25 EU Regulators Are About to Audit Your Privacy Notices — Here’s What to Fix Before They Arrive
Key Takeaways
- EDPB 2026 Enforcement Targets Transparency. Approximately 25 EU data protection authorities will audit GDPR information obligations under Articles 5(1)(a), 12, 13, and 14 using questionnaires and investigations.
- Most Privacy Notices Fail Regulatory Tests. Organizations commonly lack layered notices, just-in-time disclosures at collection points, and documented legal bases including legitimate interest assessments.
- Enforcement Escalates With Record Fines. GDPR fines reached €1.2 billion in 2025 amid a 22% rise in breach notifications, with transparency violations among the most cited grounds.
- AI Exponentially Increases Compliance Gaps. AI agents processing personal data create new automated decision-making disclosure and explainability obligations under GDPR and the EU AI Act that few organizations have mapped.
Imagine a DPA investigator contacts your organization with a structured questionnaire. The questions are specific: Can you demonstrate that data subjects receive clear, concise information about every purpose for which their data is processed? Can you show that your privacy notices cover all legal bases, including legitimate interest assessments? Can you produce evidence that just-in-time disclosures are provided at each point of data collection — not just on your website, but in your apps, your forms, your email workflows, and your AI-powered tools?
The Knock Is Coming — And Most Organizations Are Not Ready
This is not a hypothetical. The European Data Protection Board announced in March 2026 that its 2026 Coordinated Enforcement Framework action will focus on transparency and information obligations under GDPR. Approximately 25 data protection authorities across the EU and EEA will assess how controllers meet these obligations, using enforcement actions and fact-finding activities, with results expected to guide targeted follow-up actions across sectors.
The DLA Piper GDPR Fines and Data Breach Survey (2026 edition) documented €1.2 billion in GDPR fines during 2025, with a 22% annual increase in breach notifications averaging 443 per day. Enforcement is now focused on Articles 5(1)(a) — lawfulness, fairness, and transparency — and 5(1)(f) — integrity and confidentiality. The EDPB’s coordinated action lands directly on the first of those two pressure points.
5 Key Takeaways
1. The EDPB’s 2026 Coordinated Enforcement Framework targets transparency.
Around 25 data protection authorities will simultaneously assess how controllers meet GDPR information and transparency obligations — using investigations, questionnaires, and fact-finding that can lead to formal enforcement actions. The scope covers Articles 5(1)(a), 12, 13, and 14. GDPR compliance teams that have not explicitly mapped their organization against these articles cannot assess their exposure.
2. This follows a pattern of escalation — not soft guidance.
Previous CEF cycles examined public-sector use of cloud services (2022), the role of data protection officers (2023), the right of access (2024), and the right to erasure (2025). Each produced targeted follow-up enforcement actions. The transparency focus for 2026 signals DPAs expect widespread gaps — and the enforcement data supports that expectation: transparency violations under Article 5(1)(a) are among the most frequently cited grounds in formal GDPR decisions.
3. GDPR fines reached €1.2 billion in 2025 with breach notifications rising 22%.
The enforcement environment is hotter than at any point since the regulation took effect. Data privacy violations under Articles 5(1)(a) and 5(1)(f) are a growing focus of formal decisions — which is precisely where the EDPB’s 2026 coordinated action lands. Organizations with transparency gaps are walking into an enforcement cycle built to find them.
4. Most privacy notices fail the test regulators are actually applying.
The gap between “we have a privacy policy” and demonstrable compliance with layered notices, just-in-time disclosures, and purpose-specific legal bases is where enforcement actions originate. The 2026 Thales Data Threat Report found only 33% of organizations have complete knowledge of where their data is stored — and you cannot accurately describe processing you cannot locate.
5. AI systems amplify the transparency challenge exponentially.
Every AI agent processing personal data creates documentation, explainability, and transparency obligations that most organizations have not mapped. The AI data governance gap intersects directly with the EDPB’s transparency enforcement and EU AI Act milestones arriving simultaneously in 2026.
