GDPR violations: Media is most heavily fined industry of 2024

GDPR non-compliance can be very costly for both large and small businesses, and while penalties haven’t yet reached the magnitude of 2023, Amazon France Logistique have already received a €32m fine, and TikTok a €1.8m fine.

RELATED: Number of GDPR fines surge by 113% in a year despite strict regulations

While SMEs won’t face the same fines received by these larger companies, penalties scale based on the size of the business so remain a costly mistake to make. Interested in this, application SaaS company Indusface have investigated the most common GDPR violations, and which have cost European businesses the most.

Key insights

The most committed GDPR violation is “insufficient legal basis for data processing” with 654 fines attributed in 2024 alone
The costliest violation is “non-compliance with general data processing principles”, totalling €2,410,164,550 in 2024
The media, telecoms and broadcasting industry has received the highest sum of GDPR-related fines in 2024, amounting to €3,313,891,366
Industry and commerce received the highest amount of fines (467)

Industries Spending the Most on GDPR Fines

Sector	Number of fines	Sum of fines	Average cost per fine
Media, Telecoms and Broadcasting ADVERTISEMENT	296	€3,313,891,366	€11,195,579 ADVERTISEMENT
Industry and Commerce	467	€946,933,077	€2,027,694
Employment	144	€349,998,777	€2,430,547
Transportation and Energy	120	€173,541,941	€1,446,183
Finance, Insurance and Consulting	229	€64,187,258	€280,293
Public Sector and Education	251	€27,952,463	€11,364
Accommodation and Hospitality	73	€22,592,648	€309,488
Health Care	212	€21,327,209	€100,600
Real Estate	64	€2,702,431	€42,225
Individuals and Private Associations	301	€1,939,156	€6,442
Not Assigned	138	€1,847,688	€13,389

The Media, Telecoms and Broadcasting industry ranked highest for the total sum of fines received in 2024 thus far, amassing €3,313,891,366, a substantially higher figure than any other industry. Some of the primary culprits include Meta Platforms and TikTok, with the debate ranging from issues around child data protection to AI data training on platforms like X.

The Industry and Commerce industry placed second, with an eye-watering sum of €946,933,077 in GDPR fines this year and the highest-recorded fine occurrences of all industries. The sum of these fines were substantially higher than the Employment sector which were required to forfeit €349,998,777 of their earnings.

Non-compliance with general data processing principles – €2,410,164,550 (617 fines)

Falling under the higher tier of fines under GDPR violations, the above qualifies as a serious infringement that violates the right to privacy and the right to be forgotten. Individual fines can reach €20 million, or 4% of a firm’s worldwide annual revenue from the preceding financial year, whichever is higher. So far in 2024, fines total over €2.4billion.

Venky Sundar, Founder and President – Americas, Indusface, comments: “To avoid facing penalties, SMEs must follow data minimization principles and keep personal data accurate and up to date. Any data acquired should not be subjected to further processing for aims beyond the ones that the individual or organisation has consented to.

Protecting the acquired data is equally important. After all, data breaches can also lead to GDPR violations. Since most of the acquired data is stored in databases that are accessed through websites, apis and other applications, protecting these assets is important using tools such as a WAF or a WAAP. Data breaches can be prevented by following the below four step process:

Step 1: Maintain an inventory of all your external facing websites, mobile applications and APIs.
Step 2: Perform regular vulnerability scans and periodic manual penetration testing
Step 3: Patch all open vulnerabilities on time or at least virtually patch these on the WAF
Step 4: Protect the applications using tools such as WAF, WAAP, Intrusion prevention systems where these tools block the attacks from entering the corporate network infrastructure”

Insufficient legal basis for data processing – €1,652,855,412 (654 fines)

Insufficient legal basis for data processing ranks in second position, amassing €1,652,855,412 in total sums to date – it is also the biggest violator in terms of number of fines in 2024.

Venky Sundar, Founder and President – Americas, Indusface recommends that organisations should only process data if they meet one of the six following criteria for lawful processing:

The data subject has given consent to the processing of their personal data for one or more specific purposes.
The processing is necessary to execute a contract or to take steps at the request of the data subject.
The processing is necessary for compliance with a legal obligation.
The processing is necessary to protect the vital interests of the data subject.
The processing is necessary to perform a task carried out in the public interest.
The processing is necessary to pursue the data controller’s legitimate interests, except where such interests are overridden by the rights of the data subject — in particular, where the data subject is a child.

GDPR further prohibits processing data including a person’s racial origin, political opinions, religious beliefs, trade union membership, and health or biometric data, except in limited circumstances.

Insufficient technical and organisational measures to ensure information security – €480,011,915 (393 fines)

Robust security measures are essential for any organisation controlling and processing data, whether technical measures such as cybersecurity software and good password practices, or organisational practices such as employee security training and confidentiality clauses.

As the third most common violation (393 fines in 2024 so far), SMEs must consider best practices regarding security within their organisation.

Credit: Indusface

Methodology

All data surrounding GDPR fines throughout Europe was taken from Enforcement Tracker and is accurate as of 12.9.24, but is subject to change as per further updates.
Venky Sundar has provided comments on complying with GDPR regulations on behalf of Indusface.

GDPR violations: Media is most heavily fined industry of 2024

More in Features

Cognitive defence: The role of mindfulness in thwarting cyberattacks

Prosperity or catastrophe: #Insurance2040 study reveals four possible futures for the industry

Uche Nnaji: A great man of history leads Nigeria’s space agenda to greater heights

Global Cybercrime Report 2025 warns of escalating costs and growing threats

UNESCO named key partner for G20 in 2025, spotlight on Artificial Intelligence

DBI and SBTS Group to strengthen Nigeria’s digital workforce, advance tech-driven economy

Afrobarometer connects early-career researchers with scholars to build analytical capacity in Africa

Meta to build $10b world’s largest subsea cable network

Events

Technology Picks

What do satellites have to do with climate change and sustainability?

Securing critical infrastructure: The radical possibilities of facial recognition systems

TECH TIPS: Taming Group Chats with WhatsApp’s ‘Mute’ Feature

Classic account takeover via the direct deposit change

Editorial

Unlocking Nigeria’s Digital DNA: The $18B potential for innovation and growth

Crafting the Blueprint: CEO perspectives on Nigeria’s digital economy

Upcoming Events

The South Africa Manufacturing Show has announced the honorees for the esteemed Manufacturing 50 Awards

BFSI IT Summit: Recipients of the Prestigious BFSI50 Awards!

Unconnected! Nigeria’s premier expo + conference on telecoms and renewable energy to bridge rural gaps