10 year journey with GDPR

On 25th May 2016, GDPR entered into force. It provided a window of two years for implementation, and hence the law became applicable from 25th May 2018. We now have the experience of eight years of implementation and hundreds of cases in which penalties were imposed. According to enforcementtracker.com, 2,775 enforcement actions have been recorded and fines totalling about EUR 6.8 billion have been imposed. We are not aware of how much has actually been collected, nor of the state of the related litigation. At present about 30-40 fines are being imposed each month (refer to the tracker report of 2025).

The highest fine imposed so far was EUR 1.2 billion on Meta Platforms. Commentators in some other countries have mocked the astronomical fines imposed by GDPR authorities in various EU member states. Many of these fines remain under dispute, and we will need to wait a long time before they become a reality. Since the EU had a data protection directive even before GDPR, some proceedings decided after 25th May 2018 were still based on the earlier directive rather than on GDPR itself.

Many countries that followed the EU with their own laws also adopted measures to impose their own fines, and a global cost of data management was thereby imposed on the industry. Of these, the UK has imposed fines of about 15 million pounds. Cumulative data for other countries is not easily available.

The practice of imposing fines on the basis of global turnover, and on foreign entities, created a fear and urgency for compliance, but it has not endeared GDPR to organizations.

Organizations incurred high costs of compliance, particularly during the period 2018-2020, and have been maintaining substantial expenses since then. According to one survey, the investment in compliance during 2016-2018 was around $7.8 billion; since then, about 40% of organizations report an annual expenditure of around $10 million, while around 88% spend less than $1 million a year. In 2025, the global market for GDPR tools was estimated at around $3.7 billion. A conservative estimate at the global level indicates more than $20 billion invested in compliance.

In India, it is estimated that the industry will spend around Rs 10,000 crore on compliance over the next three years.

The transparency brought about by GDPR is good for the public, but there are still problems of consent fatigue, and the realization that in the long run this cost can only be borne by the consumers, since the large data processors have continued to prosper.

The smaller entities in the industry (despite the exemptions provided under GDPR) have, however, borne the brunt of the problems arising out of the increased compliance burden.

India now has an opportunity to learn from these developments and to ensure that SMEs and MSMEs are not unduly harassed, as if this were a new tax regime. The responsibility for this falls squarely on the Data Protection Board and MeitY.

While many other organizations will look at the so-called "Rs 10,000 crore market" and how they can exploit it, FDPPI is concerned about:

a) how to increase awareness of compliance, particularly at the industry level;

b) how to ensure that the penalty system remains fair;

c) how to ensure that the rules of compliance are practical.

We have miles to go before we sleep, to achieve "Compliance without Pain and Penalty without a grudge".

Naavi


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.