What the EDPB Is Actually Looking For
The transparency obligation under GDPR is not a single requirement. It is a layered set of duties spanning Articles 5(1)(a), 12, 13, and 14 that collectively require controllers to provide information that is concise, transparent, intelligible, easily accessible, and in clear and plain language.
In practice, the EDPB’s investigation will assess several dimensions. Controllers must demonstrate that data subjects are informed about the identity and contact details of the controller (and of its representative and DPO, where applicable), the purposes and legal bases for processing (including the legitimate interests relied on and the assessment behind them, where that is the basis), the categories of personal data processed, the recipients or categories of recipients, any transfers to third countries and the safeguards used, retention periods or the criteria used to set them, and data subject rights. Where data is obtained indirectly, the notice must also identify the source. This information must be provided at the time of collection (Article 13) or, when data is obtained indirectly, within a reasonable period and at the latest within one month, earlier if the data is first used to contact the individual or disclosed to another recipient (Article 14(3)).
The 2026 Thales Data Threat Report found that only 33% of organizations have complete knowledge of where their data is stored and only 39% can classify all data. When organizations cannot locate or classify their data, they cannot accurately describe their processing activities in privacy notices. The transparency obligation demands specificity that most organizations’ data governance infrastructure cannot support.
Why Previous CEF Cycles Should Concern You
The Coordinated Enforcement Framework is not new. The EDPB has run it annually since 2022, each cycle following a consistent pattern: coordinated investigation, aggregated findings, published guidance, and then targeted enforcement in subsequent years.
The 2022 CEF examined public-sector use of cloud-based services. The 2023 cycle examined the role of data protection officers. The 2024 cycle focused on the right of access under Article 15, and the 2025 cycle targeted the right to erasure under Article 17. Each cycle produced insights that DPAs subsequently used to inform enforcement priorities and formal decisions.
The transparency focus for 2026 signals DPAs expect to find widespread gaps — and the enforcement data supports that expectation. Analysis from Aphaia indicates that transparency violations are among the most frequently cited grounds in GDPR enforcement decisions, yet remain among the least consistently implemented controls in most organizations’ compliance programs.
The Privacy Notice Gap: Where Organizations Actually Fail
The gap between what organizations believe they have and what regulators expect is structural. Most organizations have a privacy policy on their website. Far fewer have implemented the full set of transparency measures that GDPR actually requires.
Layered notices are missing or incomplete. Article 12 requires information to be provided in a concise, transparent, and easily accessible form. For complex processing activities, the EDPB has long recommended layered notices — a short first layer with essential information, linked to detailed supplementary layers. Most organizations have a single, monolithic privacy policy that fails both the conciseness and accessibility tests.
Just-in-time disclosures are absent. When personal data is collected through forms, apps, chatbots, or AI-powered tools, transparency requires that relevant information is provided at the point of collection — not buried in a general privacy policy three clicks away. Most organizations now exchange sensitive data across multiple distinct channels — secure email, file sharing, SFTP, MFT, APIs, web forms, and AI integrations. Each channel carries distinct transparency obligations that a single privacy policy cannot satisfy.
Legal basis documentation is vague. Article 13(1)(c) requires controllers to state the legal basis for each processing purpose, and Article 13(1)(d) requires them to name the legitimate interests relied on when that is the basis. Many organizations default to “legitimate interest” without documenting the balancing test, or cite “consent” for processing where consent is neither freely given nor withdrawable. When a DPA investigator asks to see the legitimate interest assessment for a specific processing activity, the absence of documentation is itself a finding.
Purpose specifications are too broad. Stating that personal data is processed “to improve our services” fails the specificity test. Each purpose must be specific enough that a data subject can understand what is being done with their data and why. The 2026 DTEX/Ponemon Insider Threat Report found that 92% of organizations say GenAI has changed how employees share information — yet most privacy notices have not been updated to reflect AI-powered processing activities at all.
