21 January 2026

DLA Piper GDPR Fines and Data Breach Survey: January 2026

The eighth annual edition of DLA Piper's GDPR Fines and Data Breach Survey has revealed a sustained high level of data enforcement activity across Europe this year, with European supervisory authorities issuing fines totalling approximately EUR1.2bn (USD1.42bn/GBP1.06bn) in 2025, closely matching the 2024 total fines issued.

Significantly, the analysis of data from Europe's data protection supervisory bodies reveals a 22% annual increase in notified personal data breaches, amounting to an average of 443 notifications per day. This significant increase follows several years of plateauing notifications, and it is the first time since 2018 that the average daily breach notifications have exceeded 400.

 

Trends and Insights

European supervisory authorities issued fines totalling approximately EUR1.2bn (USD1.42bn/GBP1.06bn) in 2025, broadly matching 2024’s figure. While there is no year-on-year increase in aggregate GDPR fines, this figure marks a reversal of last year’s downward trend and underscores that European data protection supervisory authorities remain willing to impose substantial monetary penalties. The aggregate total fines reported since the application of GDPR on 25 May 2018 to 10 January 2026 across all the jurisdictions surveyed now stands at EUR7.1bn (USD8.4bn/GBP6.2bn).

Ireland once again leads the enforcement tables, with aggregate fines issued by the Irish Data Protection Commission now reaching EUR4.04bn (USD4.77bn/GBP3.56bn) since the GDPR came into force in May 2018. The Irish Data Protection Commission also imposed the highest fine in 2025, issuing a EUR530m (USD625m/GBP466m) fine in April 2025 against a social media company for breaching GDPR's international data transfer restrictions.

Despite another active year, the largest fine ever imposed under the GDPR remains the EUR1.2bn (USD1.42bn/GBP1.06bn) fine issued by the Irish Data Protection Commission against Meta Platforms Ireland Limited in 2023.

 

Increase in Data Breach Notifications

For the first time since 25 May 2018, average breach notifications per day have reached over 400 – breaking the plateauing trend we have seen in recent years. Between 28 January 2025 and 27 January 2026, the average number of breach notifications per day increased by 22% – from 363 to 443. While the data does not reveal the exact causes of this spike in notifications, it seems likely that geopolitical tensions, the abundance of new technologies available to threat actors to launch cyber-attacks, and the raft of new laws including incident notification requirements are all contributing factors.

 

Security of processing personal data

Perhaps not surprisingly, given the sharp rise in reported personal data breaches this year and multiple global press reports of cyber-attacks, fines resulting from breaches of the GDPR integrity and confidentiality principle, also known as the security principle, and related GDPR articles continue to feature across all the jurisdictions surveyed. Supply chain security and compliance is increasingly attracting the attention of data protection supervisory authorities. Supervisory authorities expect robust security controls to prevent personal data breaches, and processors, as well as controllers, are directly liable for breaches of the security principle, resulting in several fines being imposed directly on processors this year.

 

GDPR compensation claims

GDPR compliance risks extend beyond regulatory penalties. There is also the potential for follow-on compensation claims. This year has brought several notable rulings from the Court of Justice of the European Union and European courts on GDPR-related compensation claims – particularly regarding the criteria for pursuing claims for non-material damage.

Commenting on the survey findings, Ross McKean, Chair of the DLA Piper UK Data, Privacy and Cybersecurity practice said:

“Most evident in this year's report is the validation that the cybersecurity threat landscape has reached an unprecedented level.

“In a year when heightened geopolitical tensions and multiple high profile cyber-attacks have dominated global headlines, the 22% uptick in personal data breach notifications demonstrates the serious and immediate consequences of these uncertain times for organisations. Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary. Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organisations to optimise cyber defences and operational resilience.”

“Elsewhere, the fact that combined GDPR fines held steady at EUR 1.2 billion shows regulators remain highly active, particularly in areas such as information security, international data transfers, transparency and the complex interplay between AI innovation and data protection laws.”

 
