KYC vs AML: Key Differences Explained
Learn the key differences between KYC and AML, how they work together, and why both are essential for financial crime compliance.
GDPR fines have passed €7.1 billion. Learn why organisations still get fined in 2026, which violations matter most, and how to reduce compliance risk.
In 2026, GDPR enforcement no longer waits for a landmark case to make headlines. European data protection authorities now issue penalty decisions on a near-weekly basis, and most of the organisations receiving them assumed they were reasonably compliant right up until the fine arrived.
A GDPR fine is an administrative penalty imposed by a data protection authority under Article 83 of the regulation once it confirms a breach of one or more GDPR obligations.
It is what happens when a documented legal basis, a working consent flow, or an independent DPO exists on paper but not in daily practice. It is why the same underlying violation can cost a small business a few thousand euros and cost a multinational hundreds of millions, depending on turnover and severity. It is what regulators now treat as routine enforcement rather than exceptional punishment. It is why the organisations still getting fined in 2026 are rarely the ones that ignored GDPR outright, but the ones that implemented it incompletely.
Building that implementation properly starts with the people responsible for it, which is exactly what our DPO training to prevent fines programme is built around.
In this blog, you will learn how much GDPR enforcement has grown in 2026, which violations are generating the largest penalties, what recent French and EU decisions reveal about regulator priorities, and what organisations can do now to reduce their own exposure.
Cumulative GDPR penalties have now passed €7.1 billion since 2018, with about €1.2 billion issued in 2025 alone. Waiting until a breach or investigation to review compliance is no longer defensible. Structured DPO training can help compliance teams identify legal triggers, close documentation gaps, strengthen breach response, and understand regulator expectations before fines become a real risk.
The numbers behind 2026 enforcement describe a regulatory system that has moved well past its early, cautious years. According to the latest DLA Piper GDPR Fines and Data Breach Survey, cumulative GDPR penalties issued since May 2018 have surpassed €7.1 billion, with roughly €1.2 billion in fines issued during 2025 alone. DLA Piper also reports that European data protection authorities now receive an average of 443 breach notifications per day, a 22 percent year-on-year increase.
Ireland’s Data Protection Commission remains the largest single enforcer by value, largely because many major technology companies have their European headquarters in Ireland. France has also become one of Europe’s most significant GDPR enforcement markets, with CNIL decisions affecting technology, advertising, finance, healthcare, and public-sector organizations. For live fine tracking and country-level enforcement comparisons, the GDPR Enforcement Tracker provides a searchable database of GDPR penalties across Europe.
On 26 May 2026, the CNIL fined IQVIA Operations France €5 million for failing to implement adequate safeguards around its health data warehouses, a decision that underscores how closely France's regulator now scrutinises sensitive Article 9 data processing when health information is centralised at scale for research and commercial analytics. The case did not involve a dramatic breach of millions of records. It involved a healthcare analytics provider whose safeguards had not kept pace with the scale of the data it was managing, which is precisely the kind of gradual, structural failure that produces most enforcement action today.
The same pattern shows up in the Criteo case. The CNIL fined the adtech company €40 million in 2023 for failing to verify that partner sites had obtained valid consent before placing tracking cookies, and in March 2026 France's Conseil d'État rejected Criteo's appeal outright. Neither company set out to violate GDPR. Both were caught by a governance gap between what their processing actually required and what their internal controls actually delivered, which is the exact gap a properly resourced compliance programme is meant to close.
A handful of decisions account for a disproportionate share of the cumulative total, and the table below places the largest cases in context.
|
Organisation |
Fine |
Regulator / Year |
Grounds |
|
Meta Platforms Ireland |
€1.2 billion |
Irish DPC, 2023 |
Unlawful EU-US data transfers |
|
TikTok |
€530 million |
Irish DPC, 2025 |
Unlawful EU-China data transfers |
|
Amazon Europe Core |
€746 million |
Luxembourg CNPD, 2021 |
Ad targeting without valid consent; annulled on procedure in 2026, violations upheld |
|
|
€325 million |
CNIL, 2025 |
Cookie consent violations |
|
Shein |
€150 million |
CNIL, 2025 |
Cookie consent violations |
|
Criteo |
€40 million |
CNIL, 2023 |
Failure to verify partner-site consent; appeal rejected 2026 |
Nine of the ten largest GDPR fines on record have been imposed on technology and social media companies, which explains why enforcement still reads to many businesses as a Big Tech problem. The underlying violation categories, weak consent, unlawful transfers, and insufficient legal basis apply just as directly to a mid-sized French employer running a customer database as they do to a global platform.

