The EDPB report and what regulators want from you now

As the GDPR celebrates its seventh birthday, the latest report from the European Data Protection Board (EDPB) makes one thing clear: data privacy compliance has become a lot more than just having a policy.

Data privacy compliance is now about showing that you are actively managing risk, that you are embedding data protection into your business decisions, and that you are staying ahead of the curve, particularly when it comes to AI.

The report reflects a compliance landscape that has evolved, and it acknowledges that while some organisations have made progress, many have not. Despite guidance and a growing list of fines, too many companies still struggle to demonstrate that data privacy is genuinely integrated into their operations. Common failings include outdated consent mechanisms, superficial data protection impact assessments (DPIAs) and weak accountability documentation.

What’s next in data privacy

Significantly, the EDPB is looking ahead to the GDPR’s next chapter. The changes under discussion, such as strengthening enforcement cooperation and streamlining cross-border investigations, are, as the report notes, an indication that regulators are preparing for a more centralised system of oversight. This would reduce delays, eliminate inconsistencies and ensure that big players can’t hide behind jurisdictional loopholes.

One of the biggest drivers of this change is the need for faster, more decisive action, particularly in complex, high-impact cases. The report explicitly ties the need for reform to the challenges regulators face in coordinating these large-scale investigations. Future changes to the GDPR could see more cases handled jointly or centrally by the EDPB, with national regulators expected to play a more supportive role in rapid-response enforcement.

Nowhere is this more relevant than in cases involving AI. The EDPB’s recent opinion on training AI models using personal data signals a new level of regulatory scrutiny, not just for developers building large language models (LLMs) but also for organisations deploying them. Relying on your provider, or claiming you don’t know how a model was trained, is not going to fly.

Deployers of AI tools need to start asking hard questions. Was the model trained lawfully? Was personal data used without a valid legal basis? If sanctions have already been imposed on the provider, you can’t ignore the risks. Deployers are now expected to assess whether a model’s development breached the GDPR, and what that means for its ongoing use.

The EDPB has made it clear that most AI models won’t meet the threshold for being considered anonymous, so you can’t simply assume the GDPR doesn’t apply. Legitimate interest remains a possible legal basis, but only if you can demonstrate a clear purpose and show that you are adequately protecting individuals’ rights. That means a robust DPIA and concrete mitigation measures, such as ensuring personal data isn’t used in outputs or fine-tuning.

What can you do now?

Get your house in order. Review your data protection programme and update any outdated practices, especially around consent and accountability. Make sure you can explain how and why you collect data, who has access to it and how you manage the associated risks. Ensure your AI systems align with data protection principles such as fairness, transparency and data minimisation.

If you’re deploying AI tools, don’t wait for a fine to discover a compliance gap. Do your due diligence. Make sure the enterprise version you’re using doesn’t allow your data to be used to train public models. Implement governance controls to track which tools are in use, whether they’ve been assessed and what risks they raise. Watch out for “shadow AI”: staff using tools that bypass your policies.

And always look ahead. The GDPR isn’t standing still. Upcoming reforms will likely give regulators greater powers to act quickly and consistently across the EU. They’ll also put more pressure on companies to demonstrate not just intent but impact. This is your opportunity to move from reactive compliance to proactive governance.

One note: don’t forget the broader legal landscape. The EU AI Act is coming into force, and companies could face fines of up to 7% of global turnover for violations. So integrate your data protection, AI risk and compliance efforts now, before regulators come knocking.

And don’t miss our upcoming webinar, GDPR: Seven years on, to learn everything you need to know about the upcoming changes to the GDPR.