GDPR and AI: What Every Business Must Know Before a Fine Arrives
About This Law Official Name: Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) Adopted: April 27, 2016 Entered into Force: May 25, 2018 (all 27 EU member states simultaneously) UK Equivalent: UK GDPR retained under Data Protection Act 2018. Near-identical obligations, enforced by ICO. UK fines: GBP 17.5M or 4% global turnover. Jurisdiction: All 27 EU member states directly. Extraterritorial: applies globally to any organisation processing personal data of individuals located in the EU. Cumulative Fines (June 2026): EUR 7.1 billion across 2,800+ documented decisions. Q1 2026: EUR 68.18M in 3 months. France now second-largest enforcer after Ireland. Key AI-Specific Rule: Article 22: Right not to be subject to solely automated decisions with legal or similarly significant effects. DPIAs mandatory for high-risk AI processing. EDPB 2026 AI Ruling: AI models trained on personal data cannot in all cases be considered anonymous. The burden of proof is on the controller to demonstrate anonymisation. Maximum Penalties: EUR 20M or 4% global annual turnover (serious violations); EUR 10M or 2% (technical violations). Whichever is higher. Enforcement Body: 27 national DPAs. EDPB coordinates cross-border enforcement. Introduction GDPR cumulative fines crossed EUR 7.1 billion in early 2026, with more than 60% of that total imposed since January 2023 alone. The first quarter of 2026 alone produced EUR 68.18 million in fines, a pace of roughly EUR 757,600 per day. France’s CNIL imposed a EUR 42 million combined fine on Free Mobile and Free SAS in January 2026 for a data breach affecting 24 million subscriber records. The regulatory machine is not slowing down. It is accelerating. The GDPR was not written with AI in mind, but it governs every AI system that processes personal data of EU residents. Your AI hiring tool, your AI credit scorer, your AI customer service bot: every single one is subject to GDPR with fines reaching EUR 20 million or 4% of global turnover. And in a landmark statement, the European Data Protection Board (EDPB) has ruled that AI models trained on personal data cannot, in all cases, be considered anonymous. That single line resets the compliance burden for every organisation whose AI has ever touched EU personal data. Keep reading to learn the six GDPR obligations every AI deployer must meet, and the steps to address the EDPB anonymisation ruling before it becomes the basis of an enforcement action against your business. What Is GDPR and Why Does It Cover AI? GDPR is a directly applicable EU regulation that became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive. Its jurisdiction is anchored to where the data subject is located, not where the company is based: if your AI processes personal data of a person located in the EU, GDPR applies to you regardless of where your company is headquartered. The GDPR creates a compliance thread through the entire AI lifecycle. Training data, validation data, model weights derived from personal data, and inference-time decisions about identifiable individuals are all in scope. The EDPB has made this explicit: if personal data contributed to training an AI model, that model is subject to GDPR obligations, even when you believe the personal data has been removed from the final model. France’s CNIL, Germany’s BfDI, and Ireland’s DPC are the most active AI enforcement authorities in 2026. CNIL became the second-largest enforcer globally in 2025, behind only Ireland’s DPC. The EDPB Anonymisation Ruling: A Game-Changer for AI Training The most significant GDPR development of 2026 for AI businesses is the EDPB’s ruling on AI model anonymisation. The EDPB has stated that AI models trained on personal data cannot, in all cases, be considered anonymous. Many organisations trained AI models on personal data, removed the raw data from production systems, and treated the trained model as outside GDPR scope. The EDPB’s position challenges this. The model itself, through inference attacks or memorisation, may retain information that allows re-identification. The burden is now on the data controller to demonstrate that anonymisation is effective. The practical implication: if you cannot demonstrate with confidence that your AI model does not retain personally identifiable information, GDPR applies to the model itself, not just the training data. Build anonymisation assessments into your DPIA process and document them before deployment. Article 22: The Rule That Changes Everything About Automated Decisions Article 22 of GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Three key obligations follow from Article 22. First, if you make a solely automated decision with significant effects on an individual, you must have a valid legal basis: explicit consent, contractual necessity, or specific legal authorisation. Second, individuals must be able to request human review. Third, individuals must be able to contest the decision. Courts and regulators have confirmed that credit scoring, insurance pricing, employment screening, and loan decisions all trigger Article 22. A Berlin bank was fined EUR 300,000 in 2023 for rejecting a credit card application via an automated process without providing an explanation. The individual could not challenge or understand the decision: a textbook Article 22 violation that can happen to businesses of any size. Data Protection Impact Assessments for AI: When They Are Mandatory A DPIA is mandatory when your AI system poses a high risk to individuals’s rights and freedoms. Several categories of AI processing trigger this automatically. Under the EDPB’s anonymisation ruling, add a new category: any AI system trained on personal data where you cannot affirmatively demonstrate that the model retains no re-identifiable information. Concerned your AI systems may already have GDPR exposure, including under the EDPB anonymisation ruling? Book a free GDPR AI compliance audit. Our specialists review your AI stack and identify gaps before they become enforcement actions. The 6 GDPR Obligations Every AI Deployer Must Meet GDPR and the EU AI Act: Double Compliance in 2026 For businesses subject to both GDPR and the EU AI Act, the two frameworks overlap significantly. Note that the EU AI Act Omnibus (May 7,




