General Data Protection Regulation fines continue to increase as European regulators toughen their response to data incidents. According to the GDPR Enforcement Tracker, firms incurred over 330 fines in 2025. Law firm DLA Piper claims they totalled €1.2 billion.
Social media firm TikTok was hit with 2025’s largest GDPR fine. Issued in Ireland, the €530 million fine concerned its sharing of European user data to China-based personnel. Last year also resulted in Luxembourg’s data supervisory authority upholding a 2021 €746m GDPR fine issued against Amazon after it harvested user data for advertising purposes without user consent. An appeal by Amazon was rejected, suggesting that European data protection watchdogs are serious about GDPR enforcement.
The continued prevalence of GDPR fines can be attributed to a record increase in data breach notifications, which firms must issue within 72 hours of a data incident. DLA Piper found that, in 2025, these notifications reached 400 per day for the first time since GDPR’s 2018 implementation. Between January 2024 and January 2026, they topped 443 – up 22% from 363. DLA Piper attributes this to hacking driven by global geopolitical instability, increased press coverage of cybercrime, and the emergence of data breach laws and rules that mandate incident notifications.
Clearly, data protection regulators aren’t prepared to ignore GDPR violations now that the law has been in place for eight years. However, with data the lifeblood of modern organisations and GDPR fines not just posing a financial risk but wider harm to businesses, what can they do to comply?
Regulators Are Clamping Down
A major reason behind the recent spate of GDPR fines is that regulators believe businesses have had more than enough time to understand the law and put it into practice, according to Lucas von Stockhausen, executive director of security engineering at application security firm Black Duck.
He tells IO that data protection authorities have had enough of excuses used by non-compliant firms and are now focused on holding them accountable. Ignoring this could result in “substantial penalties” for companies, with regulators able to fine up to €20 million or 4% of global annual revenue for the worst infringements.
Despite regulators continuing to clamp down on GDPR violations by issuing fines, many firms remain oblivious to this. Jake Moore, global cybersecurity advisor at antivirus software maker ESET, says data protection is a “tickbox exercise” for lots of organisations – when, in fact, it should be embedded throughout every area of a modern business.
He says this results in “weak access controls” and failure to remember the location of sensitive data. Consequently, data can easily fall into the hands of unauthorised parties, and if businesses are unsure where they stored a particular piece of data, they’ll struggle to fulfil data deletion requests. These issues put firms at risk of GDPR fines.
But GDPR non-compliance doesn’t just put businesses at risk of costly fines – it can harm all aspects of a company’s operations. Jo Brianti, a data protection specialist, says remediation can result in “operational disruption” when executives have to dedicate already-stretched schedules to cleanup efforts. Executives could even be liable for fines themselves if they knew about GDPR failures and didn’t intervene, she adds.
She says neglecting GDPR can also damage firms’ reputations, expose them to costly lawsuits launched by affected customers, make it harder for businesses to operate in different markets by disrupting “platform obligations and cross-border data flows” and show up in due diligence reports, leading to a loss of sales and other business opportunities.
AI Is Changing The Playing Field
The growing adoption of artificial intelligence technology by businesses is also contributing to rising GDPR fines. As AI is trained on large datasets to function and improve over time, the risk of data leaks and subsequent regulatory action is significant.
And because many firms use AI systems developed by third-party technology vendors, they don’t always have control over how the data they input into these applications is stored and protected. According to von Stockhausen of Black Duck, this means there’s a real risk of inadvertent data exposure and subsequent GDPR enforcement.
He tells IO: “The efficiency gains can be tremendous, but from a GDPR standpoint, the central risk is clear: organisations must be able to guarantee that AI outputs do not reveal personal data.”
When it comes to securing AI systems and the data upon which they rely, businesses aren’t just expected to follow GDPR guidelines. There’s also a growing legislative landscape dedicated to AI. It’s easy for firms to treat GDPR and AI compliance as separate matters, but this could be counterproductive.
ESET’s Moore explains that because data privacy and AI governance use identical datasets, businesses are better off “treating them as one joined-up discipline with clear ownership”. Doing so can result in simplified workloads and no duplicated work, making employees less likely to neglect data. Moore says it can result in fewer fines for businesses.
Brianti is another firm believer in a joined-up approach to data and IT governance, explaining that regulators are now “converging GDPR with a wider digital package”. She cites the EU’s Digital Services Act, Digital Markets Act, and updates to existing data and AI-related laws as examples.
According to Brianti, failing to comply with any one of these laws can cause “knock-on effects across multiple regulatory frameworks”. She tells IO: “This turns GDPR from a legal silo into a strategic risk affecting corporate governance, investor risk profiles, acquisition due diligence and reputation management.”
Getting Compliance Right
As regulators continue to enforce GDPR, von Stockhausen of Black Duck says their primary expectation is that businesses have implemented a “clear” data privacy strategy that explains the reasons behind personal data collection, whether the data is actually needed, and their data storage and protection methods.
“Regulators are looking for companies that handle personal information deliberately, responsibly, and with a clear understanding of the risks,” he says. “Those that don’t are increasingly finding themselves under scrutiny.”
But he says the most important way to stay compliant with GDPR is to be constantly vigilant about data privacy and security risks. To do this, he says businesses must enforce “demonstrable safeguards”, constantly monitor the threats posed by new technologies and adapt existing data privacy strategies accordingly.
For businesses unsure where to start, Brianti recommends integrating best practices outlined in professional standards and frameworks into everyday processes to meet regulatory requirements such as GDPR. She says ISO 27001 is great for handling information security-related issues and ISO 27701 for privacy. Cyber Essentials and NIST 800-53 are two more of her top picks.
Other recommendations from Brianti to ensure GDPR compliance include: logging the location of personal data and the way it’s processed in an inventory; adopting privacy-by-design principles so products are always data secure; defining roles and responsibilities related to data privacy; educating staff on the importance of data privacy; documenting all decisions made about data privacy; determining data risks through impact assessments; keeping these assessments and everything related to data in a single environment; and ensuring all incident response activities are aligned.
It’s easy to think of GDPR non-compliance as just paying a fine and moving on. But that’s just wishful thinking. GDPR enforcement can deal a huge blow to business operations and growth. That’s why it should be treated as a strategic priority, rather than a tickbox exercise just to please bureaucrats. And when GDPR compliance is aligned with other IT-related governance activities, businesses can rest assured they’ll keep regulators happy and protect themselves from a fast-changing cyber threat landscape.