Skadden’s GDPR Risk Compass: A Data-Driven Starting Point for Enforcement Risk Discussions

Skadden Publication / Cybersecurity and Data Privacy Update

Nicola Kerr-Shaw, David A. Simon, William E. Ridgway, Susanne Werry, Aleksander J. Aleksiev, Alex Smallwood

Executive Summary

  • What’s new: Our 2026 GDPR Risk Compass analyzes enforcement data from across regulators to help companies quantify GDPR enforcement risk across the EU and UK.
  • Why it matters: The Compass divides the regulators into four risk-based quadrants, based on the number and size of the fines issued in recent years.
  • What to do next: When assessing their GDPR compliance programs and interacting with regulators, organizations should consider the enforcement approach of the relevant regulator.

__________

When assessing General Data Protection Regulation (GDPR) compliance obligations and responding to GDPR investigations, it’s important to understand both the letter of the law and the enforcement approach of the regulators you’re dealing with.

Using data released in 2024, 2025 and 2026 by the European Data Protection Board and the UK Information Commissioner’s Office, our 2026 GDPR Risk Compass divides regulators into four distinct quadrants, based on the number and size of the fines issued in recent years.

  • Category 1 (high impact, low frequency). The regulators in this quadrant issue a low number of fines, but when they hit, they hit hard. When dealing with these regulators, the best strategy is often to remain below their radar. This group includes the regulators in Ireland, the Netherlands and the UK, which focus on long-running, high-stakes enforcement actions against global tech giants, alongside a cluster of Nordic regulators (Denmark, Finland, Norway, Sweden).
  • Category 2 (high impact, high frequency). The Category 2 regulators are aggressive, high-stakes regulators that issue large quantities of big fines — these are the regulators that cause the most concern for companies. They are mostly found in Western European countries such as France and Italy, though a few other countries such as Poland also make the list.
  • Category 3 (low impact, high frequency). These regulators issue a larger number of fines and can consume a lot of companies’ time with investigations. While those investigations can have a significant reputational impact, the resulting fines are usually small. They are primarily clustered in Central Europe (Austria, Germany, Hungary, Romania).
  • Category 4 (low impact, low frequency). These regulators rarely issue fines, and even when they do, the fines are not large. They can mainly be found in smaller EU and EEA countries such as Liechtenstein and Malta.

The Compass doesn’t tell the whole story.

  • It currently only provides a snapshot based on data released in 2024, 2025 and 2026. We will update it as new data becomes available.
  • Regulators’ past enforcement behavior won’t necessarily predict their behavior in future cases.
  • GDPR compliance is about more than just avoiding fines. An investigation can bring reputational risks, private damages litigation, orders to cease data processing and legal defence costs, even if it never ends up in a fine.

Nonetheless, the GDPR Risk Compass should serve as a useful starting point to frame conversations around GDPR risk. For organizations operating in the EU and the UK, the Compass can help calibrate GDPR enforcement risk levels across regulators.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
