A fresh survey has spotlighted a major shift in priorities for compliance and privacy professionals across Europe. Artificial intelligence and automated decision-making have surged to the forefront of GDPR concerns, outpacing more traditional compliance headaches like international data transfers and subject access requests.
Conducted by VinciWorks, the research polled 198 data protection and compliance experts. The findings paint a picture of an industry grappling with cutting-edge technology while foundational elements of GDPR readiness lag behind. Even as organizations express reasonable confidence in their overall programs, many admit uncertainty about the currency of their core risk assessments.
Key Findings: A Compliance Landscape in Flux
The survey highlights a growing disconnect between the rapid adoption of AI tools and the slower pace of governance updates. Here’s a breakdown of the standout statistics:
- 42.9% of respondents identified AI and automated decision-making as their most challenging GDPR issue right now.
- 21.8% pointed to supplier and processor management.
- 19.4% cited staff awareness and training.
- International transfers (8.2%) and data subject rights requests (7.6%) ranked significantly lower.
Risk Assessments: Out of Sight, Out of Mind?
More than half of the professionals surveyed could not confidently confirm that their organization’s GDPR risk position accurately reflects current operations. Digging deeper into the data on risk assessment reviews:
- 31% did not know when their main GDPR risk assessments were last reviewed.
- 18% reported no review in over a year.
- 5% said reviews only happen when strictly required.
Why AI Is the New Compliance Flashpoint
Nick Henderson-Mayo, Head of Compliance at VinciWorks, captured the urgency perfectly:
“AI has progressed from being a faraway, future concern to the central data and cyber compliance challenge right now. The problem is that many are applying GDPR thinking that was designed for static systems to technology that changes continuously. A DPIA written when a tool was first procured might not reflect what that tool is doing six months later, and regulators are increasingly focused on exactly that kind of governance lag.”
This sentiment reflects a broader reality: AI systems evolve rapidly, and traditional Data Protection Impact Assessments (DPIAs) can quickly become obsolete. Regulators are taking notice, with enforcement actions already targeting automated decision-making.
Notable Enforcement Actions
- The Hamburg Commissioner for Data Protection fined a financial services provider €492,000 for using algorithms alone to reject credit card applications, without meaningful human oversight or adequate explanations—breaching Article 22 of the GDPR.
- The Italian data protection authority hit the company behind the AI chatbot Replika with a €5 million fine over multiple GDPR issues, including inadequate age-verification mechanisms.
Training Gaps Compound the Risks
The survey also exposed weaknesses in one of the most fundamental areas of compliance: staff training. Only 22.3% rated their data protection training as “very effective,” while over half (51.6%) called it acceptable but needing improvement. Alarmingly:
- 11.2% said training is not very effective.
- 9% reported no data protection training at all.
- 5.9% were unsure about their organization’s training status.
“Nine per cent of organisations having no data protection training eight years after GDPR came into force is a serious exposure. But the quality of training matters too. Regulators investigating a breach will go straight to training records: who was trained, when, and whether what they were taught was relevant to the decisions they were making. Tick-box training that was last updated in 2019 could be evidence of a problem.”
The Broader Enforcement Backdrop
These findings come amid escalating regulatory pressure and rising breach volumes:
- Analysis from Slaughter and May showed the average UK ICO fine jumping from around £380,000 in 2024 to nearly £3 million in 2025, largely tied to cyber incidents.
- The UK’s National Cyber Security Centre recorded a 50% increase in highly significant cyber incidents in 2025.
- DLA Piper’s survey noted an average of 443 breach notifications per day to European authorities in 2025—a 22% rise year-over-year.
- Cumulative GDPR fines across Europe now exceed €7.1 billion since 2018, with over 60% imposed since January 2023.
Practical Implications for Organizations
For businesses integrating AI, the challenges extend far beyond generative tools like ChatGPT. Any system making decisions about individuals—whether in hiring, lending, or customer service—can trigger specific GDPR obligations, especially under Article 22 on automated individual decision-making.
Recommended Actions to Strengthen Compliance
- Review and Refresh DPIAs Regularly: Treat risk assessments as living documents. Schedule quarterly reviews for AI systems and document changes in processing activities.
- Enhance Human Oversight: Ensure meaningful human intervention in automated decisions, with clear explanations available to data subjects.
- Invest in Targeted Training: Move beyond tick-box sessions to role-specific, up-to-date programs that address AI risks and decision-making scenarios.
- Strengthen Vendor Management: Conduct thorough due diligence on AI suppliers and maintain robust processor agreements.
- Document Everything: Maintain audit-ready records of training, assessments, and decision rationales to demonstrate accountability during investigations.