GDPR at 7: What the Latest EDPB Report Means for Data Privacy and AI

Why compliance is no longer about policies – and how VinciWorks is helping organisations step up
This year marks seven years since the General Data Protection Regulation (GDPR) came into force – and the latest report from the European Data Protection Board (EDPB) makes one thing clear: ticking a box isn’t enough.
Data privacy has moved far beyond written policies. Today, it’s about proving that privacy and risk management are embedded into day-to-day operations, including how organisations adopt and use artificial intelligence (AI).
At Axiom GRC, we’re working with our specialist compliance experts at VinciWorks to help organisations close the gap between intent and action, and move towards proactive, evidence-led data protection.
The new data privacy reality
The EDPB’s report paints a picture of a changing compliance landscape. While some organisations have evolved their practices, many still struggle with outdated consent mechanisms, superficial data protection impact assessments (DPIAs) and limited accountability documentation.
Crucially, regulators are not standing still.
The next chapter of the GDPR includes reforms designed to accelerate enforcement, improve cross-border coordination, and close jurisdictional gaps – particularly in large-scale, high-impact cases. The goal? Faster, more decisive action where it matters most.
And increasingly, that means AI.
AI and GDPR: What organisations need to know
The EDPB’s recent opinion on training AI models using personal data has signalled a shift in regulatory attention towards the developers of AI tools and the organisations deploying them.
If you’re using an AI-powered tool within your business, claiming you don’t know how it was trained is no longer acceptable.
Regulators now expect deployers to:
- Assess whether the AI model was trained lawfully
- Identify if personal data was used without a valid basis
- Consider whether any existing sanctions against the provider affect your ongoing use
- Conduct a meaningful DPIA and implement clear mitigation measures
Most models won’t meet the threshold for anonymisation. While legitimate interest may still be used as a legal basis, organisations must prove that individual rights are being protected and that the processing is justified, fair and transparent.
What this means in practice
As part of Axiom GRC, VinciWorks is already helping businesses implement these principles.
This includes:
- Updating data protection programmes to reflect current risk
- Conducting robust DPIAs for new systems and tools
- Rolling out practical, up-to-date GDPR training across the workforce
- Implementing governance frameworks to monitor AI deployment and use
- Managing risk around shadow AI and uncontrolled tool adoption
- Ensuring data protection principles like transparency and minimisation are built in from the start
Organisations are being urged to do their due diligence before enforcement catches up.
Looking ahead: GDPR is evolving
Upcoming GDPR reforms are expected to:
- Strengthen enforcement mechanisms across the EU
- Reduce delays in large-scale investigations
- Increase pressure on businesses to show that compliance is having a measurable impact
With the EU AI Act coming into force, the stakes are rising further. For violations, fines of up to 7% of global turnover are on the table, and regulators are likely to take a tougher line on AI-related privacy risks.
Building resilience through integrated governance
The message is clear: data privacy, AI risk, and regulatory compliance can no longer be tackled in isolation.
At Axiom GRC, we’re helping organisations take a joined-up approach – combining technology, legal expertise, and human insight across our group, including VinciWorks, to build systems that meet regulatory requirements and support long-term business resilience.
Whether you’re reviewing your data protection programme, implementing new AI tools, or simply trying to understand where your risks lie, now is the time to act.
Find out how VinciWorks, part of Axiom GRC, can help you strengthen your compliance strategy: