The General Data Protection Regulation reaches its tenth anniversary in 2026, and the European Data Protection Board marked the milestone by reviewing how far the EU’s data protection landscape has evolved since the regulation came into force. The occasion is anything but ceremonial: at the same time, the European Commission’s Digital Omnibus package has put the first substantial GDPR reform proposals on the table, drawing on lessons from a decade of enforcement.

The reform package targets practical pain points. SME relief measures would extend the Records of Processing Activities exemption from organisations under 250 employees to those under 750. Breach notification procedures would be streamlined, and websites would be required to accept and honour universal consent preference signals, a measure that builds on enforcement actions like the French CNIL’s EUR 100 million fine against Google for making cookie rejection harder than acceptance.

Running alongside the GDPR anniversary is the EU AI Act compliance deadline of 2 August 2026 for high-risk AI systems. From that date, additional transparency obligations apply, including disclosure requirements when users interact with AI systems and when AI-generated content is incorporated into products or services. Organisations that have been slow to map their AI deployments against Act obligations are running out of runway.

The convergence of GDPR reform, AI Act enforcement, and an increasingly strict approach to consent and dark patterns means data protection compliance in the second half of 2026 is more complex than at any point in the past decade. If your organisation needs help reviewing its privacy posture or preparing for the AI Act requirements, contact Excello Digital to discuss how we can support your compliance work.