Last updated: 2026-06-18
Knowing the GDPR exists is not the same as knowing what actually gets enforced. This tracker answers the more useful question for a B2B team: who got fined, for what, and what those patterns mean for how you handle prospecting data. It pulls the 2026 enforcement picture into one place: the totals, the biggest cases, the sectors under scrutiny, and the recurring triggers. It then turns that picture into a read on where your own exposure really sits.
The thesis is that enforcement is not random; it clusters around a handful of failures, most of which trace back to how data is sourced, documented, kept accurate, and deleted on request. The organizations that get into trouble are rarely the ones that prospect; they are the ones that cannot account for the data they prospect on. Reading the enforcement record is the cheapest way to learn what to fix before it becomes your case.
The 2026 enforcement totals
The headline numbers come from the DLA Piper GDPR Fines and Data Breach Survey published in January 2026. Cumulative fines since the regulation took effect in May 2018 have reached 7.1 billion euros, with roughly 1.2 billion issued in 2025 alone, broadly matching the prior year rather than slowing. Breach notifications are climbing too: the same analysis reported personal-data breaches in Europe running at around 443 per day, a 22 percent jump year over year.
The trend matters more than the total. The majority of cumulative fines have landed in the most recent years, and the annual figure has settled at the billion-plus level, which means enforcement is now a steady operating cost of the regulatory environment, not a rare event. For a B2B team, the practical reading is that the probability and cost of a data-handling failure have both risen, and the era of GDPR as a paper exercise is firmly over.
These totals are worth keeping in front of a leadership team precisely because they convert an abstract obligation into a quantified, rising risk. A board understands a billion-plus in annual fines and 443 breaches a day in a way it does not understand a clause number. That framing is what justifies investing in the data discipline that actually reduces exposure, detailed in the GDPR sanctions guide.
It also helps to separate the fine from the full cost of an enforcement event. The headline penalty is only part of it: an investigation consumes legal and executive time, often forces a freeze or overhaul of data operations, and carries a reputational cost with the exact buyers a B2B company is trying to win. For a seller, a publicized data-handling failure undermines trust at the worst possible moment, which is why the true cost of landing on this tracker is a multiple of the fine itself.
Breach notifications deserve their own emphasis because they are the leading edge of enforcement. A breach is often what first brings a regulator to look at an organization, and once they look, weak legal basis or poor records turn a security incident into a compliance case. At 443 notifications a day, the volume means breaches are no longer rare exceptions but a routine trigger, and a B2B data operation that cannot survive that closer look is exposed the moment anything goes wrong.
Where the biggest fines land
Enforcement is concentrated, not evenly spread. Ireland leads the cumulative table by a wide margin, with aggregate fines from its supervisory authority reaching roughly 4 billion euros, a reflection of where large multinationals base their European operations rather than where the rules are toughest. France and other active authorities follow. The single largest penalties have gone to big platforms, but the volume of smaller fines is spread across the whole economy.
The country leaderboard is easy to misread. A jurisdiction dominating the total reflects corporate domicile, not local strictness, and enforcement is pan-European and converging: a data practice that fails an audit in one member state is unlikely to pass in another. The safe planning assumption for any team operating across the EU is therefore the strictest reasonable interpretation, applied everywhere, rather than betting on a lenient local regulator.
For a mid-market or smaller B2B company, the lesson is not the headline mega-fines, which involve consumer platforms at a scale few will reach, but the long tail of ordinary penalties for ordinary failures: poor consent records, unanswerable data-subject requests, unaccountable data sourcing. Those are the cases that look like yours, and they are the ones this tracker is built to help you avoid. The cold-outreach specifics sit in the GDPR cold emailing guide.
The concentration of mega-fines on consumer platforms can lull B2B teams into a false sense of safety, so it is worth stating the asymmetry plainly. A platform can absorb a large fine as a cost of doing business; a mid-market company often cannot absorb even a mid-sized one, nor the operational disruption that comes with it. Proportionally, ordinary companies have more to lose from an ordinary fine, which makes the cheap preventive discipline a far better trade for them than for the giants.
Which sectors are under scrutiny
The enforcement focus is broadening beyond the obvious targets. DLA Piper's analysis notes financial services and energy companies coming under increasing scrutiny for GDPR violations, alongside the technology and media platforms that dominated early enforcement. The pattern is that any data-intensive sector, anywhere personal data is central to operations, is now in scope, which for B2B means sales and marketing data handling is squarely on the map.
This broadening matters because it removes the comfort of "we are not a big tech platform, so we are not a target." Regulators have shown they will pursue ordinary companies in ordinary sectors for ordinary data failures, and the spread of breach notifications across the economy confirms it. A B2B seller holding contact and account data on thousands of individuals is handling exactly the kind of personal data that draws scrutiny when it is mishandled.
The practical implication is to treat your prospecting data operation as a regulated activity, not a back-office afterthought. The sector trend says the question is not whether your industry is watched but whether your data handling would survive a look, which depends on provenance, accuracy, and your ability to honor rights. The legal-basis foundation for that is in the GDPR and B2B data enrichment guide.
The recurring triggers
Strip the cases down and the triggers repeat. The common threads behind data-handling penalties are: an inadequate or undocumented legal basis for processing; insufficient security leading to a breach; failures to honor data-subject rights, especially access and erasure, within the deadline; and an inability to demonstrate accountability, the records and provenance that prove you handled data correctly. Most of these are not exotic legal traps; they are operational data failures.
Notice how many of these trace to data quality and documentation rather than to legal text. You cannot defend a legal basis for a record whose source you cannot state; you cannot answer an erasure request if you cannot find every copy of a person's data; you cannot demonstrate accountability with a database you do not understand. The enforcement record keeps punishing the same underlying weakness: organizations that prospect on data they cannot account for.
This reframes compliance work away from policy documents and toward data operations. The teams least exposed are not those with the longest privacy policy but those who can state where each prospect record came from, when it was last verified, and how they would delete it on request. The data-subject-rights mechanics behind this are in the data subject rights guide.
One more pattern worth noting: enforcement increasingly rewards being able to demonstrate good faith. Regulators distinguish between an organization that cannot account for its data at all and one that can show documented sourcing, a reasonable legal basis, and a working process for rights requests, even if something went wrong. Accountability is not just a legal box; it is the difference between a manageable finding and a headline penalty, and it rests entirely on the quality of your data records.
It is striking how few of the triggers are about the act of prospecting itself. Sending a compliant message to a properly sourced, lawful-basis contact is rarely what draws a fine; mishandling the data behind it is. That distinction is liberating: a B2B team does not have to choose between growth and compliance; it has to choose accountable data over unaccountable data, which improves both at once.
What it means for your prospecting data
Put the patterns together and the defensive posture is clear: prospect on data you can account for. That means a documentable source for every record, fields fresh enough to be accurate, a legal basis you can produce, and the ability to find, update, and delete a person's data on request. None of that is about prospecting less; it is about prospecting on a foundation that would survive scrutiny, which is also the foundation that performs better commercially.
This is where Derrick fits, and the boundary matters: Derrick does not make you GDPR-compliant. Compliance is your organization's responsibility and depends on your processes, legal basis, and governance. What Derrick does is strengthen the data foundation those processes rely on, by finding and verifying contact data and refreshing company and profile information on demand inside Google Sheets, so the records you prospect on are current, sourced, and re-verifiable rather than aged and opaque. Fresh, traceable data makes a legal basis easier to defend and a rights request easier to answer, but the accountability stays with you.
Keep your prospecting data fresh, sourced, and re-verifiable with Derrick, free for 100 credits per month, directly in Google Sheets. Use the enforcement patterns above to audit your own posture, then close the data gaps that turn ordinary companies into enforcement cases. The full compliance framework is in the GDPR and B2B prospecting report.
A simple self-audit turns this tracker into action. For a sample of your prospect records, can you state the source? Do you know when each field was last verified? Could you produce a legal basis if asked, and find and delete every copy of a person's data within the deadline? Each no maps directly to one of the recurring triggers above, and closing those gaps is cheaper than any single fine in this report. Run the audit before a regulator or a data subject runs it for you.
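As an added example that is not part of this tracker or of Derrick's own code, here is a Python sketch of that self-audit run over a constructed set of prospect records: it flags each record against the recurring triggers above (undocumented source, missing legal basis, stale verification) and simulates an erasure request that must remove every copy of a person's data. The field names, the sample values and the 180-day freshness threshold are assumptions for illustration, not figures from the page.

```python
"""Self-audit of prospect records against the recurring GDPR enforcement triggers.
Added example; field names and the freshness threshold are assumptions."""
from datetime import date

# Constructed sample: prospect records as a CRM or sheet might hold them.
# Record 4 is a second copy of the same person as record 1 (different source).
RECORDS = [
    {"id": 1, "email": "a@example.com", "source": "event-list-2026-03",
     "legal_basis": "legitimate interest", "last_verified": "2026-05-01"},
    {"id": 2, "email": "b@example.com", "source": "",
     "legal_basis": "legitimate interest", "last_verified": "2026-05-20"},
    {"id": 3, "email": "c@example.com", "source": "website-form",
     "legal_basis": "", "last_verified": "2025-01-10"},
    {"id": 4, "email": "A@example.com", "source": "purchased-list",
     "legal_basis": "consent", "last_verified": "2026-06-01"},
]
MAX_AGE_DAYS = 180  # assumed freshness threshold, not a legal figure


def audit(records, today_iso, max_age_days=MAX_AGE_DAYS):
    """Return {record_id: [trigger names]} for every record that fails a check.
    Each check maps to one of the recurring triggers: provenance, legal basis,
    accuracy. A clean record produces no entry."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for r in records:
        issues = []
        if not r.get("source"):
            issues.append("no documented source")
        if not r.get("legal_basis"):
            issues.append("no legal basis")
        verified = r.get("last_verified")
        if not verified or (today - date.fromisoformat(verified)).days > max_age_days:
            issues.append("stale or unverified")
        if issues:
            findings[r["id"]] = issues
    return findings


def erase(records, email):
    """Simulate an erasure request: drop every copy of the person's data,
    matching case-insensitively so duplicates across sources are all removed.
    Returns (remaining_records, number_deleted)."""
    target = email.strip().lower()
    remaining = [r for r in records if r["email"].strip().lower() != target]
    return remaining, len(records) - len(remaining)
```

A real audit would read the sheet or CRM export instead of the embedded sample; the point is that each "no" in the checklist becomes a concrete, countable finding.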
Methodology and sources
This tracker aggregates primary, citable sources: the DLA Piper GDPR Fines and Data Breach Survey (January 2026) for cumulative and annual fine totals, the country leaderboard, breach-notification rates, and the sector-scrutiny trend; and the CNIL and the European Data Protection Board for enforcement priorities and the coordinated focus on data-subject rights. Where a figure could only be traced to a data or enrichment vendor's marketing, we did not cite it; every figure here is cited to a primary supervisory or survey source. Nothing here is legal advice; treat the patterns as a prompt to assess your own posture, and consult qualified counsel for your specific situation.
A closing thought. Enforcement data is, in effect, a free list of the mistakes that cost other companies millions, and almost all of them reduce to the same thing: handling personal data you cannot account for. The cheapest compliance investment is to learn from the record rather than join it, and the practical core of that is unglamorous data discipline, knowing your sources, keeping data fresh, and being able to honor a request. Get that right and the rising enforcement numbers in this tracker describe a risk other companies are carrying, not you. The record is published; the only question is whether you read it as a warning now or discover it as a defendant later, and the difference is entirely in the data discipline you put in place today.