
Europe’s GDPR cops dished out €1.2B in fines last year as data breaches piled up

GDPR fines pushed past the £1 billion (€1.2 billion) mark in 2025 as Europe’s regulators were deluged with more than 400 data breach notifications a day, according to a new survey that suggests the post-plateau era of enforcement has well and truly arrived.

The figures come from the latest GDPR Fines and Data Breach Survey published by DLA Piper, which puts total fines issued across Europe last year at roughly £1 billion (€1.2 billion), up from £996 million in 2024. While that year-on-year increase is modest, regulators have now handed down €7.1 billion (£6.2 billion) in penalties since GDPR came into force in May 2018. 

The fines may look familiar, but breach reporting does not. From 28 January 2025 to the present, Europe’s data protection authorities received an average of 443 personal data breach notifications a day. That’s up 22 percent on the year before, and marks the first time daily reports have pushed past 400 since the regulation came into force.

The firm avoids pointing to a single root cause. Rather than offering a neat explanation, the survey describes several things going wrong at once: geopolitics, repeated cyber incidents, and attack tooling that’s now easy to obtain, with regulatory overload sitting in the background. Organizations are now juggling GDPR alongside a widening set of incident reporting regimes under laws such as NIS2 and DORA, which have raised the baseline for what needs to be disclosed – and how quickly.

Ross McKean, chair of DLA Piper’s UK data, privacy, and cybersecurity practice, said that the numbers should be read as a warning, not just another set of stats. “Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary,” he said. 

“Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organizations to optimize cyber defences and operational resilience.”

On the enforcement side, the familiar names remain at the top of the leaderboard. Ireland once again dominates the tables, with aggregate fines issued by the Irish Data Protection Commission now reaching €4.04 billion since GDPR began, accounting for well over half of all fines issued across Europe during that period. France and Luxembourg are next in line, but a long way back, showing how much of GDPR enforcement is being driven by a small number of regulators.

Ireland also handed down the biggest single penalty of 2025, a €530 million fine against TikTok over unlawful international data transfers. That still wasn’t enough to unseat the current record, set two years earlier when regulators hit Meta with a €1.2 billion sanction. Big tech remains the favorite target, with DLA Piper noting that nine of the ten largest GDPR fines on the books have landed there.

Seven years in, and GDPR appears to be finding its stride. The penalties are routine, the breach reports are back on the rise, and the paperwork is as relentless as ever. ®
