New VinciWorks survey finds AI governance has become the defining GDPR challenge, while basic risk management is falling short eight years after the regulation came into force.
Nearly one in three compliance and data protection professionals (31%) do not know when their organisation last reviewed its main GDPR risk assessments. That is according to the latest findings from a survey of 198 professionals carried out at the end of May 2026 by VinciWorks, marking eight years since GDPR came into force.
A further 18% said their risk assessments had not been reviewed for more than a year, and five per cent said reviews only take place when required. Combined, more than half of respondents (54%) cannot confirm that their risk position reflects the organisation they are today.
According to DLA Piper’s 2026 GDPR Fines and Data Breach Survey, European data protection authorities received an average of 443 breach notifications every day in 2025, a 22% rise on the year before and the highest daily figure since GDPR came into force. Cumulative GDPR fines across Europe since 2018 now exceed €7.1 billion, with more than 60% of that total imposed since January 2023.
The finding sits awkwardly alongside reported levels of confidence. A majority of respondents (54%) said they were fairly confident in their organisation’s GDPR compliance programme, and nearly one in six (16%) described themselves as very confident. Yet that confidence appears, in many cases, to rest on programmes that have not been properly tested or reviewed.
AI has overtaken every other GDPR concern
When asked which GDPR issue feels most challenging right now, over two in five respondents (43%) selected AI and automated decision-making. No other issue came close. Just over one-fifth (22%) cited supplier and processor management, while approximately one in five (19%) pointed to staff awareness and training. International transfers and data subject rights requests were each cited by fewer than one in ten (8%).
Nick Henderson-Mayo, head of compliance at VinciWorks, said: “AI has progressed from being a faraway, future concern to the central data and cyber compliance challenge right now. The problem is that many are applying GDPR thinking that was designed for static systems to technology that changes continuously. A DPIA written when a tool was first procured might not reflect what that tool is doing six months later, and regulators are increasingly focused on exactly that kind of governance lag.”
Regulators are already acting on this. In September 2025, the Hamburg Commissioner for Data Protection fined a financial services provider €492,000 for rejecting credit card applications using algorithms alone, without human oversight or adequate explanation, in breach of Article 22 of GDPR. In a separate case, the Italian data protection authority imposed a €5 million fine on Luka Inc., the company behind the AI chatbot Replika, for a range of GDPR failings including inadequate age-verification mechanisms. Both cases show that AI-related GDPR enforcement is no longer confined to large technology platforms.
Eight years on, nearly one in ten organisations still have no data protection training
On training, only roughly one in five respondents (22%) said their data protection training is very effective. Over half (52%) described it as OK but said it could be better. More than one in ten (11%) said their training is not very effective, and nine per cent said their organisation has no data protection training at all.
In the UK, the stakes are rising sharply. According to an analysis by Slaughter and May published in March 2026, the average ICO fine climbed from around £380,000 in 2024 to just under £3 million in 2025, with all major penalties following cyber-attacks. The same analysis noted that the National Cyber Security Centre reported a 50% increase in highly significant cyber incidents during 2025 compared to the previous year.
Henderson-Mayo added: “Nine per cent of organisations having no data protection training eight years after GDPR came into force is a serious exposure. But the quality of training matters, too. Regulators investigating a breach will go straight to training records: who was trained, when, and whether what they were taught was relevant to the decisions they were making. Tick-box training that was last updated in 2019 could be evidence of a problem.”
If the findings resonate with where your organisation is right now, VinciWorks has a number of resources that may help. For a broader view of where GDPR stands eight years on and what is coming next, the guide The state of GDPR: what’s changed, what’s coming and how to stay compliant covers the current regulatory landscape in full. For organisations grappling specifically with AI and data protection, When data thinks: the intersection of GDPR and AI explores the practical compliance questions that AI adoption is raising. Those looking to upskill their teams can explore the AI and Data Privacy course, and organisations that want to bring their data collection, workflows and regulatory evidence into one place can find out more about Omnitrack, VinciWorks’ GDPR workflow solution.
