GDPR Fines do NOT average €500,000

An article posted on the Cledara blog claims that GDPR fines average over $500,000, which would make them larger than the average seed round and therefore something startups need to worry about. As usually happens with articles like this, it got shared on Reddit, where users commented on the headline and the description without bothering to read the article itself. The ones who did were greeted by a much less interesting truth: the $500,000 average only appears once you include the more than $400M in fines applied to six large international companies. GDPR fines for smaller companies are usually under $20,000. As they should be: the maximum GDPR fine is defined as a percentage of a company's worldwide annual turnover, not as a multiple of the average seed round.

I am always glad to see an analysis of the effects of GDPR. However, the Cledara article is intentionally misleading, and seems written to get shared on the strength of its clickbait framing. A large graph shows how fast GDPR fines are growing, and at a quick glance you might not notice that it plots "Cumulative GDPR Fines", a running total which by definition can only go up, regardless of whether individual fines are getting larger or more frequent.

The article goes on to say that "The increasing number of fines means that it’s only a matter of time before a smaller startup receives a fine. On average, the size of a GDPR fine in 2019 was about equivalent to an average startup’s seed round and so it’s important to take GDPR seriously." Note how the sentence is constructed to suggest that any individual startup should expect a fine the size of its seed round, even though the article itself admits that no smaller startup has yet received a significant fine.

As with a lot of these clickbait articles, the truth is still in there somewhere, buried behind a long, boring spreadsheet listing every GDPR fine. There, in small print, you will find the $110M and $204M fines applied to Marriott International Inc. and British Airways, respectively. Read on and you will also find large fines applied to Google, Austrian Post, and other large companies.

Let's try to get a number that makes more sense for you and me, shall we? The average fine, once these $1M+ outliers are removed, is $57,862, almost 10x lower than the figure reported in the Cledara article. Even this average is not a great indicator of anything, though, since the remaining fines range from €90 to €900,000: a handful of large fines still dominates the mean, and the typical fine is far smaller. If you want to understand the risk to you or to any particular company, keep in mind that GDPR fines are set based on the severity of the breach and on the size, impact, and revenue of the company, not on the fines other companies have paid.

Data protection should be taken seriously, and GDPR is here to stay. We at Insights are in this business precisely because we care about data protection and regulation. However, painting GDPR as a boogeyman and using it to instil fear in startup companies is not the right way to bring these topics into the discussion.