The number of organizations notifying their GDPR regulator of a data breach surged by 22% to a daily average of 443 in 2025, according to DLA Piper.
The global law firm has been analyzing GDPR regulatory activity every year since the data protection regulation came into being in 2018.
The past 12 months bucked a long-term trend that has seen average daily notifications plateauing and it’s the first time since 2018 that the figure has exceeded 400, DLA Piper noted.
Germany, the Netherlands and Poland retained their leading positions for the highest number of data breaches notified in 2025.
Geopolitical unrest and AI-enabled threats may be behind the increase in breaches of personally identifiable information (PII), which is regulated by the GDPR, the law firm suggested.
Ross McKean, partner and chair of DLA Piper’s UK data protection and cybersecurity practice, claimed that cyber-threat volumes have reached unprecedented levels.
“The [breach] statistic resonates with DLA Piper’s cybersecurity team’s experience following one of our busiest years helping our clients to navigate cyber-attacks and data breaches,” he continued.
“Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary. Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organizations to optimize cyber defenses and operational resilience.”
GDPR Fines Hold Steady
Despite the uptick in breach volumes, the total sum of GDPR fines issued over the past 12 months held steady compared to previous years.
Some €1.2bn ($1.4bn) in penalty notices was issued across Europe, bringing the total since May 2018 to €7.1bn ($8.4bn). Unsurprisingly, considering most foreign tech giants have their European operations headquartered in low-tax Ireland, the Irish Data Protection Commission accounts for the majority of this sum (€4bn).
Read more on breach notifications: GDPR Fines Total €1.2bn in 2024
The Dublin-based regulator also imposed the highest fine in 2025: a €530m penalty levied against TikTok for transferring user data to China, breaching the GDPR’s international data transfer restrictions.
“The fact that combined GDPR fines held steady at €1.2bn shows regulators remain highly active, particularly in areas such as information security, international data transfers, transparency and the complex interplay between AI innovation and data protection laws,” noted McKean.
However, there has been controversy over the Irish Data Protection Commission’s handling of some cases. Critics claim that as the “lead authority” in many cases, it has become something of a bottleneck.
Some have also suggested that it has been too soft on organizations that infringe the GDPR, setting fines too low and favoring “amicable resolution,” which allows lawyers to argue their way out of punishment for violations.
These dissenting voices have grown stronger after the regulator appointed a former Meta lobbyist as one of its commissioners in September 2025.
