AI Obligations Are Exposing the Limits of Static GDPR Programs, Research Warns

Nearly one in three compliance and data protection professionals (31%) do not know when their organisation last reviewed its main GDPR risk assessments. That is according to the latest findings from a survey of 198 professionals carried out at the end of May 2026 by VinciWorks, marking eight years since GDPR came into force.

A further 18% said their risk assessments had not been reviewed for more than a year, and five per cent said reviews only take place when required. Combined, more than half of respondents (54%) cannot confirm that their risk position reflects the organisation they are today.

According to DLA Piper’s 2026 GDPR Fines and Data Breach Survey, European data protection authorities received an average of 443 breach notifications every day in 2025, a 22% rise on the year before and the highest daily figure since GDPR came into force. Cumulative GDPR fines across Europe since 2018 now exceed €7.1 billion, with more than 60% of that total imposed since January 2023.

These findings sit awkwardly alongside reported levels of confidence. A majority of respondents (54%) said they were fairly confident in their organisation’s GDPR compliance programme, and a further 16%, nearly one in six, described themselves as very confident. Yet that confidence appears, in many cases, to rest on programmes that have not been properly tested or reviewed.

AI Has Overtaken Every Other GDPR Concern

When asked which GDPR issue feels most challenging right now, over two in five respondents (43%) selected AI and automated decision-making. No other issue came close. Just over one-fifth (22%) cited supplier and processor management, while approximately one in five (19%) pointed to staff awareness and training. International transfers and data subject rights requests were each cited by fewer than one in ten (8% apiece).

Nick Henderson-Mayo, head of compliance at VinciWorks, said, “AI has progressed from being a faraway, future concern to the central data and cyber compliance challenge right now. The problem is that many are applying GDPR thinking that was designed for static systems to technology that changes continuously. A DPIA written when a tool was first procured might not reflect what that tool is doing six months later, and regulators are increasingly focused on exactly that kind of governance lag.”

Regulators are already acting on this.

In September 2025, the Hamburg Commissioner for Data Protection fined a financial services provider €492,000 for rejecting credit card applications using algorithms alone, without human oversight or adequate explanation, in breach of Article 22 of GDPR.

In a separate case, the Italian data protection authority imposed a €5 million fine on Luka Inc., the company behind the AI chatbot Replika, for a range of GDPR failings including inadequate age-verification mechanisms.

Both cases show that AI-related GDPR enforcement is no longer confined to large technology platforms.

Eight Years On, Nearly One in Ten Organisations Still Have No Data Protection Training

On training, only roughly one in five respondents (22%) said their data protection training is very effective. Over half (52%) described it as OK but said it could be better. More than one in ten (11%) said their training is not very effective, and nine per cent said their organisation has no data protection training at all.

In the UK, the stakes are rising sharply. According to an analysis by Slaughter and May published in March 2026, the average ICO fine climbed from around £380,000 in 2024 to just under £3 million in 2025, with all major penalties following cyber-attacks. The same analysis noted that the National Cyber Security Centre reported a 50% increase in highly significant cyber incidents during 2025 compared to the previous year.

Henderson-Mayo added, “Nine per cent of organisations having no data protection training eight years after GDPR came into force is a serious exposure. But the quality of training matters, too. Regulators investigating a breach will go straight to training records: who was trained, when, and whether what they were taught was relevant to the decisions they were making. Tick-box training that was last updated in 2019 could be evidence of a problem.”
