This article accompanies Hour 1: Global Privacy Law Updates in our full-day CPD programme on XpertAcademy. Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: CPD Event A: Full-Day Regulatory Privacy Training.
The annual reports published by the Data Protection Commission and the European Data Protection Board are often read as annual snapshots: how many complaints were received, how many fines were issued, which cases attracted headlines, and whether breach notifications went up or down.
That is useful, but it is not enough.
For DPOs, legal teams, governance leads and senior decision-makers, the more important question is what the reports show over time. A single enforcement year can be distorted by one large platform case. A single fall in breach notifications may not mean the control environment has improved. A new EDPB opinion may not immediately change every local regulator’s enforcement priorities, but it can change what "reasonable" and "explainable" look like in the next investigation.
The three-year period from 2023 to 2025 shows a clear direction of travel. The DPC’s work has not simply become "more enforcement-heavy" or "less enforcement-heavy". It has become broader, more European, more operational, more technical and more dependent on evidence. The EDPB’s role has also changed in practical terms. It is no longer only a forum for consistency and dispute resolution in major cases. It is increasingly shaping the environment in which national regulators, including the DPC, interpret GDPR alongside AI, online safety, digital markets, digital services, international transfers and children’s rights online.
That does not mean the EDPB controls the DPC. The DPC remains Ireland’s independent supervisory authority. It has its own domestic casework, breach handling, guidance, supervision, prosecution work, legislative consultation role and Irish regulatory relationships. But in the areas that matter most for multinational technology, cross-border complaints, AI, children’s data, international transfers and European consistency, the DPC is operating inside a much stronger European regulatory system than it was even a few years ago.
This article looks across the DPC annual reports for 2023, 2024 and 2025, then places that picture beside the EDPB’s work over the same period. The aim is not to recap every statistic. The aim is to help DPOs and senior leaders understand the pressures that are building, where those pressures come from, and what they suggest about the future shape of privacy governance.
The short version is this: DPO work is being pulled in three directions at once. It must stay close to ordinary operational controls, such as complaints, DSARs and breach records. It must also absorb more technical issues, especially AI, biometrics, transfers and age assurance. And it must do both inside a more coordinated European regulatory environment where Irish decisions, EDPB guidance and wider digital regulation increasingly shape each other.
This article is general guidance, not legal advice.
The three-year DPC pattern: from landmark enforcement to evidence pressure
The DPC’s 2023 report was dominated by landmark enforcement. The report recorded EUR 1.55 billion in fines and major decisions including the Meta transfers decision and the TikTok children’s data decision. Both were Irish-led cases, but both were also shaped by the GDPR cooperation and consistency mechanisms. The Meta and TikTok decisions were subject to Article 65 EDPB dispute resolution before the DPC adopted its final decisions.
The 2024 report still showed significant enforcement, with EUR 652 million in fines and decisions involving organisations such as LinkedIn, Meta Platforms Ireland Limited, Sligo County Council and Maynooth University. But the report also showed a regulator increasingly focused on operating-model issues: AI training and personal data, biometrics, sensitive health data, DPO engagement, breach discipline, subject access pressure, BCRs and legislative oversight. It also showed the DPC actively using the EDPB system to seek Europe-wide clarity on AI models.
The 2025 report then moves the picture again. The fine total remained substantial, at EUR 530,773,000, dominated by the TikTok transfer decision concerning EEA user data transfers to China. But the sharper signal in 2025 is not the fine total. It is the 45% increase in new cases from individuals, the DPC’s comment that many cases involved AI use by complainants, the rise in cross-border complaint conclusions, the growth in legislative consultation, the continued wrong-recipient breach pattern, and the DPC’s visible participation in EDPB meetings, subgroups, BCR work and mutual assistance.
