VinciWorks has published research showing that AI and automated decision-making have become the main GDPR concern for compliance and data protection professionals. The survey also found widespread uncertainty over whether organisations' risk assessments are up to date.
Based on responses from 198 professionals, the research suggests concern over newer forms of data use is rising even as many organisations struggle with more basic compliance controls. More than half of respondents could not confirm that their GDPR risk position reflects how their organisation currently operates.
Nearly one in three respondents, or 31%, said they did not know when their organisation last reviewed its main GDPR risk assessments. Another 18% said those assessments had not been reviewed for more than a year, while 5% said reviews take place only when required.
That gap sits alongside relatively strong self-reported confidence. A majority of respondents, 54%, said they were fairly confident in their organisation's GDPR compliance programme, while 16% said they were very confident. A further 24.2% said they were somewhat confident.
AI focus
When asked which GDPR issue feels most challenging now, 42.9% selected AI and automated decision-making. Supplier and processor management came next at 21.8%, followed by staff awareness and training at 19.4%.
Other long-running compliance concerns ranked lower. International transfers were cited by 8.2% of respondents, while data subject rights requests were named by 7.6%.
"AI has progressed from being a faraway, future concern to the central data and cyber compliance challenge right now. The problem is that many are applying GDPR thinking that was designed for static systems to technology that changes continuously. A DPIA written when a tool was first procured might not reflect what that tool is doing six months later, and regulators are increasingly focused on exactly that kind of governance lag," said Nick Henderson-Mayo, head of compliance at VinciWorks.
European regulators have already acted in cases involving automated decisions and AI tools. In one case, the Hamburg Commissioner for Data Protection fined a financial services provider €492,000 for rejecting credit card applications using algorithms alone, without human oversight or adequate explanation, in breach of Article 22 of GDPR.
In another, the Italian data protection authority imposed a €5 million fine on Luka, the company behind the AI chatbot Replika, over a range of GDPR failings, including inadequate age-verification mechanisms. Those cases indicate that scrutiny of AI-related processing is extending beyond the largest technology groups.
Training gaps
The findings also point to weaknesses in staff training. Only 22.3% of respondents said their data protection training is very effective, while 51.6% described it as acceptable but in need of improvement.
Another 11.2% said their training is not very effective, and 9% said their organisation has no data protection training at all. A further 5.9% said they were not sure.
That matters as regulators continue to impose larger penalties following cyber and data protection failures. Analysis published by Slaughter and May found that the average Information Commissioner's Office fine rose from about £380,000 in 2024 to just under £3 million in 2025, with all major penalties linked to cyber-attacks.
The same analysis found that the National Cyber Security Centre recorded a 50% increase in highly significant cyber incidents in 2025 compared with the previous year. Separately, DLA Piper's 2026 GDPR Fines and Data Breach Survey found that European data protection authorities received an average of 443 breach notifications a day in 2025, up 22% on the previous year.
Cumulative GDPR fines across Europe since 2018 now exceed €7.1 billion, according to the survey, with more than 60% of the total imposed since January 2023. Those figures provide a backdrop to the finding that many organisations remain unsure when core compliance documents were last tested.
For companies deploying AI systems, the issue is not limited to headline-grabbing generative tools. Automated decision-making in credit, recruitment, customer screening and other operational systems can trigger obligations under GDPR, particularly where decisions are made without meaningful human involvement.
Risk assessments and data protection impact assessments are meant to help organisations identify how personal data is used, where harms may arise and whether safeguards still match the technology in place. If those documents are out of date, internal confidence in compliance may not match actual exposure.
"Nine per cent of organisations having no data protection training eight years after GDPR came into force is a serious exposure. But the quality of training matters too. Regulators investigating a breach will go straight to training records: who was trained, when, and whether what they were taught was relevant to the decisions they were making. Tick-box training that was last updated in 2019 could be evidence of a problem," said Henderson-Mayo.