GDPR in 2026: Why data protection is a strategic asset — not just a compliance exercise
Most organisations we work with have done their GDPR work. The problem is they did it in 2018.
Records of processing activities were drawn up, privacy notices published on the website, and someone in IT was tasked with "keeping an eye on GDPR." Since then, the business has changed — new systems introduced, suppliers replaced, AI tools adopted — but the data protection documentation sits untouched, a time capsule from another decade.
It is a situation we encounter regularly, whether the client is a Nordic family business or a multi-jurisdictional group operating across several countries. And it creates risks that extend well beyond regulatory fines.
In 2025, European supervisory authorities issued approximately €1.2 billion in GDPR fines — broadly matching the previous year's total and reversing a brief downward trend. More strikingly, notified personal data breaches rose by 22 per cent year on year, averaging over 400 breach notifications per day for the first time since the GDPR took effect in 2018.¹
GDPR compliance decides deals
We see it most clearly in transaction work. When we conduct due diligence on acquisition targets, data protection practice has become a standard item in the review — on a par with tax exposure and employment law liabilities. An organisation with a current record of processing activities, up-to-date data processing agreements (DPAs), and a documented accountability structure signals operational maturity. It reduces the risk premium and accelerates closing. Conversely, we have seen transactions where deficient data protection became a price-reducing factor — or worse, an obstacle that delayed completion by months. These are not hypothetical scenarios. They are concrete business consequences we have dealt with in client engagements over the past twelve months.
The same dynamic applies in public procurement. Contracting authorities and larger enterprises now set explicit data protection requirements as qualification criteria. The organisation that already has its documentation in order gains time and credibility. The one that has to start from scratch loses both. The Ministry of Finance has published dedicated guidance on data protection in public procurement, clarifying that contracting authorities must impose requirements regarding data processing agreements, records of processing activities, and data protection impact assessments as early as the tendering stage.²
Shadow AI: the blind spot in your GDPR compliance
Employees' use of AI tools without organisational approval or oversight — so-called "shadow AI" — is already a prominent data protection concern. Gartner predicts that by 2030, more than 40 per cent of enterprises will experience security or compliance incidents linked to unauthorised shadow AI.³ And the scale of unsanctioned use is staggering: research indicates that up to 71 per cent of employees now use personal AI tools at work without IT approval.⁴
From a GDPR perspective, every such tool that processes personal data without a documented legal basis, without a data processing agreement, and without a data protection impact assessment (DPIA) under Article 35 constitutes a compliance exposure. The risk is compounded by the fact that only 17 per cent of companies have technical controls capable of preventing employees from uploading confidential data to public AI platforms.
What to do about it: Conduct an inventory of AI tools in use across the organisation, establish a clear AI acceptable use policy, and carry out DPIAs for any tool that processes personal data. These are straightforward steps that dramatically reduce exposure.
Three recurring GDPR gaps we see in practice
After eight years of GDPR enforcement, three deficiencies recur with predictable regularity.
Documentation that no longer reflects reality. The record of processing activities required under Article 30 describes how the business operated at a given point in time. Since then, the organisation has adopted new CRM systems, changed cloud providers, and started using AI tools that process personal data in ways never documented. The gap between documentation and reality widens with every year it goes unaddressed.
Missing or non-compliant data processing agreements. It is surprisingly common for organisations to use external service providers — for payroll, digital marketing, IT operations — without agreements that satisfy Article 28. It is an exposure that is simple to remediate but costly if discovered at the wrong moment.
Nobody owns the issue. Data protection does not necessarily require a formal Data Protection Officer in every organisation, but it does require someone with the mandate, time, and competence to drive the work forward. When accountability is unclear, the issue falls between the cracks — and resurfaces only when it has already become a problem.
What leadership teams should do now: a practical GDPR checklist for 2026
Data protection work does not need to be a monumental project. A structured approach can close the most critical gaps within weeks, not months.
Start with a gap analysis. Map the personal data you actually process today, the legal basis for each processing activity, and the technical and organisational safeguards in place. The result gives you a clear picture of where the vulnerabilities lie.
Update what needs updating. Your record of processing activities, privacy notices, and data processing agreements should reflect your current operations — not the business you ran five years ago.
Anchor accountability at board level. Data protection is a strategic risk management issue, not an IT issue. It belongs on the leadership team's agenda, with clear ownership and reporting lines.
Review your AI exposure. Inventory the AI tools your organisation uses — sanctioned and unsanctioned — and ensure each one that processes personal data has a documented legal basis, a DPA, and, where required, a completed DPIA.
EDPB enforcement focus 2026: transparency under the spotlight
The European Data Protection Board's coordinated enforcement action for 2026 focuses on transparency and information obligations under Articles 12, 13, and 14 of the GDPR.⁵ This means that data protection authorities across Europe will specifically examine how organisations inform data subjects about the processing of their data — including privacy notices, consent mechanisms, and internal procedures.
This is not a routine exercise. Previous coordinated actions — on Data Protection Officers (2023), the right of access (2024), and the right to erasure (2025) — have led to targeted investigations and follow-up enforcement at both national and EU level. Given that transparency sits at the foundation of all data subject rights, the 2026 action may well produce the most far-reaching scrutiny yet.
Five questions for the leadership team — where do you stand?
- Does your record of processing activities (Article 30) reflect the systems and service providers you actually use today?
- Do you have data processing agreements with all external providers that process personal data — including AI tools?
- Does someone in your organisation have explicit responsibility and dedicated time for data protection?
- Have you completed a DPIA for your AI tools that process personal data?
- Could you produce current documentation within 48 hours if required for a procurement process or due diligence review?
If the answer to any of these questions is "no" or "I'm not sure," you have identified your starting point.
At DKCO, we help organisations move from outdated documentation to a data protection framework that actually works — and that creates value in transactions, public procurement, and investor relations. Get in touch for an initial conversation or GDPR advisory.
Sources:
- Personal data breaches in Europe reach 443 per day in dramatic 22% jump, DLA Piper analysis reveals | DLA Piper
- Upphandling i Finland: Dataskyddsanvisning (Procurement in Finland: Data Protection Guidance) | Ministry of Finance
- Shadow AI Security Breaches will hit 40% of all Companies by 2030, Warns Gartner | Fortra
- Rise in ‘Shadow AI’ tools raising security concerns for UK
- Coordinated Enforcement Framework: EDPB selects topic for 2026 | European Data Protection Board