Four violation categories account for roughly 94 percent of all GDPR fines issued to date. Unlawful processing under Article 6, covering insufficient legal basis and weak consent mechanisms, remains the single largest source of enforcement action at around 34 percent of the total. The remaining share splits across security failures, transparency and information obligations, and data subject rights violations.
Almost every major 2026 decision shares a common root cause: documentation that describes what should happen rather than what actually happens. A privacy notice that lists a legal basis nobody re-verified after the processing changed. A consent banner that was compliant when it launched but was never re-audited as new tracking tools were added. A DPO appointment that satisfies the letter of Article 37 without the independence the role legally requires. Regulators are no longer accepting the existence of a policy document as evidence of compliance, and the CNIL's IQVIA decision made that distinction explicit by focusing on the operational safeguards actually in place, not the safeguards described in internal documentation.
Become a Confident Data Protection Officer.
Develop the knowledge and practical skills required to perform the Data Protection Officer (DPO) role. Learn GDPR governance, privacy programme management, DPIAs, breach response, regulatory engagement, and data protection strategy through a flexible online course. Receive a recognized PDF certificate at no extra cost.
Start Your DPO Journey →A clear picture of what GDPR requires from organisations in practice, rather than in theory, is the single most effective way to close the documentation gap described above. That means a documented and current legal basis for every processing activity, a consent mechanism that can withstand a regulator testing it directly rather than reading about it, a data protection officer appointed with genuine independence where Article 37 requires one, and a breach response process that can meet the 72-hour notification deadline under Article 33 without scrambling to reconstruct what happened after the fact.
None of these requirements are new. What has changed in 2026 is the willingness of regulators to test them directly rather than accept a policy binder as proof, and the willingness of appellate courts to uphold the resulting fines once they are tested.
The EU AI Act adds a second regulatory layer for organisations using AI, but its obligations apply in phases. Many provisions become applicable in August 2026, while some high-risk AI requirements have later transition dates. The key point for GDPR teams is not that every AI Act obligation arrives at once, but that AI governance, personal data use, transparency, and automated decision-making are now converging into one compliance risk area.
It is worth understanding how little of the headline enforcement total has actually been collected, since it changes how organisations should think about risk. Ireland’s Data Protection Commission states on its official fines page that more than €4 billion in fines have been levied through its inquiries, but only about €20 million has been collected so far. The DPC also explains that fines generally do not become payable until confirmed by a court, which helps explain why major penalties can remain suspended, appealed, or tied up in litigation for years.
Meta’s €1.2 billion fine remains one of the clearest examples of how headline exposure and payment timing can diverge. The DPC’s Meta decision on EU-US data transfers announced the €1.2 billion administrative fine alongside corrective measures, but large cross-border GDPR cases often continue through appeals long after the public announcement. Amazon’s €746 million case shows the same point from another angle. In March 2026, Reuters reported that a Luxembourg court overturned the fine and required the CNPD to reassess the case after finding that the authority had not adequately assessed intent, negligence, and sanction proportionality. The CNPD later stated that its enforcement action had still secured changes to Amazon’s data-processing practices.
None of this should read as reassurance. A fine under appeal still requires legal resources, board attention, and public disclosure long before any payment is due. A procedural annulment also does not always mean the underlying risk has disappeared; it may mean the case returns for reassessment with the process corrected. Treating an appeal as the end of the story, rather than the start of a longer and more expensive one, is itself a common and costly misjudgment.
Start by re-verifying the legal basis behind every processing activity your organisation runs today, rather than relying on an assessment completed when the activity first launched. Test your consent mechanisms the way a regulator would, by walking through the actual user flow rather than reading the policy that describes it. Confirm that any DPO appointment includes the independence and reporting line Article 37 requires in substance, not only in the appointment letter. Rehearse your breach notification process against the 72-hour deadline before an actual incident forces you to do it under pressure. And revisit your AI-related processing now, ahead of the EU AI Act's August 2026 enforcement date, rather than treating it as a separate project for later in the year.
The organisations still absorbing GDPR fines in 2026 are, almost without exception, the ones that built compliance once and stopped checking it. Enforcement has matured, regulators are testing operational reality rather than paperwork, and the appeals process has proven far slower and less forgiving than most businesses assumed.
If your organization has not reassessed its data protection governance against current enforcement patterns, do not wait for a CNIL audit or breach investigation to reveal the gap. Start with a structured Data Protection Officer DPO Training to understand when a DPO appointment becomes mandatory in France, how independence should be structured, and what responsibilities the role must carry before enforcement pressure turns a governance weakness into a regulatory problem.