Key Takeaways:
- The number of organizations notifying their GDPR regulator of a data breach surged by 22% to a daily average of 443 in 2025.
- Geopolitical unrest and AI-enabled threats may be behind the increase in breaches of personally identifiable information (PII).
- Germany, the Netherlands, and Poland retained their leading positions for the highest number of data breaches notified in 2025.
- The total sum of GDPR fines issued over the past 12 months held steady at €1.2bn ($1.4bn).
- The Irish Data Protection Commission accounts for the majority of the total sum of GDPR fines, with €4bn in penalties.
Introduction to GDPR Breach Notifications
The number of organizations notifying their GDPR regulator of a data breach has seen a significant increase, with a 22% surge to a daily average of 443 in 2025, according to a report by DLA Piper. This increase bucks a long-term trend that had seen average daily notifications plateauing, and it’s the first time since 2018 that the figure has exceeded 400. The report, which has been analyzing GDPR regulatory activity every year since the data protection regulation came into being in 2018, highlights the growing concern of data breaches and the importance of organizations taking measures to protect personally identifiable information (PII).
Causes of the Increase in Breaches
The increase in breaches can be attributed to various factors, including geopolitical unrest and AI-enabled threats. According to Ross McKean, partner and chair of DLA Piper’s UK data protection and cybersecurity practice, cyber-threat volumes have reached unprecedented levels. The law firm suggests that the rise in breaches may be linked to the increasing use of AI-enabled threats, which can be more sophisticated and difficult to detect. Additionally, geopolitical unrest may also be contributing to the increase in breaches, as organizations may be more vulnerable to cyber-attacks during times of uncertainty.
Country-Specific Breach Notifications
Germany, the Netherlands, and Poland retained their leading positions for the highest number of data breaches notified in 2025. These countries have consistently been among the top countries for breach notifications, and the latest figures suggest that they continue to be vulnerable to data breaches. The report highlights the importance of organizations in these countries taking measures to protect PII and ensure compliance with GDPR regulations.
GDPR Fines
Despite the uptick in breach volumes, the total sum of GDPR fines issued over the past 12 months held steady compared to previous years. Some €1.2bn ($1.4bn) in penalty notices was issued across Europe, bringing the total since May 2018 to €7.1bn ($8.4bn). The Irish Data Protection Commission accounts for the majority of this sum, with €4bn in penalties. The commission also imposed the highest fine in 2025, a €530m penalty levied against TikTok for transferring user data to China, breaching the GDPR’s international data transfer restrictions.
Controversy Surrounding GDPR Fines
There has been controversy over the Irish Data Protection Commission’s handling of some cases, with critics claiming that it has become a bottleneck as the "lead authority" in many cases. Some have also suggested that it has been too soft on organizations that infringe the GDPR, setting fines too low and favoring "amicable resolution," which allows lawyers to argue their way out of punishment for violations. These dissenting voices have grown stronger after the regulator appointed a former Meta lobbyist as one of its commissioners in September 2025. The controversy highlights the need for greater transparency and consistency in the application of GDPR fines.
Conclusion and Recommendations
The report highlights the importance of organizations taking measures to protect PII and ensure compliance with GDPR regulations. With the increasing threat of cyber-attacks and data breaches, organizations must optimize their cyber defenses and operational resilience. The report also underscores the need for regulators to be more transparent and consistent in their application of GDPR fines. As McKean noted, "Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary. Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organizations to optimize cyber defenses and operational resilience."