AI Makes the Transparency Problem Exponentially Harder
The EDPB’s transparency enforcement action arrives just as organizations are deploying AI systems that create entirely new categories of transparency obligations — and most have not mapped them.
AI systems that process personal data create obligations under both GDPR and the EU AI Act, whose obligations are phasing in. Under GDPR, Article 13(2)(f) requires controllers to disclose the existence of automated decision-making within the meaning of Article 22 (decisions based solely on automated processing that produce legal or similarly significant effects), to provide meaningful information about the logic involved, and to explain the significance and envisaged consequences for the data subject. AI processing that falls below that threshold still has to be described accurately under the general purpose and legal-basis requirements of Articles 13 and 14. Under the EU AI Act, the Article 50 transparency duties (for example, telling people that they are interacting with an AI system) and most high-risk obligations, including technical documentation, are scheduled to apply from 2 August 2026.
The Kiteworks 2026 Forecast Report found that 100% of surveyed organizations have agentic AI on their roadmap, yet 63% cannot enforce purpose limitations on AI agents. When an AI agent processes personal data without purpose binding, the controller cannot accurately describe the processing purpose in a transparency notice — creating a compliance gap that compounds with every undocumented AI interaction.
The 2026 Thales Data Threat Report found that 70% of respondents cite rapid change in the AI ecosystem as the most concerning AI-related risk. Transparency obligations demand that privacy notices reflect current processing activities. When the AI landscape shifts quarterly, annual privacy notice reviews are structurally inadequate.
The US State Privacy Patchwork Amplifies the Challenge
The EDPB’s enforcement action does not exist in isolation. Organizations processing personal data across jurisdictions face converging transparency obligations from multiple regulatory regimes simultaneously.
In the United States, 19 states now have comprehensive state data privacy laws in effect, including new entries like Indiana, Kentucky, and Rhode Island that came into force in January 2026. California’s CPPA finalized Automated Decision-Making Technology regulations with enforcement beginning January 2027, adding AI-specific transparency obligations for organizations serving California residents.
For organizations operating across the EU and US simultaneously, the transparency challenge is not just meeting one standard — it is maintaining consistent, accurate notices across jurisdictions where requirements differ in detail but overlap in principle. The Black Kite 2026 Third-Party Breach Report documented that among the top 50 shared vendors, 62% had corporate credentials in stealer logs and 80% showed phishing exposure — meaning the organizations most likely to trigger a breach notification are also the ones whose transparency practices will face the most regulatory scrutiny in the aftermath.
How Kiteworks Helps Organizations Demonstrate Transparency Compliance
Every sensitive data exchange through the Kiteworks Private Data Network — email, file sharing, SFTP, MFT, web forms, APIs, and AI integrations — is logged in a single, unified audit trail that documents who accessed what data, when, under what policy, and through which channel. This chain-of-custody documentation provides the evidentiary foundation DPA investigators require: not a claim of transparency, but a record of every data processing activity that a privacy notice describes.
Kiteworks compliance dashboards provide continuous visibility into regulatory posture across GDPR, HIPAA, CMMC, and other frameworks, enabling organizations to shift from reactive audit preparation to proactive compliance management. When the EDPB questionnaire arrives, Kiteworks provides the evidence — not a narrative, but a log.
For AI governance specifically, the Kiteworks Secure MCP Server and AI Data Gateway ensure that every AI interaction with personal data is governed, logged, and auditable — supporting the transparency obligations that AI-powered processing creates under both GDPR Article 13(2)(f) and the EU AI Act’s documentation requirements.
What Organizations Need to Fix Before the DPA Investigator Arrives
First, audit your privacy notices against Article 13 and 14 requirements — not against your own policy template, but against the actual regulatory text. For every processing activity, verify the notice specifies purpose, legal basis (with legitimate interest assessments documented), categories of data, recipients, retention periods, and data subject rights.
Second, implement layered and just-in-time transparency. Your website privacy policy is necessary but not sufficient. Every data collection point — web forms, chatbots, email workflows, file sharing portals, AI-powered tools — needs contextual disclosure at the moment of collection. Most enterprises exchange sensitive data across seven or more distinct channels; each is a transparency obligation.
