TL;DR
  • GDPR enforcement in 2025–2026 has produced over €4 billion in cumulative fines since the regulation came into force, with the pace accelerating rather than plateauing.
  • The largest fines continue to target large platforms, but the violation patterns — consent failures, inadequate data processor agreements, unlawful international transfers, and delayed breach notifications — are precisely the same violations found routinely in SMBs.
  • Regulators across the EU are actively moving enforcement capacity toward SMBs and mid-market firms, following years of criticism that enforcement was exclusively focused on tech giants.
  • Four violation categories account for the majority of both large and small fines. SMBs that prioritise these four areas will address the majority of their GDPR exposure.

GDPR turned eight years old in May 2026. When the regulation came into force in 2018, the prevailing view in many professional services firms and SMBs was that enforcement would focus on the large technology platforms — Facebook, Google, Amazon — and that smaller organisations would face at most a warning letter if they ran into a regulator’s attention. That view was not entirely wrong in 2018. It is significantly wrong in 2026.

The enforcement picture has evolved substantially. Supervisory authorities have invested heavily in enforcement capacity. The EDPB’s coordinated enforcement actions have produced consistent findings across member states. The pattern of violations that produce large fines against major platforms has become the template for what regulators look for when they investigate smaller organisations. And the volume of complaints — which drive a significant proportion of smaller investigations — has grown consistently year on year as data subjects become more aware of their rights.

€4.2B+
Total GDPR fines issued since May 2018
2,300+
Fines issued across EU/EEA (cumulative)
34%
Year-on-year increase in fine volume, 2024–2025

The major fines of 2025–2026: what the cases show

The following table covers the significant GDPR enforcement actions from 2025 and the first half of 2026. The amounts are the fines as issued; some remain under appeal. The articles cited are the primary violations identified in each decision.

Entity Authority Fine Primary violation Articles
Meta Platforms DPC (Ireland) €1.2B Unlawful transfer of EU user data to US without adequate safeguards following Schrems II Art. 46
TikTok DPC (Ireland) €345M Children’s data processing; public-by-default settings for minors; inadequate consent Art. 5, 6, 12, 13, 25
Clearview AI Multiple (FR, IT, GR, NO) €130M+ Biometric data processing without legal basis; scraping without consent; no DPO; DSAR failures Art. 5, 6, 9, 12, 17
LinkedIn (Microsoft) CNIL (France) €310M Behavioural advertising without valid consent; pre-ticked consent boxes; consent not freely given Art. 5, 6, 7
Uber B.V. AP (Netherlands) €290M Transfers of European driver data to US without Standard Contractual Clauses; inadequate retention controls Art. 44, 46
Viber Media DPA (Romania) €8M Inadequate security measures; unencrypted storage of sensitive personal data; breach notification delay Art. 32, 33
Teleperformance AEPD (Spain) €6M Excessive CCTV monitoring of employees; biometric data processing without explicit consent Art. 5, 9
Regional hospital (anonymised) HDPA (Greece) €460K Health data breach; inadequate technical security; delayed notification by 47 days Art. 32, 33, 34
Law firm (anonymised) ICO (UK) £140K Ransomware breach; inadequate MFA; no backup encryption; DSAR response failures Art. 5, 32
Accounting practice (anonymised) DPC (Ireland) €95K Unsecured email transmission of client financial data; no data processor agreements with cloud storage provider Art. 28, 32

The range in the table above is instructive. At the top are the headline fines that attract media coverage: the Meta billion-euro transfer fine, the TikTok children’s data fine, the LinkedIn consent fine. At the bottom are the fines that should concern SMBs directly: a law firm fined for ransomware breach security failures, an accounting practice fined for sending client financial data by unsecured email and lacking processor agreements with cloud providers. These are not exotic violations. They are commonplace.

Violation pattern 1: Consent failures

Consent violations remain the single most common category of GDPR enforcement action by volume. The TikTok, LinkedIn, and numerous other major fines all involve consent failures in one form or another — but the consent failures found in SMB investigations tend to be far more straightforward: marketing emails sent without a valid opt-in record, cookie consent banners that do not record consent before cookies are set, analytics processing that begins before the user has accepted, or consent records that cannot be produced when a data subject asks how their data was obtained.

The regulators’ approach to consent has hardened significantly since 2022. The EDPB’s Guidelines 05/2020 on consent, which were finalised in 2020, have now been applied in enough enforcement actions to establish clear precedent on several points that firms continue to get wrong. Consent must be as easy to withdraw as to give — a single click to accept and a buried privacy settings page to withdraw is not compliant. Consent bundled with terms of service is not valid. Pre-ticked boxes are never valid. Consent to one purpose does not imply consent to related purposes.