Seen across three years, the DPC’s direction is not simply a move from one enforcement topic to another. It is a move from headline enforcement as the dominant external signal to a broader pressure environment where organisations must be able to explain ordinary privacy decisions under more complex conditions.
| DPC signal | 2023 | 2024 | 2025 | What it suggests |
|---|---|---|---|---|
| New cases from individuals | 11,200, up 20% on 2022 | 11,091 | 16,160, up 45% on 2024 | Individual pressure is not fading. Complaint readiness and evidence quality matter more. |
| Cases concluded | 11,147 | 10,510 | 11,734 | The regulator is handling significant volume, but organisations should still expect scrutiny where records are weak. |
| Valid breach notifications | 6,991, up 20% on 2022 | 7,781, up 11% on 2023 | 6,521, down 16% on 2024 | Breach numbers move, but wrong-recipient correspondence remains a persistent control issue. |
| Wrong-recipient breach pattern | 52% of the total | 50% of notifications | Around half of notifications | Administrative controls remain a serious privacy governance weakness. |
| Cross-border complaints | 156 valid complaints received as LSA | 145 valid cross-border complaints concluded | 208 valid cross-border complaints concluded | Ireland’s cross-border role remains central and is not limited to headline platform inquiries. |
| Legislative consultation | Over 37 pieces of proposed legislation | Over 56 | Over 77 | Privacy is increasingly embedded in wider law, digital regulation and public-policy design. |
| EDPB / European cooperation | Article 65 dispute resolution in major cases; more than 150 EDPB meetings | AI opinion request; EDPB and international functions established; Article 61 assistance | Over 140 EDPB meetings; 13 EDPB subgroups; 1,015 Article 61 requests | The DPC’s work is increasingly Europeanised in both formal and practical ways. |
For senior decision-makers, the table is useful because it prevents two common misunderstandings.
It should be read as a directional comparison rather than a perfect like-for-like statistical table. In particular, the DPC reports some cross-border measures as complaints received and others as complaints concluded. The useful point is not a neat arithmetic trend. It is that cross-border work remains central to the DPC’s role while domestic complaint, breach and rights-handling pressure continues in parallel.
The first misunderstanding is that fine totals tell the whole story. They do not. A year with a very large platform fine may look more severe than a year with heavier complaint pressure, more AI complexity and more regulatory coordination. For most organisations, the latter may be more practically relevant.
The second misunderstanding is that privacy risk is mostly about novel technology. It is not. The reports show high-profile AI, transfer and platform issues, but they also show ordinary operational failures: delayed access responses, weak explanations, misdirected correspondence, incomplete evidence, unclear ownership, and DPOs without enough organisational support.
The future pressure is therefore double-sided. Organisations must deal with AI, transfers, cross-border regulation and digital-law complexity. They must also get ordinary privacy operations under better control.
2023: the landmark enforcement year also exposed the European machinery
The DPC’s 2023 report will be remembered for the scale of enforcement. The Meta transfers decision resulted in a EUR 1.2 billion fine. The TikTok children’s data decision resulted in fines totalling EUR 345 million. The DPC also reported national decisions involving Bank of Ireland and Centric Health, with issues ranging from app-related data breaches to ransomware affecting patient data.
But 2023 matters for another reason. It showed the European machinery behind Irish-led cross-border regulation.
The Meta transfers decision and TikTok children’s data decision were not simply DPC decisions in isolation. They were subject to the Article 65 dispute resolution process at EDPB level. In the Meta transfers matter, the EDPB’s binding decision addressed whether additional corrective measures were warranted, including an administrative fine and compliance order. In the TikTok matter, the EDPB’s binding decision related to the processing of children’s personal data by TikTok, including design practices affecting 13 to 17-year-old users and issues relating to children under 13.
That is a direct form of EDPB influence. Where the Irish DPC acts as Lead Supervisory Authority in a cross-border case and other supervisory authorities raise relevant and reasoned objections that are not resolved, the Article 65 mechanism can shape the final result. The DPC may lead the inquiry, but the decision sits inside a European process.
That distinction matters for organisations headquartered or regulated through Ireland. A major cross-border case is not assessed only through an Irish domestic lens. Other supervisory authorities may object. The EDPB may resolve disputes. The final outcome can reflect the wider European interpretation of GDPR.
