Study finds organisations overconfident in their GDPR risk management positions

A new survey of 198 compliance and data protection professionals conducted by VinciWorks at the end of May 2026 found that artificial intelligence (AI) and automated decision-making (ADM) have become the most significant General Data Protection Regulation (GDPR) challenges, according to 43% of respondents. The emergence of AI-related challenges comes as basic risk management efforts are faltering eight years after the GDPR's introduction.

The findings reveal that 31% of professionals are unaware of when their organisation last reviewed its main GDPR risk assessments, 18% have not conducted a review for over a year, and 5% only perform reviews when prompted. As a consequence, 54% cannot verify the accuracy of their current risk position, despite 70% expressing confidence in their compliance setup. 

Regarding cultural awareness and development, only 22% rate their data protection training as very effective, and 9% have no training protocol in place. A further 52% suggested that training was okay but could be better. 

Training announcement: Freevacy provides comprehensive training for new and existing practitioners on the changes introduced by the DUA Act to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations 2003 (PEC-Regulations). Our courses are always up to date and provide a forum for learning and discussing how to ensure your data protection processes remain compliant. Find out more.