Data Protection Authorities prioritise transparency in 2026: What organisations should do now
- Rock Consultancy

25 February 2026
EDPB’s 2026 enforcement focus means it’s time to revisit your privacy notices—AI use included
Intro
In October 2025, the European Data Protection Board (EDPB) announced that transparency and information obligations under Articles 12–14 GDPR will be the focus of its 2026 Coordinated Enforcement Action (CEA). This means Data Protection Authorities (DPAs) across Europe will be examining how well organisations explain their processing activities to individuals. With transparency already a foundational GDPR principle, this new enforcement priority signals a more intense regulatory spotlight—one that organisations should prepare for now by ensuring their privacy notices are accurate, comprehensive, and adapted to modern technologies such as artificial intelligence.
Details
According to the EDPB, the 2026 enforcement action will see national DPAs scrutinising how controllers communicate with data subjects, with a particular emphasis on clarity, accessibility, and completeness of information. This includes examining whether individuals are told what data is collected, the purposes of processing, the lawful bases relied upon, retention periods, and with whom their data is shared.
The enforcement initiative will follow the EDPB’s established Coordinated Enforcement Framework, whereby national-level investigations are performed in parallel and the results combined for EU‑wide analysis. Past CEA themes—such as cloud use, Data Protection Officers, and data subject rights—have resulted in detailed findings and practical regulatory expectations, and transparency is expected to receive similar attention.
What makes this enforcement cycle particularly significant is the evolving technological landscape. The last few years have seen widespread adoption of AI-driven tools: automated decision-making, machine‑learning personalisation, biometric analysis, and generative AI systems embedded in everyday operations. Yet many organisations have struggled to reflect these practices in their privacy notices. Several DPAs have already indicated that more granular disclosures may be required.
With DPAs likely to issue questionnaires, request documentation, or initiate follow-up investigations, organisations should expect more regulatory contact than usual. The forthcoming transparency-focused CEA may lead to guidance, corrective measures, and—for those with gaps—enforcement action.
Transparency has featured strongly in the work of the Irish Data Protection Commission (DPC). Examples include the DPC’s decision regarding LinkedIn, in which the final decision found an infringement of Article 5(1)(a) GDPR, in that LinkedIn did not meet its transparency obligations in respect of the information it provided to data subjects. This decision is subject to an appeal by LinkedIn. Further, in June 2023 the DPC issued a decision in relation to the Department of Health, which included an infringement of Article 14 GDPR.
Takeaways
Review your privacy notices now. Ensure they fully reflect your current processing activities—including any AI or automated decision‑making systems.
Prioritise clarity and accessibility. The EDPB is focusing on whether individuals can genuinely understand how their data is used.
Update disclosures linked to AI. Clearly explain purposes, data sources, outputs, risks, and human oversight.
Accountability: Maintain clear records of how your organisation complies with its transparency and information obligations.
Further Reading
For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie

