Data protection enforcement 2026: practical takeaways for companies

Regulatory update 2026: what companies must know about data protection enforcement

1. Normative background and recent decisions

From a regulatory standpoint, European supervisory authorities intensified enforcement in 2025–2026. The Garante and the EDPB led actions targeting large-scale profiling, incomplete records of processing activities, and weak vendor oversight.

The EDPB published guidance clarifying the treatment of automated decision-making under the GDPR and its interaction with emerging sectoral rules. Several national authorities issued fines for shortcomings in data portability and for inadequate technical and organizational security measures.

The enforcement wave focused on processors and controllers operating at scale across EU markets. Authorities cited cross-border impacts and the potential for significant rights infringements as reasons for prioritization.

From a practical standpoint, these decisions signal regulators’ emphasis on demonstrable compliance, accurate documentation, and rigorous third-party risk management. The Authority has established that mere policy statements are insufficient without verifiable implementation and oversight.

2. Interpretation and practical implications

Accountability is now a continuous, demonstrable management process rather than a one-time exercise. Companies may not rely on one-off audits or static manuals.

Practically, businesses must keep up-to-date records of processing and make them readily available to supervisory authorities. Vendors require documented due diligence and ongoing supervision. Automated profiling must be supported by a clear lawful basis and recordable impact assessments.

Compliance risk is real: regulators treat procedural gaps—such as incomplete documentation, weak data protection impact assessments (DPIAs), and missing contractual clauses—as indicators of substantive non-compliance. Such gaps can trigger inquiries that escalate into formal investigations and sanctions. The consequences include administrative fines, corrective orders, and damage to corporate reputation.

What companies should do next is practical and measurable. Maintain living DPIAs that reflect product and process changes. Embed contractual clauses that allocate data protection responsibilities and permit audits. Track remediation with verifiable evidence: timestamps, versioned documents, meeting minutes and monitoring logs. Provide targeted training and board-level reporting to show governance and oversight.

From a regulatory standpoint, demonstrable implementation matters as much as written policies. The Authority expects organisations to show how controls operate in practice, not only that controls exist. Companies that document and test their processes reduce enforcement risk and improve resilience.

3. What companies must do now

From a regulatory standpoint, firms should prioritise verifiable actions over policy statements.

First, update your data map so it matches actual processing flows. Verify sources, destinations and retention periods. Link each data flow to legal bases and recorded purposes. Perform targeted checks where automated profiling or large-scale processing occurs.

Second, conduct or refresh DPIAs for high-risk systems. The Authority has established that DPIAs must demonstrate concrete mitigations and validation steps. Document assumptions, threat scenarios and the outcomes of any technical or organisational measures.

Third, tighten vendor governance. Amend contracts to include mandatory data protection clauses, breach notification timelines and audit rights. Require subprocessors to meet the same controls and keep an up-to-date register of third-party processors.

Fourth, implement continuous monitoring using RegTech where feasible. Automate log collection, anomaly detection and evidence retention. Compliance risk is real: testing and automated alerts reduce time to detection and support timely response.

Fifth, prepare a compliance dossier that is ready to produce on request. Include records of processing, DPIAs, vendor audits, breach response plans and training evidence. Run tabletop exercises and keep incident playbooks current so supporting documents can be produced promptly during inquiries.

Finally, train staff on specific operational tasks linked to records and responses. Assign clear ownership for data flows and remediation steps. Expect regulators to focus on demonstrable execution rather than on policy language alone.

4. Risks and possible sanctions

From a regulatory standpoint, enforcement can target controllers and processors with several measures. Authorities can issue corrective orders, impose temporary limitations on processing, deliver public reprimands, and levy administrative fines up to 4% of global annual turnover or €20 million, whichever is higher. The Authority has established that financial penalties are not the only tool available.

Beyond fines, organisations face reputational harm and contractual liabilities. Customer claims, indemnities and third‑party breaches frequently follow enforcement actions. Operational disruption is also common when regulators order processing suspensions.

Compliance risk is real: non-compliance can impair cash flow, erode customer trust and restrict market access. Expect regulators to prioritise demonstrable execution over policy wording alone.

From a practical perspective, the risks translate into quantifiable exposures. Legal costs, remediation expenses and lost revenue from interrupted services are typical. The Authority has established that failure to show verifiable fixes increases the likelihood of escalated remedies.

Companies should treat these outcomes as business risks. Maintain incident response plans, preserve evidence of remedial steps and align contractual clauses with data protection obligations. The risk of enforcement is not abstract; it has immediate operational and financial consequences.

5. Best practices for robust compliance

From a regulatory standpoint, regulators expect an integrated approach of policy, process and technology, with each element supported by evidence that it operates in practice.

Adopt the following pragmatic measures.

  • Data mapping and governance: maintain a live inventory of personal data flows. Assign clear data ownership and publish accountability lines.
  • DPIAs and risk registers: perform DPIAs for high-risk processing. Keep a prioritized remediation plan linked to your risk register.
  • Vendor oversight: standardize contracts with clear data protection clauses. Require subprocessor lists and schedule periodic audits based on risk.
  • Technical and organizational measures: apply encryption and pseudonymization where feasible. Enforce access controls and deploy incident detection capabilities.
  • RegTech and automation: use tooling to automate record-keeping, consent management and breach reporting to reduce human error.
  • Training and culture: deliver role-based privacy training and run tabletop exercises for breach response.

Interpretation and practical implications

From a regulatory standpoint, documentation must show how measures interact. Regulators look for demonstrable evidence that controls are operating, not just written policies. Compliance risk is real: gaps in one area can invalidate safeguards elsewhere.

What companies should do

Map critical processing and link each activity to a legal basis. Integrate DPIA outcomes into project planning and change control. Require suppliers to provide audit evidence and contractual commitments. Automate routine proof points such as logs, consent receipts and data retention workflows.

Risks and possible sanctions

The Authority has established that failures in governance or vendor oversight can trigger corrective orders and fines. Operational disruption, reputational damage and remediation costs are common consequences. Maintain a remediation budget and escalation procedures to reduce exposure.

Best practice checklist

Prioritize measures that produce verifiable artifacts: live data maps, dated DPIAs, signed supplier attestations and automated logs. Test incident response quarterly and include third‑party scenarios. Assign a single senior owner for privacy risk and report metrics to the board.

From a regulatory standpoint, building an auditable trail matters more than single‑point fixes. Demonstrable controls reduce enforcement risk and improve operational resilience.

Translating rules into operational controls

From a regulatory standpoint, enforcement in 2026 rewards demonstrable accountability. National and EU authorities now expect ongoing governance, rigorous vendor oversight, and proportionate technical safeguards.

The Garante and the EDPB have signaled that one-off fixes are insufficient. The Authority has established that continuous, documented controls are the best evidence of compliance during investigations.

Compliance risk is real: organisations that cannot show repeatable processes face higher legal, financial, and reputational exposure. Companies should treat GDPR compliance as a strategic requirement and embed data protection into project lifecycles.

Practically, firms should adopt RegTech-enabled monitoring for scalability, map processing activities end to end, and maintain auditable records of decisions and technical settings. From a regulatory standpoint, these steps convert policy into verifiable action.

What should companies do now? Prioritise measurable controls, assign clear accountability for data flows, and document vendor due diligence and security measures. The Authority reviews documentation; absence of records weakens defence during enforcement.

Expected development: regulators will continue to focus on demonstrable governance rather than solely on single incidents. Firms that align procedures, technology, and documentation will reduce enforcement risk and strengthen operational resilience.