For years, the story of GDPR enforcement has been told through a handful of jaw-dropping numbers. This is to be expected as fines are easily understandable globally. When people say the GDPR “has teeth”, they often mean that fines let regulators signal the seriousness of a case, and let the public see the consequences – at least for a moment. Some fines are so large that that even boardrooms have to take notice. But there is another aspect that tends to get pushed aside right when things get interesting: once you start tracking not only what supervisory authorities hand down but also what they actually collect, the comforting narrative begins to wobble.