GDPR Fines
- Katarzyna Celińska
The DLA Piper GDPR Fines and Data Breach Survey: January 2026 confirms a trend that many organizations already feel operationally:
➡️ more cyber incidents, more breach notifications, and sustained high enforcement activity across Europe.
GDPR enforcement is not slowing down; it is maturing and sharpening its focus, especially where cybersecurity and governance fail.
€1.2 Billion in Fines
European supervisory authorities issued approximately €1.2 billion in GDPR fines in 2025.
22% Increase in Data Breach Notifications
For the first time since GDPR came into force:
➡️ average daily breach notifications exceeded 400,
➡️ reaching 443 notifications per day,
➡️ a 22% year-on-year increase.
Top Enforcement Areas
Fines related to violations of:
➡️ integrity and confidentiality,
➡️ security of processing,
continue to dominate enforcement across jurisdictions.
Notably:
➡️ processors are increasingly fined directly, not only controllers,
➡️ supply chain security is under growing regulatory scrutiny.
This aligns with the rise of:
➡️ ransomware,
➡️ third-party breaches,
➡️ cloud and outsourcing incidents.
International Data Transfers
The largest GDPR fine in 2025 (€530 million) was imposed by the Irish DPC for breaches of international data transfer rules.
Although the record fine (€1.2 billion against Meta in 2023) still stands, this shows that:
➡️ cross-border data transfers remain one of the most expensive GDPR risk areas.
Compensation Claims
GDPR risk does not stop with regulators.
The survey highlights:
➡️ increasing compensation claims,
➡️ evolving CJEU case law on non-material damage,
➡️ growing litigation exposure following incidents.
With the growing number of cyberattacks and cyber incidents this year, and very likely next year, organizations should expect fines to follow incidents.
Cybersecurity maturity is a must.
When a serious incident happens, regulators will ask:
➡️ Were appropriate technical measures in place?
➡️ Were organizational and administrative measures implemented?
➡️ Was governance effective before the incident — not after?
Beyond technical security, companies must strengthen administrative and governance measures to remain compliant with:
➡️ GDPR and UK GDPR,
➡️ the AI Act,
➡️ and other privacy and digital regulations.
Regulators are clearly strengthening enforcement and penalties, and compliance gaps are becoming more visible after incidents.
Author: Sebastian Burgemejster