Third, map your AI processing activities against transparency requirements. If AI systems take decisions about individuals that fall under Article 22, your privacy notices must disclose the existence of that automated decision-making, meaningful information about the logic involved, and the envisaged consequences; any other AI processing of personal data still needs an accurate purpose and legal basis in the notice. The EDPB’s transparency enforcement and the EU AI Act’s documentation requirements converge on the same demand: explain what your systems do with personal data, to regulators and data subjects alike.
Fourth, prepare your evidence packages now. When the DPA questionnaire arrives, you need to produce records of processing activities (ROPA), legitimate interest assessments, consent records, data protection impact assessments, and audit trails — not create them. The Thales report found just 6% of organizations that failed an audit report no breach history, versus 30% of those that passed. Audit readiness and breach history are correlated in that data: the organizations that can evidence their controls are also the ones that tend to have fewer incidents to report.
Fifth, establish a review cadence that matches your processing changes. If your AI deployment roadmap adds new processing activities quarterly, annual privacy notice reviews create a structural transparency gap. Build the review cycle into your AI deployment governance so that no new processing activity goes live without a corresponding transparency update.
The EDPB’s coordinated enforcement action is not an ambush — it has been announced, its scope is published, and its investigative methods are consistent with prior CEF cycles. The organizations that prepare now will demonstrate compliance. The organizations that do not will generate the enforcement statistics that fill next year’s DLA Piper survey.
To learn more about protecting your data and demonstrating transparency compliance, schedule a custom demo today.
Frequently Asked Questions
Does a single website privacy policy satisfy the EDPB’s 2026 transparency enforcement?
No. The EDPB’s 2026 coordinated enforcement examines whether controllers provide layered notices, just-in-time disclosures at each data collection point, and purpose-specific legal basis documentation. A single data privacy policy cannot satisfy the contextual transparency obligations arising from forms, apps, email workflows, and AI tools — each data collection channel carries its own Article 13 obligation.
Does the EDPB action affect US-based organizations?
Yes, where GDPR applies. Under Article 3(2), GDPR reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization is established. US-based organizations in scope should audit their Article 13 and 14 compliance, ensure privacy notices cover all processing purposes and legal bases, and prepare evidence packages including ROPA and legitimate interest assessments. Only 39% of organizations can classify all their data per the 2026 Thales report — a gap that directly undermines transparency compliance.
How do AI chatbots, copilots, and agents change transparency obligations?
GDPR Article 13(2)(f) requires disclosure of automated decision-making within the meaning of Article 22 and meaningful information about the logic involved. AI chatbots, copilots, and agents that take or materially drive such decisions about individuals trigger this obligation; AI tools that process personal data without meeting that threshold still have to be described accurately in the notice’s purposes and legal bases. The Kiteworks 2026 Forecast found 63% of organizations cannot enforce purpose limitations on AI agents — meaning most cannot accurately describe AI processing in transparency notices. The AI Data Gateway and Secure MCP Server provide the governance and audit infrastructure to close this gap.
How do GDPR transparency requirements relate to the EU AI Act?
Both converge on the same requirement: explain what systems do with personal data. GDPR demands transparency about processing purposes, legal bases, and automated decision-making. The EU AI Act adds documentation, conformity assessment, and human-oversight requirements. Map AI use cases against both frameworks simultaneously using a unified audit trail and compliance dashboard — building separate evidence packages for each framework duplicates effort and creates inconsistencies regulators will find.
What evidence will a DPA investigator request?
DPA investigators will typically request records of processing activities (ROPA), privacy notices for all processing activities, legitimate interest assessments, DPIAs, consent records, and evidence that transparency measures are implemented at each data collection point. Prepare these proactively — the Thales Data Threat Report found that audit failures correlate with breach history, and the Kiteworks Private Data Network generates the consolidated, exportable evidence packages that make DPA responses a documentation exercise rather than a scramble.