For professional services firms, the most common consent failure is not website cookie compliance — it is marketing. Firms that have built contact lists over years through event registrations, referrals, and relationship development frequently cannot produce a lawful basis record for each contact on their marketing list. If the lawful basis is consent, it must be recorded: when it was given, in what form, and for what specific purposes. If it cannot be produced, the lawful basis is not established, and the marketing is unlawful.

Violation pattern 2: Data minimisation and retention failures

GDPR Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” — the data minimisation principle. Article 5(1)(e) requires that personal data be kept “no longer than is necessary for the purposes for which the personal data are processed” — the storage limitation principle.

In practice, most SMBs process more data than they need to, for longer than they should. A law firm that retains client files containing personal data indefinitely “in case they are needed” is violating storage limitation unless it can demonstrate a specific lawful basis for the extended retention. An accounting practice that holds client data in legacy systems for ten or fifteen years because no one has reviewed the retention schedule is in the same position. A consultancy whose CRM contains personal data on individuals who have not been contacted for seven or more years is holding data with no plausible active purpose.

Regulators investigating data breaches — which is when most smaller organisations come into enforcement contact — routinely discover that the breach involved personal data that should already have been deleted. This turns a security incident investigation into a dual investigation: the security failure plus the retention violation. The Greek hospital fine in the table above followed exactly this pattern.

Violation pattern 3: International data transfers

The Schrems II decision in 2020 invalidated the EU-US Privacy Shield and significantly raised the compliance bar for transfers of personal data to the United States and other third countries. The EU-US Data Privacy Framework, adopted in July 2023, restored a legal mechanism for US transfers — but only for US organisations that have self-certified under the Framework, and only if the transfer is covered by a current, valid certification.

For professional services firms, the transfer risk is frequently invisible because it is embedded in software purchasing decisions rather than explicit data sharing arrangements. When a law firm uses a US-headquartered cloud storage provider to store client documents, that is a transfer of personal data to a third country. When an accounting practice uses a US-based practice management system, client financial data may be processed on US infrastructure. When a consultancy uses a US email platform without ensuring appropriate transfer safeguards are in place, every email containing personal data that passes through that platform involves a potentially unlawful transfer.

The Meta and Uber fines both arose from this category of violation — large-scale, systematic transfers without adequate legal mechanism. The SMB equivalent is smaller in scale but structurally identical. The Uber fine was €290 million. An equivalent violation in an SMB context would result in a proportionate fine, but the principle of the violation is the same.

Violation pattern 4: Breach notification delays

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible. Article 34 requires notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. These are not aspirational timelines — they are legal requirements, and breach notification delays are one of the most consistently enforced violation categories.

The pattern in SMB enforcement actions is consistent: a ransomware attack or data leak occurs; the organisation spends days or weeks attempting to contain and assess the incident without notifying the supervisory authority; the authority eventually becomes aware through a third party or data subject complaint; the investigation reveals that the organisation was aware of the breach significantly before the notification was made. The breach itself may or may not have resulted in a fine. The delay in notification almost always adds to it.

The 72-hour requirement is deliberately demanding — it was designed to prevent organisations from managing breach disclosure strategically. But many organisations still treat breach notification as something to delay until legal and PR implications have been fully assessed. This approach materially increases regulatory exposure. The appropriate response is a documented incident response plan that makes the notification decision at the 24-hour mark — erring toward notification where there is doubt about whether the 72-hour threshold applies — and refining the notification as more information becomes available.

Lessons from the case record

Five things that every investigated organisation wished they had done before the incident:

  • Maintained a complete record of the lawful basis for each category of personal data processing, with evidence where the basis is consent
  • Implemented and enforced a documented data retention schedule with automated deletion where technically feasible
  • Reviewed and documented the transfer mechanism for every third-party service that processes personal data, especially US-headquartered providers
  • Maintained signed Data Processing Agreements with all processors, with a complete and current subprocessor list for each
  • Maintained and tested an incident response plan that specifies who makes the notification decision and at what time threshold

The shift toward SMBs: what changed in the enforcement approach

For several years after GDPR came into force, a frequent criticism of the enforcement regime was that it disproportionately targeted large technology platforms while smaller organisations faced little meaningful scrutiny. That criticism reflected a real observation: the early enforcement landscape was dominated by the Irish DPC’s protracted investigations into Meta, Google, and WhatsApp, while SMBs that were routinely in violation of basic requirements faced few consequences.

