- Cumulative fines levied under the GDPR surpassed €6 billion in May 2025
- Ireland tops the table with the highest value of fines to date, at over €4bn, whilst Spain has seen the highest volume of fines, at 958
- Volume of fines per month has dropped in Q1 2025, to levels not seen since 2019
To mark the 8th anniversary of the GDPR coming into force, Kroll, the leading independent provider of global financial and risk advisory solutions, has compiled the datapoints below, together with expert commentary from Tiernan Connolly, data privacy expert and Managing Director in the Cyber & Data Resilience team.
- Over the past 8 years since coming into force, 2,319 individual GDPR fines have been levied, reaching a cumulative value of €6,191,738,083 as of 12th May 2025.
- The volume of fines rose to a peak of 68 in December 2022 but has been declining since. Q1 2025 saw only 32 fines levied, compared to 77 in Q1 2024 and 128 in 2023. This is the second-lowest Q1 for fines since the GDPR came into force, with only Q1 2019 lower (23 fines).
- The country that has seen the highest value of fines to date is Ireland, with €4,037,363,400 levied through 31 fines. This was notably above the second-highest country for fine value, Luxembourg, where €746,314,000 was raised by 32 fines.
- The country with the highest volume of fines over the period is Spain, with 958 fines levied to a value of €118,260,790, significantly higher than the second-highest country Italy, where 400 fines were levied to a value of €266,725,000.
Tiernan Connolly, Managing Director in the Cyber & Data Resilience team at Kroll, comments:
“The 8th anniversary of the GDPR may fly under the radar for many, but the birthday of this gold-standard data protection regulation is something worth noting. Most, if not all, businesses will now have a GDPR framework integrated into their data governance practices, with the regulation becoming an international standard for other nations to follow.
“Although GDPR might be considered ‘old news’ in 2025, the ECB has committed to renewing its focus on areas where ‘persistent sluggishness’ is seen with compliance to existing regulations (e.g. BCBS239, itself now a ten-year-old piece of regulation) in the financial industry. This shows that older requirements will not be forgotten or fly under the radar of regulators. Hence, while compliance teams may now be more concerned with adherence to newer regulations such as NIS2 (Network and Information Security Directive), the Digital Operational Resilience Act (DORA) and the EU AI Act, and how they apply to internal data governance, protection and management, the GDPR’s landmark 4% fines loom in the background for any business that forgets the grandfather of data privacy regulation.”