
According to the latest “GDPR Fines & Data Breach Survey” published by DLA Piper, from January 28 2025 to the present, Europe’s data protection authorities received an average of 443 personal data breach notifications a day.
That is up 22% on the previous year, and marks the first time daily reports have pushed past 400 since the regulation came into force. Meanwhile, total fines have inched up from £996m in 2024.
The ICO’s record is not quite so impressive: UK GDPR-specific fines reached just £1.1m in 2024, although last year saw a better performance, with penalties rising to £19.6m from seven major cases, including a notable October settlement involving Capita. Even so, most are being appealed.
The DLA Piper report blames EU geopolitics, repeated cyber incidents, and cheap attack tools, with regulatory overload sitting in the background. Organisations are now juggling GDPR alongside a growing set of incident reporting regimes under new laws such as NIS2 and DORA.
In terms of enforcement, Ireland once again dominates the league table, with fines issued by the Irish Data Protection Commission now reaching €4.04bn since GDPR came into force, accounting for well over half of all fines issued across Europe during that period. France and Luxembourg are next in line, but quite a way back, showing how much of GDPR enforcement is being driven by a handful of regulators.
The Irish DPC also handed down the biggest single penalty of 2025, a €530m fine against TikTok over unlawful international data transfers, although the current record, set two years earlier, remains the €1.2bn penalty against Meta. Tech giants remain the biggest miscreants, with the report noting that this sector accounts for nine of the ten largest GDPR fines so far.
DLA Piper UK data, privacy, and cybersecurity practice chair Ross McKean said that the numbers should be read as a warning, not just another set of stats. “Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary
“Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organisations to optimise cyber defences and operational resilience.”