2023 also showed a different kind of European influence: coordinated attention to the role of the DPO. The DPC participated in the EDPB Coordinated Enforcement Framework action on the designation and position of Data Protection Officers. The DPC’s own annual report stressed that DPOs are a key component of Ireland’s compliance record and need support from senior management, including regular and direct communication lines into the management board. In its national work, the DPC identified issues around DPO resources, conflicts of interest and the tasks of the DPO. Approximately a third of respondents said they did not have sufficient resources to fulfil the DPO role.
This is not a side issue. It is one of the most important signals for senior leadership. The DPO is not simply a named compliance contact. The DPO model is part of the organisation’s evidence system. If the DPO is under-resourced, structurally conflicted, isolated from decision-making or involved too late, the organisation’s ability to explain its privacy position weakens.
The 2023 lesson is therefore not only that large fines are possible. It is that cross-border enforcement, DPO resourcing and European consistency were already converging.
2024: the DPC pushed AI questions into the European layer
The DPC’s 2024 report is a bridge year. The enforcement totals remained substantial, but the more important strategic signal was the DPC’s role in AI.
The DPC states that it led efforts to provide greater clarity on the application of data protection requirements to AI model training and development. It requested an Article 64(2) opinion from the EDPB on AI model development. The EDPB adopted Opinion 28/2024 in December 2024, addressing when and how AI models can be considered anonymous, whether and how legitimate interests may be used as a legal basis in development and deployment, and what happens where an AI model was developed using unlawfully processed personal data.
This is not EDPB influence in the simple sense of "Europe telling Ireland what to do". It is more interesting than that. The Irish DPC identified that AI model development raised systemic and Europe-wide questions, then used the EDPB mechanism to create a common European position.
For DPOs, this matters because the path from uncertainty to expectation can move quickly. Before an opinion is adopted, an organisation may argue that the regulatory position is developing. After the opinion, the argument changes. The organisation may still need case-specific analysis, but it can no longer act as though there is no European regulatory frame.
The AI opinion also shows how privacy governance is becoming more technical and more evidential. The questions are not limited to "do we have an AI policy?" They include whether a model is truly anonymous, whether personal data can be extracted from it, whether individuals could reasonably expect the processing, whether legitimate interests have been properly assessed, whether mitigating measures are real, and whether unlawful processing in development affects later deployment.
Those are difficult questions for organisations that do not have an AI use-case register, a data source record, vendor evidence, model documentation, DPIA discipline, deployment controls, logging, retention rules and a review cycle.
The DPC’s 2024 report also showed the operational spread of privacy regulation. It recorded 11,091 new cases, 7,781 valid breach notifications, 50% of which arose from correspondence sent to the wrong recipient, and 32,152 total contacts, with subject access requests identified as the most common reason individuals contacted the DPC. It also noted new national and cross-border inquiries focused on biometrics, AI training and personal data, and sensitive health data.
That combination is important. AI is becoming more technical, but the DPC’s ordinary workload is still driven by rights, breaches, complaints and accountability. The future DPO function has to handle both. It cannot be a narrow AI governance function, and it cannot be an old-style compliance mailbox.
2025: the pressure becomes volume, complexity and joined-up regulation
The DPC’s 2025 report is the clearest sign that privacy pressure is broadening.
The DPC received 16,160 new cases from individuals, a 45% increase on 2024, and concluded 11,734 cases, a 12% increase. It concluded 208 valid cross-border complaints as EU or EEA Lead Supervisory Authority, a 43% increase on 2024. It received 6,521 valid breach notifications, down 16% on 2024, but around half of those notifications still arose from correspondence being sent to the wrong recipient.
The DPC also reported input and observations on over 77 pieces of proposed legislation. That figure was 56 in 2024 and 37 in 2023. This is one of the most important but least flashy trends. It tells us that data protection is increasingly woven into law-making, public administration, digital regulation, sector reform, online safety, AI, biometrics, public services, children, education, health and vulnerable adults.
