.

Frequently asked questions

What is the first thing a company should do in its GDPR journey?

The first step a company should take toward GDPR compliance is to appoint a knowledgeable data privacy officer. This expert can help the business work out the resources and investments it needs in order to comply with GDPR.

What is the maximum fine if GDPR is violated?

The maximum fine for GDPR violations is set at €20 million (about £18 million) or 4% of annual global turnover — whichever is greater.

What is GDPR cookie compliance?

Under GDPR, a website may only use cookies to collect user data if it has the user’s express consent. It must also inform the user about the cookies and trackers in use, their purpose, their duration, and their provider. The consent banner should let users give express consent by ticking an "I accept" box or clicking a button.

Businesses must ensure that the cookie banners do not come with pre-ticked checkboxes or other options to coerce users into giving consent. Additionally, the website must not track or store any user data until the end-user permits it.
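The two rules in this answer (no pre-ticked boxes, and no optional storage before an explicit decision) translate directly into a small consent gate. The following is an added example written for this article, not code from Persona or from the original page; the category names, the cookie names, and the `Map` standing in for `document.cookie` are constructed so that it runs outside a browser. It shows the default banner state a compliant site starts from, a check that rejects pre-ticked defaults, and a single storage path that refuses optional cookies until consent has been recorded.

```javascript
// Added example (not from the original article): a consent gate modelling the
// cookie-banner rules above. Optional categories start unchecked, nothing is
// stored in an optional category until the visitor has explicitly decided, and
// banner defaults that pre-grant an optional category are rejected.
// Category names and the cookie-jar Map are constructed for this example.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// State before the visitor has interacted with the banner: only strictly
// necessary storage is permitted and every optional box is unchecked.
function defaultConsentState() {
  const granted = { necessary: true };
  for (const c of OPTIONAL_CATEGORIES) granted[c] = false;
  return { decided: false, granted, decidedAt: null };
}

// A banner's starting state is invalid if it pre-ticks an optional category
// or treats a visitor who has not acted as having already decided.
function bannerDefaultsAreValid(state) {
  if (state.decided) return false;
  return OPTIONAL_CATEGORIES.every((c) => state.granted[c] === false);
}

// Record an explicit user action. `choices` maps optional category -> boolean
// as read from the ticked boxes; omitted or unknown categories stay denied.
// The decision time is kept so the consent record can be shown or expired later.
function recordConsent(state, choices, now = Date.now()) {
  const granted = { necessary: true };
  for (const c of OPTIONAL_CATEGORIES) granted[c] = choices[c] === true;
  return { decided: true, granted, decidedAt: now };
}

// The single check every storage path must pass through.
function mayStore(state, category) {
  if (category === "necessary") return true;
  if (!OPTIONAL_CATEGORIES.includes(category)) return false;
  return state.decided && state.granted[category] === true;
}

// A Map stands in for document.cookie so the example runs in Node.
// Returns true when the cookie was written, false when consent blocked it.
function setCookie(jar, state, name, value, category) {
  if (!mayStore(state, category)) return false;
  jar.set(name, value);
  return true;
}

// Walk the lifecycle: before any decision, then after a partial grant
// (analytics accepted, marketing left unticked).
function demo() {
  const jar = new Map();
  let state = defaultConsentState();
  const beforeConsent = [
    setCookie(jar, state, "session_id", "s-123", "necessary"), // allowed
    setCookie(jar, state, "analytics_id", "a-456", "analytics"), // blocked
  ];
  state = recordConsent(state, { analytics: true }, 1700000000000);
  const afterConsent = [
    setCookie(jar, state, "analytics_id", "a-456", "analytics"), // allowed now
    setCookie(jar, state, "ad_id", "m-789", "marketing"), // still blocked
  ];
  return {
    beforeConsent,
    afterConsent,
    cookies: [...jar.keys()],
    decidedAt: state.decidedAt,
  };
}
```

In a real page the `Map` would be replaced by `document.cookie` or the tag manager's data layer, but the shape is the same: every tracker load and every cookie write goes through `mayStore`, and the banner's initial state is built by `defaultConsentState` rather than hand-written, so a pre-ticked box cannot slip in through markup.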

What is PII for GDPR?

Personally Identifiable Information (PII) is data that can be used to identify a person, such as their name, address, birth date, Social Security number, banking numbers, photographs, social media posts, preferences, and locations.
