The Data Protection Commission in Ireland announced Tuesday that it’s fining Meta Platforms, formerly Facebook Ireland Limited, €17 million (U.S. $18.8 million) for a dozen data breach notifications in 2018. 

The General Data Protection Regulation (GDPR) is a data protection and privacy law for the European Union that went into effect in 2018. The DPC found that Meta failed to have in place appropriate technical and organizational measures showing it protected user data in the 12 breach cases, according to the DPC news release.

It’s the second such fine against Meta under the GDPR regulations since 2021, when Meta — then known as Facebook — and its WhatsApp was issued an estimated $267 million fine, the largest-ever by the DPC.

Thomas Stoesser, director and cybersecurity expert with data security specialist Conforte, said companies need to realize that GDPR is “a data privacy regulation that has teeth” and that organizations will continue to be fined if they fail to take data privacy seriously.