The DPC’s 2025 timeline also shows how joined-up the regulatory environment has become. The DPC signed a joint declaration on AI with data protection authorities from Australia, Korea, France and the UK. An EDPB statement on age assurance co-drafted by the DPC was published. The DPC announced an inquiry into X Internet Unlimited Company concerning EU or EEA user data for generative AI model training. It fined TikTok EUR 530 million and ordered corrective measures following an inquiry into transfers of EEA user data to China. It concluded its Department of Social Protection biometrics decision. It entered a cooperation agreement with Coimisiún na Meán and issued a joint statement on children’s safety and personal data online.
None of those items sits neatly in a single privacy silo. AI model training raises personal data, legitimate interests, transparency, fairness, model governance and possible cross-border issues. Age assurance raises children’s rights, online safety, data minimisation, proportionality, digital service design and verification. Biometrics raise special category data, lawful basis, necessity, DPIA quality and retention. International transfers raise SCCs, TIAs, supplementary measures, group access, cloud infrastructure, support access and geopolitical risk.
That is why the 2025 report should be read as an operating-model warning. The DPO function has to be close enough to live decisions to understand the facts. Senior leadership has to receive enough visibility to understand where privacy risk is material. Legal, procurement, product, security, HR, marketing, IT and operations have to understand when their work creates a privacy governance issue.
If privacy is only consulted after a system has been bought, an AI use case has been piloted, a transfer has begun, a customer complaint has escalated, or a breach has already occurred, the organisation is always trying to explain backwards.
The 2025 direction of travel is forward-looking evidence: identify the use case, understand the decision, record the rationale, show the controls, review the position, and escalate where the model no longer fits.
Has the EDPB influenced the DPC’s direction?
Yes, but the influence is not one single thing.
There are at least four different forms of influence, and they should not be collapsed into each other.
| Form of influence | What it looks like | Example | What it means in practice |
|---|---|---|---|
| Direct dispute resolution | The EDPB resolves disputes under Article 65 where a Lead Supervisory Authority and concerned supervisory authorities cannot resolve objections. | Meta transfers and TikTok children’s data in 2023. | Major Irish-led cross-border outcomes may be materially shaped by the wider European supervisory community. |
| Consistency opinions | The DPC can ask the EDPB to provide an opinion on a matter of general application under Article 64(2). | Opinion 28/2024 on AI models, requested by the Irish DPC. | Irish regulatory questions can become Europe-wide benchmarks that then influence future assessments. |
| Coordinated enforcement and shared methods | EDPB members coordinate fact-finding or enforcement focus on common topics. | 2023 DPO CEF action; 2024 right of access CEF action; 2025 right of erasure CEF action. | Local DPC attention can reflect Europe-wide priorities and common methodologies. |
| Guidance, subgroups and cross-regulatory work | The DPC participates in EDPB meetings, subgroups and guidance work, and the EDPB issues guidance on digital regulatory interplay. | DPC work on children and age assurance; DPC participation in EDPB subgroups; EDPB DSA/GDPR, DMA/GDPR and forthcoming AI Act/GDPR work. | Expectations become harmonised through guidance and shared interpretation, not only through fines. |
The direct influence is clearest in Article 65 decisions. In those cases, the EDPB can determine disputed issues that affect the final outcome of an Irish-led cross-border inquiry.
The more subtle influence is arguably more important for the future. Through Article 64 opinions, coordinated enforcement, subgroups, templates, stakeholder events and guidance, the EDPB shapes the language that national regulators and organisations use to assess compliance. It changes the frame before a formal enforcement decision arrives.
At the same time, the DPC is not merely receiving direction from Europe. It is also helping to shape it. The DPC requested the AI models opinion. It has been involved in EDPB children and age assurance work. It participated in more than 140 EDPB meetings in 2025 and was represented on 13 EDPB subgroups. It also acts as Lead Supervisory Authority for many cross-border matters because of Ireland’s role as the European base for major technology companies.
So the better description is not that the EDPB has "taken over" the DPC’s direction. It is that the DPC and EDPB now operate in a feedback loop. Irish cases and questions feed into European consistency work. European consistency work then shapes how Irish and other European regulators assess future cases.
