So, you think you are GDPR compliant?
Europe's landmark GDPR faces its first major proposed overhaul since 2018 amid surging enforcement fines topping €7 billion cumulatively and the looming full rollout of the EU AI Act in August 2026.
Key takeaways
- The European Commission's Digital Omnibus proposal from late 2025 seeks to simplify GDPR rules—such as easing record-keeping for mid-sized firms and clarifying AI data use—sparking debate between competitiveness boosters and privacy defenders wary of dilution.
- Enforcement remains relentless, with €1.2 billion in fines issued in 2025 alone, pushing total penalties since 2018 beyond €7 billion, as regulators prioritize transparency, cross-border consistency, and AI intersections.
- The impending August 2026 deadline for key EU AI Act obligations on high-risk systems heightens pressure, forcing organizations to reconcile overlapping GDPR requirements for automated processing and data protection impact assessments.
GDPR at a Turning Point
The General Data Protection Regulation, now eight years into enforcement, has imposed cumulative fines exceeding €7 billion, with Irish authorities alone responsible for over €4 billion, largely targeting major tech platforms for breaches involving data transfers, transparency, and consent.
In late 2025, the European Commission introduced the Digital Omnibus proposal, targeting revisions to the GDPR alongside the AI Act, ePrivacy rules, and other digital frameworks. Proposed changes include narrowing the definition of personal data for entities unable to reasonably identify individuals, expanding exemptions for records of processing activities to organizations with up to 750 employees, and permitting legitimate interests as a basis for certain AI development and deployment activities, provided safeguards remain intact.
These adjustments aim to reduce administrative burdens, particularly for smaller and medium-sized enterprises, and foster innovation in a competitive global landscape. Yet privacy advocates and regulators like the European Data Protection Board have expressed support for simplification while cautioning against any erosion of core protections, highlighting tensions between economic growth and fundamental rights.
Compounding the pressure, the EU AI Act's phased implementation reaches a critical milestone on August 2, 2026, when high-risk AI systems must comply fully, including transparency, risk assessments, and monitoring obligations that frequently intersect with GDPR rules on profiling, automated decision-making, and special category data. This convergence creates dual compliance demands, especially for organizations deploying AI that processes personal data.
Meanwhile, a new GDPR procedural regulation effective from January 2026 streamlines cross-border enforcement, imposing tighter timelines for investigations and resolutions, signaling regulators' intent to deliver faster, more harmonized outcomes in complex cases.