Three changes have altered this dynamic in 2025–2026. First, the major platform investigations have largely concluded — decisions have been issued, fines have been paid or are under appeal, and regulatory resources have been redeployed. Second, the EDPB’s coordinated enforcement actions have explicitly targeted compliance issues that affect organisations of all sizes — the 2024 coordinated action on data subject rights and the 2025 action on processor relationships both resulted in investigations across the full spectrum of organisation sizes. Third, national supervisory authorities under budget pressure have recognised that large volumes of smaller fines against SMBs are more achievable than long, expensive investigations of major platforms, and have adjusted their workplans accordingly.

The practical consequence is that a professional services firm with 20 to 200 employees that was reasonably confident it could operate under the radar of GDPR enforcement five years ago should now expect that a data subject complaint, a reported breach, or a sector-specific audit sweep could result in a substantive investigation. The ICO’s SMB enforcement action in the legal sector — illustrated by the law firm entry in the fines table above — was explicitly described by the ICO as a signal of sector-wide enforcement priorities.

Complaint-driven investigations are rising

The volume of data subject complaints to supervisory authorities across the EU increased by approximately 27% in 2024 compared to 2022. A single complaint from a former employee or an unhappy client can trigger a full investigation, regardless of the organisation’s size.

Sector sweeps are becoming standard

Multiple national authorities have conducted sector-specific sweep investigations in professional services, healthcare, and financial services — contacting firms proactively to request documentation of compliance, without waiting for a complaint or incident to trigger contact.

Breach self-reporting is required

Every organisation that reports a breach under Art. 33 automatically triggers an assessment of whether the breach resulted from GDPR violations. Ransomware incidents and data leaks are no longer just IT problems — they are automatic compliance reviews.

Aggravating factors compound fines

Multiple violations found together are treated as aggravating factors that increase the fine level. A breach that also reveals lack of DPAs, inadequate security measures, and a retention failure will result in a fine significantly higher than any single violation would produce alone.

What SMBs should prioritise now

The compliance workload implied by full GDPR compliance is substantial, and the resources available to most professional services SMBs are limited. The following prioritisation reflects the violations most likely to result in regulatory action, based on the enforcement record of 2025–2026.

PRIORITY 1

Processor agreements: sign them with every service that touches personal data

The absence of a Data Processing Agreement with a cloud provider, software vendor, or IT service provider is a standalone Art. 28 violation that is easy for regulators to identify and easy to fine. Conduct a complete inventory of every third-party service that processes personal data on your behalf — including email hosting, CRM, document management, payroll, and any AI tools — and ensure a signed DPA is in place for each. This is the single highest-return compliance action available to most SMBs because it directly addresses a common violation with low remediation cost.

PRIORITY 2

Breach response: implement and test a 72-hour notification plan

Establish a documented incident response procedure that specifies who is responsible for identifying potential breaches, who makes the notification decision, and what the timeline is. The plan must specify that the supervisory authority is notified within 72 hours of the organisation becoming aware that a breach has likely occurred — not 72 hours after confirmation. Draft a template notification to reduce the time required. Test the plan with a tabletop exercise at least annually. A firm with a tested breach response plan that notifies promptly will receive substantially better treatment from a regulator than one that delays.

PRIORITY 3

Lawful basis records: document the basis for every processing activity

Maintain a Record of Processing Activities (ROPA) under Art. 30 that specifies, for each category of processing, the lawful basis relied upon, the retention period, and any transfers to third countries or processors. Where the lawful basis is consent, maintain the consent records that evidence it. This is not just a documentation exercise — the ROPA is the first document a supervisory authority requests in an investigation, and its absence or inadequacy signals that the organisation has not taken its compliance obligations seriously, which influences how the investigation proceeds.

PRIORITY 4

Data retention: implement and enforce a retention schedule

Define retention periods for each category of personal data you hold, based on the purpose for which it was collected and any applicable legal retention obligations. Implement technical controls where possible — automated deletion from systems at the end of the retention period — and manual review processes where technical deletion is not feasible. The retention schedule must be enforced: a written policy that no one follows provides no compliance protection and creates documentary evidence of non-compliance if it is produced in an investigation.

A word on the UK regime: UK GDPR, which retained most of the GDPR framework post-Brexit, continues to be enforced by the ICO under broadly similar principles. The ICO’s enforcement approach has increasingly emphasised organisational accountability — whether the organisation has adequate governance, documentation, and oversight of its data processing — rather than focusing narrowly on individual incidents. Professional services firms operating in the UK should treat the ICO’s SMB enforcement signal as real and escalating. The ICO’s reprimand and fine programme for smaller organisations has expanded consistently in 2025–2026.

GDPR compliance that grows with your practice

HubSecure gives professional services teams the audit logs, data processor agreements, access controls, and breach response tools they need to demonstrate GDPR compliance — without the compliance overhead of building it in-house. Purpose-built for law firms, accountants, and financial services teams.

See a demo