GDPR fines pushed past the £1 billion (€1.2 billion) mark in 2025 as Europe’s regulators were deluged with more than 400 data breach notifications a day, according to a new survey that suggests the post-plateau era of enforcement has well and truly arrived.
The figures come from the latest GDPR Fines and Data Breach Survey published by DLA Piper, which puts total fines issued across Europe last year at roughly £1 billion (€1.2 billion), up from £996 million in 2024. While that year-on-year increase is modest, regulators have now handed down €7.1 billion (£6.2 billion) in penalties since GDPR came into force in May 2018.
The fines may look familiar, but breach reporting does not. From 28 January 2025 to the present, Europe’s data protection authorities received an average of 443 personal data breach notifications a day. That’s up 22 percent on the year before, and marks the first time daily reports have pushed past 400 since the regulation came into force.
The firm avoids pointing to a single root cause. Rather than offering a neat explanation, the survey describes several things going wrong at once: geopolitics, repeated cyber incidents, and attack tooling that’s now easy to obtain, with regulatory overload sitting in the background. Organizations are now juggling GDPR alongside a widening set of incident reporting regimes under laws such as NIS2 and DORA, which have raised the baseline for what needs to be disclosed – and how quickly.
Ross McKean, chair of DLA Piper’s UK data, privacy, and cybersecurity practice, said that the numbers should be read as a warning, not just another set of stats. “Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary,” he said.
“Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organizations to optimize cyber defences and operational resilience.”
On the enforcement side, the familiar names remain at the