For organisations, that means Irish privacy governance cannot be understood only by watching DPC decisions. DPOs also need to track EDPB outputs, especially where they touch AI, children’s data, access rights, erasure, international transfers, legitimate interests, anonymisation, pseudonymisation, digital services, digital markets and cross-regulatory cooperation.
The EDPB’s own three-year arc: from binding decisions to practical clarity
The EDPB’s 2023 Annual Report emphasised binding decisions, one urgent binding decision, the election of Anu Talus as Chair, and the launch of the EDPB Data Protection Guide for small business. In practical terms, 2023 was about the EDPB’s role in shaping common interpretations of key GDPR principles and making those principles more accessible.
The 2024 Annual Report then marked a move into strategy, guidance and cross-regulatory positioning. The EDPB adopted its 2024-2027 strategy, reported a significant increase in Article 64(2) consistency opinions, and adopted opinions on topics including consent-or-pay models, facial recognition at airports and the use of personal data to train AI models. It also emphasised cross-regulatory cooperation with the DMA, DSA, AI Act, Data Governance Act and Data Act.
The 2025 Annual Report goes further again. Its theme is "clarity in action", with a focus on supporting stakeholders through guidance and dialogue. The EDPB adopted the Helsinki Statement on Enhanced Clarity, Support and Engagement. It worked on simplification, templates, FAQs, stakeholder consultation, cross-regulatory cooperation, DSA/GDPR guidance, DMA/GDPR joint guidelines and work with the European Commission on AI Act and data protection interplay guidance for 2026.
This is a meaningful development. The EDPB is not only deciding disputes or writing specialist guidance. It is trying to make GDPR more usable in a regulatory environment where data protection intersects with AI, digital services, digital markets, data sharing, online safety, competition, cybersecurity and sector regulation.
For organisations, that may sound like good news. In some ways it is. Clearer guidance, templates and dialogue should make compliance more navigable. But it also raises expectations. The more practical the guidance becomes, the less credible it is for organisations to rely on vague uncertainty.
When the EDPB explains how GDPR interacts with AI models, pseudonymisation, DSA obligations, DMA obligations or cross-regulatory governance, senior teams should treat that as an early signal. It may not be enforcement yet, but it may inform future enforcement, supervision or complaint assessment.
The future is not "more privacy". It is more joined-up accountability
One of the risks in reading annual reports is to conclude that the answer is simply "do more privacy". That is not specific enough.
The direction of travel points to more joined-up accountability. This means the organisation can explain not only what the privacy team did, but how privacy was built into decision-making across the organisation.
For AI, joined-up accountability means the AI register, DPIA, vendor assessment, security review, product owner, model documentation, prompt and upload rules, logging, human oversight, retention and review triggers must connect. It is not enough to say that AI is "low risk" or that the supplier has provided assurances.
For DSARs and complaints, joined-up accountability means the organisation can show searches, decision records, redaction reasoning, exemption analysis, timelines, escalation and quality review. It is not enough to rely on informal knowledge or a privacy mailbox.
For breaches, joined-up accountability means notification decisions are supported by facts, technical evidence, containment records, risk analysis and lessons learned. It is not enough to count down 72 hours and file a report.
For children’s data, joined-up accountability means transparency, age assurance, safety, default settings, parental roles, safeguarding, product design and marketing discipline are considered together. It is not enough to have a child-friendly privacy notice if the underlying service design is not appropriate.
For transfers, joined-up accountability means SCCs, TIAs, supplementary measures, BCRs, group access, vendor support, cloud hosting, AI training, logs and onward transfer risk are connected to the operating model. It is not enough to have a template transfer assessment that no longer reflects the live system.
For DPOs, joined-up accountability means the DPO has the independence, expertise, time, access, senior-management support and escalation route needed to perform the role. It is not enough to name someone as DPO while leaving them structurally unable to influence decisions.
This is the practical future DPOs need to prepare for. The work is becoming less about isolated compliance tasks and more about whether the organisation can join its privacy evidence into a coherent operating model.
What this means for senior decision-makers
Senior decision-makers do not need to read every page of every DPC and EDPB report. But they do need to understand what those reports are telling them about governance pressure.
