GDPR enforcement in the first quarter of 2026 has accelerated sharply. Between January and March, European supervisory authorities imposed a total of €68.18 million in fines - a nearly 400% increase compared to the €13.8 million recorded during the same period in 2025. The surge signals a renewed tempo of enforcement activity after a period in which quarterly totals had been comparatively modest.
France and the United Kingdom were responsible for 94% of the Q1 total. France's CNIL imposed €47 million in penalties across multiple decisions, headlined by a €27 million fine against Free Mobile and a €15 million fine against Free for failures in subscriber data security following a breach in October 2024 that exposed personal data relating to 24 million subscriber contracts, including IBANs. The CNIL also fined France Travail (formerly Pôle Emploi) €5 million for failing to ensure the security of job seekers' data. In the UK, the ICO imposed €16.89 million (£14.47 million) in penalties, including a landmark fine against Reddit for processing children's personal data without a lawful basis and without implementing adequate age assurance measures.
The data sits alongside DLA Piper's January 2026 finding that cumulative GDPR fines since May 2018 now exceed €7.1 billion, with €1.2 billion issued during 2025 alone. The CMS GDPR Enforcement Tracker now records over 2,245 documented fines - a figure that continues to climb as enforcement expands beyond Big Tech and into telecoms, employment services, and online platforms.
For compliance teams, the Q1 data confirms that data security failures and inadequate protections for vulnerable groups - particularly children - remain the highest-risk areas for enforcement action. The sustained increase in breach notifications, now averaging 443 per day across Europe, means regulators have more material to work with than at any point since the GDPR took effect.
Acompli perspective: A 400% year-on-year increase in fines is difficult to dismiss as statistical noise. The enforcement pattern is consistent: regulators are targeting organisations that failed to implement adequate security measures and that could not demonstrate accountability when a breach occurred. The defences that matter are the ones that exist before the incident - documented risk management frameworks, accurate records of processing, and data mapping that lets you assess impact quickly. If your breach response plan has not been tested against the 72-hour notification window, the Q1 2026 numbers are a prompt to do so now.
