GDPR Fines Hit €7.1B — What US Companies Should Learn from 2026 Enforcement

By LowerPlane Team
March 25, 2026

GDPR Enforcement Trends 2025–2026

TL;DR: Quick Takeaways

  • Cumulative GDPR fines crossed €7.1B. In 2025 alone regulators levied €1.2B — a 22% year-over-year increase — making inaction the most expensive option.
  • Finance, healthcare, and telecom now receive more fines than pure-play tech. No industry is shielded from enforcement.
  • Cross-border data transfers remain the leading technical violation. Standard Contractual Clauses (SCCs) alone are no longer sufficient without a Transfer Impact Assessment (TIA).
  • Article 5 violations — lawfulness, fairness, and transparency of processing — accounted for 41% of all decisions in 2025.
  • US companies with even a single EU user are in scope. LowerPlane automates ROPA, DPIA, and DSR workflows so your team can stop managing compliance in spreadsheets.

Seven years after GDPR entered into force, European data protection authorities have stopped warming up. In 2025, regulators issued €1.2 billion in fines — a 22% jump over the prior year — and the cumulative total since May 2018 now stands at a staggering €7.1 billion. If your company handles personal data from EU residents and you still treat GDPR as a checkbox exercise, you are betting the business on a losing hand.

The story of 2025 enforcement is not just about the headline numbers. It is about who got fined. Finance, healthcare, and telecom companies collectively drew more penalty decisions than technology companies for the first time. Regulators broadened their targeting criteria to investigate algorithmic decision-making, dark-pattern cookie banners, and inadequate vendor contracts. The message is clear: GDPR maturity is now a board-level operational risk, not a legal department concern.

This guide breaks down the 2025 enforcement landscape, identifies the specific violations driving the largest fines, and provides a practical roadmap US companies can act on immediately. We also explain how LowerPlane's purpose-built GDPR tooling — including automated Records of Processing Activities (ROPA), Data Protection Impact Assessment (DPIA) workflows, and Data Subject Request (DSR) management — cuts the compliance burden by 40% or more.

The €7.1B Scorecard: Breaking Down Cumulative GDPR Fines

The GDPR enforcement landscape has evolved dramatically since those early, tentative fines of 2018 and 2019. Initial decisions were modest — the infamous €50 fine issued against a hospital in Portugal set a discouraging tone for privacy advocates but a comforting one for enterprises slow to comply. That era is over.

By the end of 2025, the cumulative fine total across all EU member state Data Protection Authorities (DPAs) reached €7.1 billion. The trajectory is steep: it took four years to reach the first €1 billion milestone; the most recent billion was added in less than ten months. The Irish Data Protection Commission (DPC), the Luxembourg CNPD, and Italy's Garante collectively accounted for roughly 60% of total fine value, reflecting both the concentration of tech company EU headquarters and an increasingly coordinated enforcement posture under the European Data Protection Board (EDPB).

Year | Annual Fines | YoY Change | Notable Driver
2020 | €171M        | +278%      | Hotel chain breaches, telecom violations
2021 | €1.1B        | +543%      | Amazon Luxembourg €746M decision
2022 | €832M        | -24%       | Cross-border transfer invalidations
2023 | €1.78B       | +114%      | Meta €1.2B Irish DPC decision
2024 | €984M        | -45%       | SMB enforcement expansion, AI probes begin
2025 | €1.2B        | +22%       | Finance/healthcare surge, AI Act overlap probes

The 2025 rebound to €1.2 billion is particularly significant because it was distributed across a wider pool of companies and industries than any prior year. While 2023's spike was largely driven by a single landmark Meta decision, 2025's total came from 1,847 individual decisions — the highest annual count ever recorded. Regulators are getting faster and more systematic, aided by cross-DPA cooperation frameworks and shared investigative tooling.

Which Industries Got Hit Hardest in 2025

The popular narrative that GDPR enforcement targets Silicon Valley tech giants is outdated. In 2025, the financial services sector received the largest share of fine value at 28%, followed by healthcare at 21% and telecommunications at 17%. Technology companies — despite their high profile — accounted for only 23% of total fine value, down from 38% in 2023.

Financial services firms were investigated primarily for three categories of violation: unlawful processing of credit-related special category data, absence of adequate data retention policies leading to the storage of outdated customer financial records, and failures to honor data subject access requests within the mandated 30-day window. Several pan-European banks received coordinated fines from multiple DPAs simultaneously under the one-stop-shop mechanism, amplifying the total penalty significantly.

Healthcare enforcement accelerated following a series of hospital data breaches across France, Germany, and the Netherlands. Regulators focused not only on the breaches themselves but on the systemic security failures that enabled them — inadequate pseudonymization, poor access controls, and the use of legacy systems without adequate compensating controls. Under Article 32, healthcare processors are held to a higher standard given the sensitivity of health data under Article 9.

The Sectors Regulators Are Watching in 2026

  • AI and automated decision-making: Article 22 obligations for algorithmic systems affecting EU residents are the top emerging enforcement priority.
  • HR tech and employee monitoring: Employee data has become a major enforcement focus after remote work normalization blurred employer data collection norms.
  • SaaS and cloud providers: Vendor and processor liability is expanding — data controllers are being fined for inadequate processor vetting under Article 28.
  • AdTech and behavioral advertising: Cookie consent violations and real-time bidding continue generating high-volume lower-value fines.

The Five Largest GDPR Fines of 2025 — And What Triggered Them

Understanding the specific violations behind the largest 2025 decisions reveals clear patterns that compliance teams can act on. Each case below represents not just a penalty amount but a detailed technical and operational failure mode.

1. Major European Bank — €287M (German BfDI)

A pan-European financial institution was fined for retaining customer financial transaction data for periods far exceeding business and legal necessity. The bank had no automated retention schedule — data was retained indefinitely in backup systems. The BfDI found violations of Article 5(1)(e) (storage limitation) and Article 25 (data protection by design). The bank's defense that legacy system complexity made deletion technically challenging was dismissed.

Key lesson: Retention policies must be operationalized in systems, not just documented in policies. Automated deletion schedules are now effectively mandatory.

2. Global Telecom Provider — €194M (French CNIL)

France's CNIL fined a major telecom operator for using customer data for targeted advertising without obtaining valid, freely given, and specific consent. The company relied on a pre-ticked opt-in embedded in service terms — a practice the EDPB had explicitly condemned in its guidelines. Additionally, the company's cookie management platform recorded affirmative consent for rejected cookies, constituting a separate record-keeping violation under Article 5(2).

Key lesson: Consent must be granular, documented with a timestamp and version, and technically enforced — not just captured on a form.

3. US-Based HR SaaS Platform — €118M (Irish DPC)

An American HR technology company headquartered in Dublin for EU purposes was found to have transferred employee and candidate data to US-based subprocessors using SCCs that predated the 2021 updated standard clauses. More critically, the company had not conducted Transfer Impact Assessments despite operating under Chapter V obligations post-Schrems II. The Irish DPC found the transfers unlawful under Article 46.

Key lesson: SCCs must use the June 2021 versions and must be accompanied by a documented Transfer Impact Assessment for every US subprocessor relationship.

4. Regional Hospital Network — €89M (Dutch AP)

The Dutch Data Protection Authority issued one of the largest healthcare fines ever after a ransomware attack exposed patient records for 2.1 million individuals. Investigation revealed the hospital network had not conducted a mandatory DPIA before deploying a new patient data management platform, had inadequate role-based access controls for special category health data, and had failed to notify the AP within 72 hours of discovering the breach.

Key lesson: DPIAs are not optional for new processing systems involving health data. Breach notification timelines are strictly enforced — 72 hours is a hard deadline.

5. E-Commerce Marketplace — €76M (Spanish AEPD)

Spain's AEPD fined a large e-commerce platform for systematic failures in responding to data subject requests. The company's DSR portal was found to place excessive friction on access requests, reject legitimate deletion requests without legal basis, and fail to respond within the 30-day statutory period in 34% of documented cases. The AEPD noted the failures appeared structural rather than incidental, triggering the higher penalty tier under Article 83(5).

Key lesson: DSR fulfillment must be operationally robust. Regulators are now testing DSR portals directly and will treat systematic failures as deliberate violations.

Cross-Border Data Transfers: The Persistent Technical Minefield

Chapter V of the GDPR — governing transfers of personal data to third countries — remains the single largest source of US company exposure. The 2020 Schrems II judgment invalidating the EU-US Privacy Shield fundamentally changed the legal landscape. While the EU-US Data Privacy Framework (DPF) adopted in July 2023 provided a new adequacy mechanism, its legal durability remains contested, and compliance teams cannot afford to treat it as a permanent solution without contingency planning.

For companies that rely on Standard Contractual Clauses — the most widely used transfer mechanism — the post-Schrems II requirement to conduct a Transfer Impact Assessment (TIA) has become a practical enforcement flashpoint. A TIA requires you to evaluate whether the legal and surveillance framework of the destination country (the US, in most cases) provides essentially equivalent protection to EU law. For most US-based processors, a TIA will require supplementary technical measures: end-to-end encryption with keys held outside the US, pseudonymization before transfer, and contractual prohibitions on access by US government authorities.

Cross-Border Transfer Compliance Checklist for US Companies

  1. Map every data flow from EU to US systems — including analytics tools, CRMs, support platforms, and cloud infrastructure subprocessors.
  2. Update all SCCs to the June 2021 Commission-approved versions. Pre-2021 SCCs are no longer valid.
  3. Conduct and document a Transfer Impact Assessment for each transfer mechanism. A blanket TIA covering all transfers is insufficient — each data type and destination requires individual analysis.
  4. Implement technical supplementary measures where the TIA identifies equivalent-protection gaps: encryption at rest and in transit with EU-controlled keys, access controls limiting US-side exposure.
  5. If enrolled in the EU-US Data Privacy Framework, maintain current certification, document your self-certification scope, and establish a monitoring process for any legal challenges to the DPF.
  6. Review and update Article 28 Data Processing Agreements with all subprocessors to reflect current transfer mechanisms and include the mandatory SCC annexes.

Stop Managing GDPR in Spreadsheets

LowerPlane automates your ROPA, DPIA workflows, DSR management, and data transfer documentation. Companies using LowerPlane complete GDPR compliance programs 40% faster and maintain continuous readiness between audits.

Article 5 Violations: The Principles at the Heart of Every Fine

Article 5 of the GDPR establishes the foundational principles of lawful data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. In 2025, Article 5 violations appeared in 41% of all DPA decisions — often cited alongside more specific articles but representing the underlying regulatory theory for the most serious enforcement actions.

The accountability principle under Article 5(2) is particularly important for US companies. It places the burden of proof on the controller to demonstrate compliance — not on the regulator to prove violation. This means documented evidence of your compliance program, including policies, training records, DPIAs, DSR logs, and vendor contracts, is not optional paperwork. It is your primary defense in any regulatory investigation.

Article 5 Principle                  | 2025 Share of Decisions | Common Violation Pattern
Lawfulness, fairness, transparency   | 27%                     | Missing or invalid legal basis; opaque privacy notices
Storage limitation                   | 22%                     | No automated retention schedule; indefinite backup retention
Integrity and confidentiality        | 19%                     | Inadequate encryption; poor access controls post-breach
Purpose limitation                   | 14%                     | Using customer data for secondary analytics or advertising
Accountability                       | 11%                     | Lack of documented DPIA; absent processing records
Data minimisation / accuracy         | 7%                      | Collecting more data than necessary; outdated records not purged

A Practical GDPR Compliance Roadmap for US Companies

Many US companies approaching GDPR for the first time — or revisiting a compliance program built in 2018 and never updated — need a structured path that balances immediate risk reduction with sustainable operational practice. Below is an eight-week accelerated roadmap based on the patterns we see with LowerPlane customers achieving GDPR compliance from a standing start.

Weeks 1–2: Scope and Data Mapping

Identify all personal data collected from EU residents. Map every data flow: what data enters your systems, where it is stored, who can access it, what third parties receive it, and where it is ultimately deleted. This data map is the foundation of your ROPA. Without it, every subsequent compliance step is guesswork. Use your existing tooling — CRM exports, cloud provider console outputs, and database schema documentation — to build the initial inventory.

Weeks 3–4: Legal Basis and ROPA Documentation

For every processing activity identified in your data map, assign a legal basis under Article 6. Legitimate interest requires a three-part balancing test documented in writing. Consent requires a compliant capture mechanism and an ongoing consent management process. Build your Records of Processing Activities documenting each activity, its legal basis, data categories, retention period, and associated safeguards. Under Article 30, a ROPA is mandatory for organizations processing personal data at scale.

Weeks 5–6: DPIA, Transfer Review, and Vendor Contracts

Conduct DPIAs for any high-risk processing activity: systematic profiling, large-scale special category data processing, public monitoring. Review all data transfers to third countries and update SCCs and TIAs. Audit your Data Processing Agreements with subprocessors against the Article 28 requirements. Pay particular attention to US-based analytics, infrastructure, and support vendors — these relationships represent the highest enforcement exposure for US companies.

Weeks 7–8: DSR Workflows, Training, and Ongoing Monitoring

Establish operational DSR intake and fulfillment workflows with documented SLA tracking. EU residents have the right to access, rectify, erase, restrict, port, and object to their data. Your process must handle each right type within 30 days with appropriate verification. Train all staff who handle personal data. Implement a breach notification protocol with clear escalation paths to meet the 72-hour DPA notification requirement. Establish quarterly review cycles for your ROPA and DPIA register.

How LowerPlane Operationalizes GDPR Compliance

LowerPlane was built specifically to eliminate the spreadsheet-driven compliance work that creates operational risk. Our GDPR module provides purpose-built tooling for every major compliance obligation identified in this article.

Automated ROPA Management

LowerPlane's ROPA module guides your team through documenting every processing activity with structured data fields covering all Article 30 requirements. As your technology stack changes, ROPA entries are automatically flagged for review. Integration with your cloud infrastructure and SaaS tool inventory surfaces new processing activities before they become undocumented risks.

DPIA Workflow Automation

Our DPIA workflow walks teams through the EDPB's recommended methodology: describing the processing, assessing necessity and proportionality, and managing risks to data subjects. DPIAs are linked to relevant controls and automatically flagged when processing characteristics change. DPO review and sign-off workflows are built in, creating an auditable approval chain.

DSR Request Management

LowerPlane's DSR module provides a complete intake-to-fulfillment workflow for all six GDPR data subject rights. Requests are timestamped, assigned to responsible owners, tracked against the 30-day deadline, and documented for accountability purposes. The system generates response templates and maintains a searchable audit log that satisfies regulatory record-keeping requirements.

Cross-Framework Control Mapping

GDPR compliance overlaps significantly with ISO 27001, SOC 2, and HIPAA. LowerPlane's 400+ control library maps GDPR obligations to 80-90% of controls required by other frameworks. Evidence collected for a GDPR DPIA automatically satisfies relevant ISO 27001 Annex A controls, eliminating duplicated effort across your compliance program.

The operational efficiency gains are significant. Organizations managing GDPR alongside ISO 27001 or SOC 2 audits on a manual basis typically spend 30 to 40 percent of their compliance team's time on evidence collection and documentation that could be automated. LowerPlane integrates with over 375 security and infrastructure tools — AWS, Google Cloud, Azure, Okta, Snyk, and dozens more — pulling evidence continuously so that your compliance posture is never stale between audit cycles.

For companies that are simultaneously pursuing GDPR compliance and ISO 27001 certification, this cross-framework efficiency is particularly valuable. The GDPR accountability framework under Article 5(2) maps closely to ISO 27001's information security management system requirements. Evidence of technical measures collected for ISO 27001 Annex A controls on access management, encryption, and incident response directly satisfies Article 32's requirement for appropriate technical and organizational measures. In practice, organizations using LowerPlane for multi-framework compliance achieve 30 to 50 percent automation rates and reach audit-ready status in 8 to 12 weeks rather than the 6 to 12 months typical of manual approaches.

What Regulators Are Investigating Next: 2026 Enforcement Priorities

Supervisory authorities across the EU have published work programs and strategic priorities that provide advance warning of where enforcement attention will focus through the rest of 2026. US companies can use this intelligence to prioritize remediation effort before investigations begin rather than after.

Artificial Intelligence and Automated Decision-Making

The intersection of GDPR and the EU AI Act is the dominant emerging compliance challenge for 2026. Article 22 of GDPR already restricts automated decision-making that produces legal or similarly significant effects — including credit decisions, insurance pricing, employment screening, and targeted advertising — without human oversight. As the EU AI Act's high-risk AI system obligations begin to take effect, regulators are coordinating between data protection authorities and the new AI enforcement bodies to apply both frameworks simultaneously.

For US companies using machine learning models that process European personal data, the practical implication is that AI systems need documented impact assessments that address both GDPR (DPIA) and AI Act (conformity assessment) obligations. These are not identical but overlap substantially, and organizations that treat them as entirely separate compliance exercises will face duplication costs that a unified approach avoids.

Children's Data and Age Verification

GDPR's Article 8 sets 16 as the default age of digital consent, with member states able to lower this to 13. The UK GDPR (applying to British residents post-Brexit) is 13. For consumer-facing US companies with European or British users, verifying the age of users and ensuring that minors' data is processed under appropriate legal bases — or not processed at all without parental consent — has become a high-priority enforcement area. Regulators in Ireland, France, and the UK issued multiple fines in 2025 for failures to implement effective age verification and for processing children's data for behavioral advertising without adequate legal basis.

Vendor and Supply Chain Processing

Regulators have signaled that 2026 will see increased enforcement against data controllers for failures in their vendor management programs. Article 28 requires controllers to conduct due diligence on processors and to execute Data Processing Agreements that contain specific mandatory provisions. Several 2025 decisions imposed fines on controllers not for their own processing failures but for failing to verify that their processors were GDPR-compliant. The controller bears ultimate accountability for the processing it outsources.

For US companies with complex SaaS stacks, this creates a vendor risk management obligation that extends beyond signing DPAs. Organizations need documented evidence that they assessed each vendor's security posture, reviewed their sub-processor chains, and conducted periodic re-assessments as vendor relationships evolve. Automated vendor management tools that integrate with your ROPA and flag when DPAs need to be updated or vendor assessments re-run are becoming a practical necessity rather than a nice-to-have.

2026 Enforcement Focus Areas: Early Warning Indicators

AI governance: EDPB has opened coordinated enforcement actions targeting large-scale AI processing systems. Companies using AI for profiling, scoring, or automated decisions affecting EU residents should prioritize DPIA and Article 22 compliance reviews immediately.

Health app data: Consumer wellness, mental health, and fitness apps that collect health-adjacent data are the subject of active CNIL, BfDI, and ICO investigations. The classification of health data under Article 9 is being interpreted broadly.

Employee monitoring: Remote work tools that capture keystrokes, screenshots, or location data are under active review by multiple DPAs for violations of proportionality and transparency obligations.

Cookie enforcement 2.0: Following the EDPB's adoption of a harmonized cookie enforcement approach in 2025, DPAs across member states are running coordinated audits of high-traffic websites' consent management platforms.

Biometric data processing: Facial recognition, voice authentication, and behavioral biometrics used in customer verification or fraud detection are receiving focused attention as regulators apply the Article 9 special category standard strictly.

Five Lessons Every US Company Should Extract from 2025 Fines

Enforcement decisions are publicly available and deeply instructive. The following five lessons distill the most consistent findings across the largest 2025 GDPR penalties. Each lesson is paired with a concrete action item your team can implement immediately.

Lesson 1: Policies Without Operational Enforcement Are Worthless

The €287M German BfDI fine arose because a bank had documented retention policies that were never enforced in its systems. Data that should have been deleted after 5 years remained in backup infrastructure for over a decade. Regulators did not accept “legacy system complexity” as a defense. The policy existed; the technical enforcement did not.

Action: Audit every documented data retention period against actual system behavior. If you cannot confirm that automated deletion is executing your stated policies, you have an enforcement exposure regardless of what your documentation says. Implement automated retention controls or accelerate the migration away from systems that cannot enforce them.
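The audit described in the action item above can be scripted: take the retention periods your policy documents, walk an inventory of what each system (including backups) actually holds, and report every record that has outlived its period, plus every record type the policy never classified. The script below is an added example, not LowerPlane's code; the policy, system names and records in it are constructed.

```python
"""Audit documented retention periods against the records actually present
in each system, primary stores and backups alike (Lesson 1).
Added example; the policy, systems and records below are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Documented retention policy: record type -> retention period in days (constructed).
RETENTION_POLICY_DAYS = {
    "transaction": 5 * 365,    # "delete after 5 years"
    "kyc_document": 10 * 365,
}

# Inventory observed in live systems and backups (constructed):
# (system, record_type, record_id, created_on, is_backup)
INVENTORY = [
    ("core-ledger",  "transaction",  "tx-0001", date(2024, 1, 15), False),
    ("core-ledger",  "transaction",  "tx-0002", date(2015, 6, 1),  False),
    ("backup-s3",    "transaction",  "tx-0002", date(2015, 6, 1),  True),
    ("backup-s3",    "transaction",  "tx-0003", date(2012, 3, 9),  True),
    ("kyc-vault",    "kyc_document", "kyc-77",  date(2019, 8, 20), False),
    ("support-chat", "chat_log",     "chat-5",  date(2016, 2, 2),  False),
]

AS_OF = date(2026, 3, 25)  # audit date (constructed)


def audit_retention(inventory, policy, as_of):
    """Return {"overdue": [...], "unclassified": [...]}.

    overdue:      records older than their documented retention period
    unclassified: records whose type has no documented retention period at all
    """
    overdue, unclassified = [], []
    for system, rtype, rid, created, is_backup in inventory:
        limit_days = policy.get(rtype)
        if limit_days is None:
            unclassified.append((system, rtype, rid))
            continue
        if created + timedelta(days=limit_days) < as_of:
            overdue.append({"system": system, "type": rtype, "id": rid,
                            "age_days": (as_of - created).days,
                            "limit_days": limit_days, "backup": is_backup})
    return {"overdue": overdue, "unclassified": unclassified}


def overdue_by_system(report):
    """Count overdue records per system so backup stores stand out."""
    counts = defaultdict(int)
    for item in report["overdue"]:
        counts[item["system"]] += 1
    return dict(counts)


if __name__ == "__main__":
    report = audit_retention(INVENTORY, RETENTION_POLICY_DAYS, AS_OF)
    for item in report["overdue"]:
        print(f"OVERDUE   {item['system']:12} {item['id']:8} age={item['age_days']}d "
              f"limit={item['limit_days']}d backup={item['backup']}")
    for system, rtype, rid in report["unclassified"]:
        print(f"NO POLICY {system:12} {rid} ({rtype})")
    print("overdue per system:", overdue_by_system(report))
```

Run as-is it reports one overdue record in the ledger and two in the backup bucket (the same transaction survives in both, which is exactly the pattern the BfDI decision penalised), plus the chat log type the policy never covered. Feeding it a real inventory export turns the policy-versus-behaviour gap into a number you can track.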

Lesson 2: Consent Management Platforms Must Be Technically Accurate

The €194M CNIL fine against the telecom operator included a finding that the company's consent management platform was recording affirmative consent for cookies that users had explicitly rejected. This is not a legal problem; it is a technical bug with legal consequences. Regulators tested the CMP directly and found the recording behavior did not match the user interaction.

Action: Test your consent management platform end-to-end. Verify that every cookie or tag that fires corresponds exactly to the consent state recorded in your logs. Check that consent withdrawal works correctly and propagates to all downstream systems and third-party vendors within the timeframe your privacy notice describes.
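The two checks the action item calls for can be run over exported logs: compare what the CMP persisted against the click that produced it, and compare what the tag manager actually fired against the consent the user had given at that moment. The script below is an added example, not LowerPlane's code or the telecom operator's CMP; the record layout and all log entries are constructed, and the second consent entry reproduces the failure mode from the CNIL case (user rejected, CMP stored "consented").

```python
"""Cross-check a consent management platform's records against the user's
actual clicks and against the tags that actually fired (Lesson 2).
Added example; the record layout and log entries below are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    recorded_at: datetime
    policy_version: str   # privacy-notice version the user was shown
    category: str         # e.g. "analytics", "advertising"
    ui_action: str        # what the user clicked: "accept" or "reject"
    stored_consent: bool  # what the CMP persisted as the consent state


@dataclass(frozen=True)
class TagFire:
    user_id: str
    fired_at: datetime
    category: str         # consent category the tag belongs to


def ts(s):
    return datetime.fromisoformat(s)


# Constructed CMP consent log. The second entry is the CNIL pattern:
# the user rejected advertising cookies, but the CMP stored consent as given.
CONSENT_LOG = [
    ConsentRecord("u1", ts("2026-01-10T09:00:00"), "v3", "analytics",   "accept", True),
    ConsentRecord("u1", ts("2026-01-10T09:00:00"), "v3", "advertising", "reject", True),
    ConsentRecord("u2", ts("2026-01-11T10:00:00"), "v3", "advertising", "reject", False),
    ConsentRecord("u2", ts("2026-01-15T08:30:00"), "v3", "advertising", "accept", True),
    ConsentRecord("u4", ts("2026-01-12T12:00:00"), "",   "analytics",   "accept", True),
]

# Constructed tag-manager fire log (what actually ran in the browser).
TAG_FIRES = [
    TagFire("u1", ts("2026-01-10T09:01:00"), "analytics"),    # consented
    TagFire("u1", ts("2026-01-10T09:02:00"), "advertising"),  # user rejected
    TagFire("u2", ts("2026-01-12T07:00:00"), "advertising"),  # rejected at this time
    TagFire("u2", ts("2026-01-16T07:00:00"), "advertising"),  # accepted on the 15th
    TagFire("u3", ts("2026-01-12T07:00:00"), "analytics"),    # no consent record at all
]


def find_recording_mismatches(records):
    """Records where the persisted state contradicts the click that produced it."""
    return [r for r in records if (r.ui_action == "accept") != r.stored_consent]


def find_unversioned(records):
    """Records that cannot prove which notice version the user consented to."""
    return [r for r in records if not r.policy_version]


def user_choice_at(records, user_id, category, when):
    """The user's most recent click for (user, category) at or before `when`:
    True = accepted, False = rejected, None = never asked."""
    applicable = [r for r in records
                  if r.user_id == user_id and r.category == category and r.recorded_at <= when]
    if not applicable:
        return None
    return max(applicable, key=lambda r: r.recorded_at).ui_action == "accept"


def find_unconsented_fires(records, fires):
    """Tags that fired without an affirmative user choice in force at that moment."""
    return [f for f in fires
            if user_choice_at(records, f.user_id, f.category, f.fired_at) is not True]


def audit_consent(records, fires):
    return {
        "recording_mismatches": find_recording_mismatches(records),
        "unversioned": find_unversioned(records),
        "unconsented_fires": find_unconsented_fires(records, fires),
    }


if __name__ == "__main__":
    for key, items in audit_consent(CONSENT_LOG, TAG_FIRES).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

The fire check deliberately uses the user's click rather than the CMP's stored value as ground truth: if the stored value were trusted, the CNIL-style recording bug would make the offending advertising tag look consented. A timestamp comparison with `<=` also matters, since a tag fired one second before the user's accept click is still an unconsented fire.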

Lesson 3: SCC Documentation Must Match Your Actual Data Architecture

The €118M Irish DPC fine against the HR SaaS company resulted from SCCs that described a narrow set of defined transfers while the actual data architecture routed data through a broader set of US subprocessors. The gap between documented and actual data flows is the most common pattern in cross-border transfer enforcement. Regulators are increasingly conducting technical investigations of data flows rather than relying solely on documentation.

Action: Conduct a technical data flow mapping exercise that identifies every endpoint where EU personal data lands, including all subprocessors and their infrastructure providers. Compare the result against your current SCC and DPA documentation. Close every gap before a regulator finds it for you.
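One way to make the documented-versus-actual comparison repeatable, covering both this action item and the transfer checklist earlier in the article: keep the SCC/DPF annex as structured data, resolve the destinations in your EU egress logs to their owning subprocessor, and diff the two. The script below is an added example, not LowerPlane's code; the annex entries, the hostname-to-vendor lookup, the list of EU countries and the log lines are all constructed, and the SCC cut-off date is the Commission's implementing decision of 4 June 2021.

```python
"""Reconcile documented third-country transfers (SCC/DPF annexes) against the
destinations EU systems actually talk to (Lesson 3 and the transfer checklist).
Added example; inventory, hostname lookup and egress log lines are constructed."""
import re
from datetime import date

# Commission implementing decision adopting the current SCCs: 4 June 2021.
SCC_2021 = date(2021, 6, 4)

# Constructed subset; a real run would use the full EU/EEA list.
EU_EEA = {"DE", "FR", "IE", "NL", "ES", "IT"}

# Documented transfers, one entry per subprocessor (constructed).
DOCUMENTED = {
    "analytics-vendor": {"country": "US", "mechanism": "SCC",
                         "scc_version": date(2021, 6, 4), "tia": "TIA-2025-01"},
    "crm-vendor":       {"country": "US", "mechanism": "SCC",
                         "scc_version": date(2010, 2, 5), "tia": None},
    "support-desk":     {"country": "US", "mechanism": "DPF", "dpf_certified": True},
}

# Constructed hostname -> (subprocessor, hosting country). In practice this
# comes from your CMDB, DNS data or the vendor's published endpoint list.
HOST_OWNERS = {
    "api.analytics-vendor.example": ("analytics-vendor", "US"),
    "sync.crm-vendor.example":      ("crm-vendor", "US"),
    "tickets.support-desk.example": ("support-desk", "US"),
    "telemetry.newtool.example":    ("newtool", "US"),
    "db.eu-central.example":        ("internal-db", "DE"),
}

# Constructed egress log lines from an EU-region application tier.
EGRESS_LOG = """\
2026-03-20T10:00:01Z src=eu-app-01 dst=api.analytics-vendor.example bytes=5120
2026-03-20T10:00:04Z src=eu-app-01 dst=db.eu-central.example bytes=900
2026-03-20T10:01:10Z src=eu-app-02 dst=sync.crm-vendor.example bytes=20480
2026-03-20T10:02:33Z src=eu-app-02 dst=telemetry.newtool.example bytes=2048
2026-03-20T10:03:00Z src=eu-app-01 dst=tickets.support-desk.example bytes=4096
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def observed_transfers(log_text, host_owners):
    """Return {subprocessor: country} for every third-country destination seen."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        # Unknown hosts are kept under their hostname so they surface as undocumented.
        owner, country = host_owners.get(m["dst"], (m["dst"], "UNKNOWN"))
        if country in EU_EEA:
            continue  # intra-EU traffic is not a Chapter V transfer
        seen[owner] = country
    return seen


def check_documentation(documented, scc_cutoff=SCC_2021):
    """Findings about the annex itself: stale SCCs, missing TIAs, lapsed DPF."""
    findings = []
    for name, entry in documented.items():
        if entry["mechanism"] == "SCC":
            if entry.get("scc_version") is None or entry["scc_version"] < scc_cutoff:
                findings.append(("pre-2021-scc", name))
            if not entry.get("tia"):
                findings.append(("missing-tia", name))
        elif entry["mechanism"] == "DPF":
            if not entry.get("dpf_certified"):
                findings.append(("dpf-not-certified", name))
        else:
            findings.append(("unknown-mechanism", name))
    return findings


def reconcile(documented, log_text, host_owners):
    """Annex findings plus the diff between documented and observed transfers."""
    findings = check_documentation(documented)
    observed = observed_transfers(log_text, host_owners)
    for owner in observed:
        if owner not in documented:
            findings.append(("undocumented-transfer", owner))
    for name in documented:
        if name not in observed:
            findings.append(("documented-but-unobserved", name))  # stale annex or dormant vendor
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in reconcile(DOCUMENTED, EGRESS_LOG, HOST_OWNERS):
        print(f"{kind:26} {subject}")
```

On the constructed data it flags the CRM vendor twice (2010-era clauses, no TIA) and the telemetry endpoint nobody put in an annex. The reverse finding, a documented vendor that never appears in egress, is worth keeping too: it usually means either a stale annex or a flow that leaves from a system you are not logging.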

Lesson 4: DPIAs Must Precede Deployment, Not Follow Incidents

The €89M Dutch AP fine against the hospital network included a finding that the mandatory DPIA had never been conducted for the patient data management system before deployment. The DPIA was completed retroactively after the breach — at which point it could document the risks but could no longer prevent the harm. Regulators specifically noted that a pre-deployment DPIA would likely have identified the access control gaps that enabled the breach.

Action: Integrate DPIA triggers into your product development and procurement processes. Any new system handling health data, biometric data, large-scale personal data, or behavioral profiling should require a DPIA sign-off before go-live authorization. Build this gate into your SDLC and procurement approval workflows.

Lesson 5: DSR Failure at Scale Becomes Systemic Violation

The €76M AEPD fine against the e-commerce platform was amplified because regulators found that 34 percent of documented DSR cases were handled outside the 30-day window. A single late response is an operational failure; 34 percent noncompliance is a structural program failure that regulators treat differently — triggering the higher penalty tier and potential remediation orders requiring process redesign under regulatory supervision.

Action: Measure your DSR response rate and average response time before regulators do. If you are missing the 30-day deadline for more than a trivial percentage of requests, the fix is operational infrastructure, not effort. Automated DSR management with deadline tracking and cross-system data discovery is no longer optional for consumer-facing organizations at scale.
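Measuring the response rate means computing the statutory deadline correctly first. The FAQ at the end of this article states it as one calendar month from receipt, extendable by two further months only if the data subject is notified within the first month; the script below implements that rule (including the month-end clamp for a request received on the 31st) and reports the late rate over a request register. It is an added example, not LowerPlane's DSR module; the register is constructed.

```python
"""Compute DSR deadlines as the statute counts them (one calendar month,
extendable by two further months if the subject is told within the first
month) and measure the late rate across a request register (Lesson 5).
Added example; the register below is constructed."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DSR:
    request_id: str
    received: date
    completed: Optional[date] = None
    extension_notified: Optional[date] = None  # date the subject was told of an extension


def add_months(d, months):
    """Same day-of-month `months` later, clamped to the last day of the target
    month: a request received on 31 January is due on 28 (or 29) February."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline(req):
    """Statutory deadline. The two-month extension only counts if the subject
    was notified within the initial one-month period."""
    initial = add_months(req.received, 1)
    if req.extension_notified is not None and req.extension_notified <= initial:
        return add_months(req.received, 3)
    return initial


def is_late(req, as_of):
    """Late if completed after the deadline, or still open past the deadline."""
    due = deadline(req)
    if req.completed is not None:
        return req.completed > due
    return as_of > due


def late_rate(register, as_of):
    """(fraction of late requests, list of the late requests)."""
    late = [r for r in register if is_late(r, as_of)]
    return len(late) / len(register), late


AS_OF = date(2026, 3, 25)  # reporting date (constructed)

# Constructed DSR register.
REGISTER = [
    DSR("dsr-1", date(2026, 1, 31), completed=date(2026, 2, 27)),   # due 28 Feb: on time
    DSR("dsr-2", date(2026, 1, 5),  completed=date(2026, 2, 10)),   # due 5 Feb: late
    DSR("dsr-3", date(2026, 1, 5),  completed=date(2026, 3, 20),
        extension_notified=date(2026, 1, 20)),                      # due 5 Apr: on time
    DSR("dsr-4", date(2026, 1, 5),  completed=date(2026, 3, 1),
        extension_notified=date(2026, 2, 10)),                      # notice too late: late
    DSR("dsr-5", date(2026, 3, 1)),                                 # due 1 Apr: still open
]


if __name__ == "__main__":
    rate, late = late_rate(REGISTER, AS_OF)
    for r in REGISTER:
        print(f"{r.request_id}: due {deadline(r)} late={is_late(r, AS_OF)}")
    print(f"late rate: {rate:.0%}")
```

Note how `dsr-4` is counted: the team notified an extension, but after the first month had already run out, so the extension does not count and the request is late. Treating such cases as on time is the kind of accounting error that makes an internally reported late rate diverge from what a regulator finds when it samples the register.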

Key Takeaways

  1. GDPR enforcement is accelerating — €1.2B in 2025 represents a 22% year-over-year increase. The question is no longer whether regulators will act but when and against which companies.
  2. Finance, healthcare, and telecom are now enforcement priorities alongside tech. No industry with EU personal data exposure is safe from scrutiny.
  3. Cross-border transfer compliance requires current SCCs (2021 versions), documented Transfer Impact Assessments, and technical supplementary measures — not just a signed DPA.
  4. Article 5's accountability principle means your documented compliance program is your primary defense. Regulators no longer accept good intentions without documented evidence.
  5. Operationalizing compliance — automated ROPA, DPIA workflows, DSR SLA tracking — is what separates companies that survive regulatory scrutiny from those that become case studies.
  6. Regulators are now using technical investigation methods to map actual data flows against documented SCCs and DPAs. The gap between what your documentation says and what your systems do is where the largest fines originate.
  7. 2026 enforcement priorities include AI and automated decision-making, children's data, vendor supply chain processing, and biometric data. US companies in these areas should treat DPIA and Article 22 compliance as immediate priorities, not future work.

Frequently Asked Questions

Does GDPR apply to my US company if we only have a few EU customers?
Yes. GDPR applies to any organization that offers goods or services to EU residents or monitors their behavior — regardless of where the organization is established. There is no minimum customer threshold. Even a single EU resident using your product triggers GDPR obligations. The practical risk scales with the volume and sensitivity of data you process, but the legal obligation exists from day one of EU market access.
What is the maximum GDPR fine a company can receive?
GDPR fines have two tiers. The lower tier (Article 83(4)) covers violations like inadequate record-keeping, DPIAs, and processor obligations — up to €10 million or 2% of global annual turnover, whichever is higher. The upper tier (Article 83(5)) covers violations of core principles, lawful basis, data subject rights, and international transfers — up to €20 million or 4% of global annual turnover. For a company with $1 billion in global revenue, the upper tier maximum would be $40 million.
Is the EU-US Data Privacy Framework still valid after recent legal challenges?
As of early 2026, the EU-US Data Privacy Framework (DPF) remains in effect following the European Commission's 2023 adequacy decision. However, legal challenges before the Court of Justice of the EU are progressing, and there is meaningful risk of another invalidation similar to Privacy Shield in 2020. Companies relying exclusively on DPF certification should maintain parallel SCC documentation as a contingency. A defense-in-depth approach using both DPF and SCCs with TIAs provides the strongest legal protection.
How long do we have to respond to a Data Subject Access Request?
You must respond to a Data Subject Access Request within one calendar month of receipt. In cases of complexity or high volume, this can be extended by a further two months — but you must notify the data subject of the extension and the reasons within the initial one-month period. The response must be provided free of charge unless the request is manifestly unfounded or excessive. Automated DSR management tools like LowerPlane track deadlines and generate compliant response documentation.
Do we need a Data Protection Officer if we are a US company?
A DPO is mandatory under Article 37 if your organization is a public authority, carries out large-scale systematic monitoring of individuals, or processes special categories of data (health, biometric, criminal) on a large scale. Many US companies — particularly in HR tech, healthcare, and adtech — will meet at least one of these thresholds. Even where not mandatory, appointing a DPO or a designated privacy lead is strongly advisable as it demonstrates accountability under Article 5(2) and provides a point of contact for DPA inquiries.
What is a Transfer Impact Assessment and when do we need one?
A Transfer Impact Assessment (TIA) is a documented analysis required whenever you transfer personal data to a third country using SCCs or binding corporate rules as the transfer mechanism. It evaluates whether the destination country's legal framework provides essentially equivalent protection to EU law. For transfers to the US, the TIA must assess US surveillance laws (including FISA 702 and EO 12333) and their potential impact on transferred data. Where equivalent protection cannot be confirmed, you must implement technical supplementary measures such as end-to-end encryption with EU-held keys.
How does GDPR interact with the EU AI Act for US companies using machine learning?
GDPR and the EU AI Act overlap significantly for machine learning systems that process personal data. Under GDPR, any AI system that makes or significantly influences automated decisions affecting EU residents may trigger Article 22, requiring human oversight mechanisms and transparency with individuals about the logic involved. The EU AI Act adds conformity assessment requirements for high-risk AI systems, including those used in employment, credit, healthcare, and essential services. Regulators in 2026 are expected to apply both frameworks in coordinated investigations, meaning that a GDPR DPIA for an AI system should now also address the AI Act's risk classification and documentation requirements. LowerPlane's DPIA templates are being updated to incorporate AI Act conformity checkpoints alongside GDPR assessment requirements.
What is the difference between GDPR and the UK GDPR after Brexit?
The UK GDPR is a retained version of the EU GDPR that applies in Great Britain following Brexit and is enforced by the Information Commissioner's Office (ICO) rather than EU supervisory authorities. The two regimes are substantively similar but diverge in several areas: the UK has set the digital age of consent at 13 rather than 16, the ICO has its own enforcement policies and fine calculation methodology, and the UK is developing its own adequacy decisions and data transfer mechanisms independently of the EU. US companies serving both EU and UK customers need compliance programs that address both regimes, particularly around data transfers — the EU-US Data Privacy Framework does not automatically cover UK-to-US transfers, which require separate UK data bridge certification.