The first message is that regulatory direction is becoming more interconnected. The DPC’s work now sits alongside EDPB consistency, Irish digital regulation, EU AI Act implementation, DSA and DMA interplay, online safety, cybersecurity, sector regulation and international cooperation. That means privacy risk may appear in projects that do not look like privacy projects at the start.
The second message is that operational privacy weaknesses remain expensive and reputationally damaging. The same themes keep recurring: wrong-recipient correspondence, poor access request handling, weak breach records, under-supported DPOs, unclear decisions, inadequate DPIAs and poor evidence of controls.
The third message is that AI governance cannot be left to innovation teams alone. The DPC’s AI work, the EDPB AI opinion and the 2025 increase in AI-related complaint complexity all point in the same direction. Senior teams need to know what AI is being used, what data it can reach, what records exist, what decisions it influences, what vendor terms apply and what review cycle keeps the position current.
The fourth message is that international transfers remain a live board issue. The 2023 Meta transfers decision and the 2025 TikTok China transfer decision show that transfer risk remains serious. Organisations with group structures, cloud providers, overseas support, AI vendors, analytics platforms or global operating models need transfer governance that reflects the live facts.
The fifth message is that the DPO model may need review. If the organisation’s privacy environment has changed but the DPO arrangement has not, there may be a mismatch. The DPO may be expected to cover AI, DSARs, breaches, transfers, supplier governance, board reporting, product review, regulator contact and staff advice without enough capacity or authority. That is not just a resourcing issue. It is an accountability issue.
The question for senior leadership is therefore not "are we compliant?" It is more practical:
Can we explain our privacy decisions, show our evidence, identify our owners and escalate where the current model no longer fits?
If the answer is weak, the response should be practical rather than cosmetic. Review whether the DPO has direct access to senior management, whether any operational role creates conflict, whether recommendations and challenges are documented, who accepts residual risk, and how unresolved issues reach the board or executive team.
What DPOs should do with this three-year view
For DPOs, the three-year DPC and EDPB pattern can be turned into a useful governance tool.
Start by treating regulator reports as forward-looking signals, not historical reading. The point is not to produce a long legal update. The point is to translate the signal into organisational questions.
If the DPC says cases have increased sharply, ask whether complaint and DSAR files would withstand external review. If breach notifications still show wrong-recipient correspondence, ask whether controls have changed or whether the organisation is simply logging the same type of error repeatedly. If the DPC and EDPB are focusing on AI model training, ask whether AI use cases are governed as processing activities rather than technology purchases. If the EDPB is working on DSA/GDPR, DMA/GDPR and AI Act/GDPR interplay, ask which parts of the organisation need to understand that overlap.
The second step is to create a regulator signal log. This does not need to be complicated. A useful log records the regulator source, the issue, the organisational area affected, the evidence expected, the owner, the next review date and whether a board or executive update is needed.
The third step is to link that signal log to board reporting. Board packs often contain privacy metrics, but those metrics can be too static. A stronger report explains what has changed externally, what that means internally, what evidence exists, what is missing and what decisions senior leadership may need to make.
The fourth step is to review the DPO model itself. The DPC’s 2023 and 2024 materials make clear that DPO effectiveness depends on resourcing, independence, senior-management access and practical impact. The EDPB’s DPO coordinated enforcement work reinforces the same point. A DPO who cannot access decision-makers, obtain records, challenge assumptions or secure timely input from business owners cannot carry the future privacy environment.
The fifth step is to connect specialist areas. AI, breach, DSAR, transfers, children, vendors and board reporting should not be separate compliance islands. Each creates evidence that may be needed in the others. A DSAR may expose AI or vendor issues. A breach may expose weak transfer governance. A children’s service may raise DPIA, age assurance, online safety and transparency questions. A transfer review may expose weak group accountability. The DPO function needs enough visibility to see those connections.
What the next few years are likely to look like
The next phase of DPC and EDPB pressure is likely to be more European, more technical and more operational at the same time.
