It becomes inherently difficult to make datasets actually anonymous the more data points they have about a given individual - it doesn’t much matter whether names and such are listed data points if they can be inferred from the rest. This investigation by Svea Eckert and Andreas Dewes, for instance, managed to identify a named German member of parliament (Valerie Wilms) and other public functionaries within a data set on web browsing habits they received from data brokers.

Most countries do have data privacy legislation and relevant regulatory/enforcement agencies, but the data brokerage business is big and intensely international so the picture on audits is kind of unavoidably complicated.

Privacy Compliance audits are a thing. Usually companies will hire a firm to do the audit which will culminate in a report of any violations and recommendations. That might be taken on for a company to cover its ass or because a client company asks them to as part of a contract. There’s not usually a “punishment” for those but a contract could have a clause to that effect.

Legal enforcement depends on the law in question. There’s a number of data privacy laws beyond GDPR each with different investigation and enforcement actions. They definitely can result in an audit by the enforcement body with risk of stick.

GREAT question thanks for posting it.