AI will continue to be a major theme, but the focus will not be limited to foundation model providers. Deployers, procurers and users of AI systems will need to show how they govern use cases, data sources, prompts, logs, retention, human oversight, bias, transparency and vendor change. The DPC’s inquiries and the EDPB’s AI work suggest that privacy teams should expect AI questions to appear in complaints, DPIAs, DSARs, breach reviews, procurement and board assurance.
Children’s data will remain a joined-up regulatory issue. Age assurance, online safety, transparency, design, sharenting, safeguarding and platform accountability are likely to continue to overlap. The DPC’s work with Coimisiún na Meán and its involvement in EDPB age assurance work point toward more coordinated expectations.
International transfers will remain live. The DPC’s major decisions on Meta transfers and TikTok transfers show that transfers are not a settled background issue. The future pressure will likely sit in cloud access, AI model training, group support, remote administration, China, US, vendor chains, BCRs, SCCs, TIAs and supplementary measures.
Rights handling will remain a practical test. The EDPB’s coordinated enforcement work on DPOs, access and erasure, combined with DPC contact and complaint patterns, suggests continued focus on whether organisations can handle individual rights consistently and explainably.
Breach governance will remain stubbornly ordinary. Cyber incidents will matter, but so will misdirected correspondence, weak administrative controls, portal errors, poor publication checks and human error. The organisations that improve will be the ones that treat breach records as control intelligence, not just notification paperwork.
The EDPB will likely continue to make GDPR more practical and more connected to other digital laws. That will help organisations that want clarity. It will also make it harder for organisations to rely on generic uncertainty when specific guidance, templates, opinions and cross-regulatory materials exist.
For DPOs, the practical conclusion is that the role is becoming more strategic, not less. It requires legal judgement, technical understanding, governance skill, evidence discipline, escalation confidence and the ability to translate regulatory direction into operational action.
For senior leaders, the conclusion is equally direct: if privacy has become more connected, the privacy operating model must become more connected too.
Bringing it together
The DPC’s annual reports for 2023, 2024 and 2025 show a regulator dealing with landmark enforcement, major cross-border cases, complaint pressure, breach notifications, AI, biometrics, children’s data, international transfers, DPO engagement, legislative consultation and European cooperation.
The EDPB’s annual reports over the same period show a European body moving from major binding decisions and common interpretations toward practical clarity, stakeholder dialogue, cross-regulatory cooperation and more usable GDPR guidance.
Read together, the direction is clear. Privacy governance is becoming more European, more technical and more evidence-led. But it is also becoming more practical. The future pressure will not only come from fines. It will come from the need to explain decisions, show records, connect controls, evidence DPO involvement and demonstrate that the operating model can carry the work.
The organisations best placed for that future will not be the ones with the longest policies. They will be the ones with a DPO model, evidence discipline and senior governance structure that can connect regulatory direction to real decisions.
This article is intended to support the learning covered in Hour 1 of our XpertAcademy CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: CPD Event A: Full-Day Regulatory Privacy Training.
Sources consulted
- DPC 2025 press release: Data Protection Commission Publishes Annual Report for 2025 and Results of "Sharenting" Survey
- DPC 2025 summary page: Data Protection Commission Annual Report 2025
- DPC 2024 press release: Data Protection Commission publishes 2024 Annual Report
- DPC 2024 summary page: Data Protection Commission Annual Report 2024
- DPC 2023 press release: Data Protection Commission publishes 2023 Annual Report
- DPC 2023 PDF: Data Protection Commission Annual Report 2023
- EDPB 2025 annual report article: EDPB annual report 2025: supporting stakeholders through guidance and dialogue
- EDPB 2024 annual report article: EDPB annual report 2024: protecting personal data in a changing landscape
- EDPB 2023 annual report article: EDPB Annual Report 2023: Safeguarding individuals’ digital rights
- EDPB Binding Decision 1/2023: Meta Platforms Ireland data transfers
- EDPB Binding Decision 2/2023: TikTok Technology Limited children’s data
- EDPB Opinion 28/2024: AI models and personal data
- EDPB AI models article: EDPB opinion on AI models: GDPR principles support responsible AI