Latest on GDPR: Compliance update March 2026
In this article, we’ll look at what the March 2026 enforcement picture means across a few key areas: proving consent for direct marketing, recurring weaknesses in breach response, new privacy risks tied to AI-generated content, the limits of video surveillance and audio recording, and the broader enforcement trend toward practical, evidence-based compliance.
Direct Marketing Under GDPR: You Need to Be Able to Prove Consent
One of the clearest recent reminders came from Lithuania’s State Data Protection Inspectorate (VDAI). In a case against DirectMarketing OU, the authority upheld a complaint after the company refused to give a data subject a copy of the call recording it relied on as proof that he had agreed to receive direct marketing calls.
The facts matter here. After receiving a marketing call, the individual asked how his personal data had been obtained, what data was being processed, and where the alleged consent came from.
The company said he had taken part in a survey on 9 April 2024 and had agreed to marketing calls, but it still refused to provide the recording. Its argument was that the recording was an internal document and that a name and phone number were not enough to verify identity. VDAI did not accept that position.
The decision is a useful example of how GDPR works in practice, not just on paper:
- Consent must be provable. If consent is your legal basis for direct marketing, you need evidence that shows it was actually obtained.
- The proof needs to hold up under scrutiny. It should be possible to show when consent was collected, through which channel, and what exactly the person agreed to.
- A call recording can be personal data. If consent was obtained during a phone call, that recording may itself fall under GDPR.
- Access rights still apply to consent evidence. Under Article 15(3) GDPR, if a data subject asks for a copy of their personal data, an organization may have to provide the recording it relies on as proof.
- Identity checks have limits. VDAI also pointed to Article 12(6) GDPR, which means extra information to verify identity can only be requested when it is actually necessary and proportionate.
- Calling it an internal document is not enough. If a company is using a record to justify direct marketing, it cannot simply hide behind internal labeling once that proof is challenged.
That is the bigger lesson here. Under GDPR, collecting consent and proving consent are part of the same compliance chain. If the evidence is weak, inaccessible, or treated casually, the legal basis becomes much harder to defend.
For organizations, that usually comes down to a few basics:
- properly documenting how consent is collected,
- keeping records that can actually be retrieved later,
- making sure those records are tied to a clear consent event,
- and having internal procedures for handling access requests without confusion or delay.
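As an added illustration (not code from the article or from CookieScript), here is a minimal consent ledger in Python that stores the elements VDAI expected to see for each consent event: when it was captured, through which channel, the exact wording agreed to, and a retrievable evidence reference. It also shows the two lookups that matter in practice: what evidence justifies a marketing call on a given date, and what a data subject receives under an Article 15(3) access request. The subject id, dates and evidence ids are constructed sample values.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str           # what the person agreed to, e.g. "marketing_calls"
    captured_at: datetime  # when consent was collected
    channel: str           # through which channel, e.g. "phone_survey"
    statement: str         # the exact wording presented to the person
    evidence_ref: str      # id of the artefact backing the record (recording, banner log)

@dataclass
class ConsentLedger:
    """Append-only store of consent events and withdrawals, keyed by data subject."""
    events: list = field(default_factory=list)
    withdrawals: dict = field(default_factory=dict)  # (subject_id, purpose) -> datetime

    def record(self, ev: ConsentEvent) -> None:
        # A record with no retrievable evidence artefact cannot be defended later.
        if not ev.evidence_ref:
            raise ValueError("consent event must reference its evidence")
        self.events.append(ev)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> None:
        self.withdrawals[(subject_id, purpose)] = when

    def proof_of_consent(self, subject_id, purpose, at) -> Optional[ConsentEvent]:
        """Return the consent event that justified `purpose` at time `at`, or None."""
        withdrawn = self.withdrawals.get((subject_id, purpose))
        if withdrawn is not None and withdrawn <= at:
            return None
        valid = [e for e in self.events
                 if e.subject_id == subject_id and e.purpose == purpose and e.captured_at <= at]
        return max(valid, key=lambda e: e.captured_at) if valid else None

    def access_copy(self, subject_id) -> list:
        """Everything held about the subject, evidence references included (Article 15(3))."""
        return [asdict(e) for e in self.events if e.subject_id == subject_id]

# Constructed sample data: survey consent on 9 April 2024, backed by a call recording,
# later withdrawn on 1 July 2024.
ledger = ConsentLedger()
ledger.record(ConsentEvent("subject-1", "marketing_calls", datetime(2024, 4, 9, tzinfo=UTC),
                           "phone_survey", "I agree to receive marketing calls", "call-rec-0001"))
ledger.withdraw("subject-1", "marketing_calls", datetime(2024, 7, 1, tzinfo=UTC))

def evidence_for_call(subject_id: str, purpose: str, y: int, m: int, d: int) -> Optional[str]:
    """Evidence id the caller must be able to produce for a call on that date, or None."""
    ev = ledger.proof_of_consent(subject_id, purpose, datetime(y, m, d, tzinfo=UTC))
    return ev.evidence_ref if ev else None

def subject_access_request(subject_id: str) -> list:
    """Handler for an Article 15 request: returns the subject's records, evidence refs included."""
    return ledger.access_copy(subject_id)
```

If `evidence_for_call` returns None for the date of a call, the organization has no provable basis for that call and the record should be treated as a gap rather than argued around.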
GDPR Breach Trends Show Where Organizations Still Fail
If you strip away the legal language, a lot of GDPR breaches still come from very ordinary failures. Someone sends data to the wrong place. A security issue is spotted too late. An incident gets stuck between teams while the reporting clock keeps running.
That is pretty much what VDAI’s 2025 personal data breach statistics show. The authority recorded 223 breach notifications affecting 1,249,409 data subjects. 58% were tied to human error. Another 29% came from cybersecurity incidents. And only 63% were reported within GDPR’s 72-hour deadline.
None of that points to some exotic compliance problem. It points to basics that still go wrong:
- Human error is still doing a lot of damage. Training, access discipline, and everyday handling of personal data still matter more than many teams like to think.
- Cybersecurity incidents remain a major part of the picture. GDPR compliance is not separate from security. Weak systems and weak controls show up fast in breach statistics.
- Late reporting is still a problem. When only 63% of breaches are reported on time, it usually means the issue was not escalated quickly enough or nobody was fully clear on who had to act.
The takeaway is not complicated: breach readiness is still an operational issue. Policies matter, of course, but they do not help much when staff are undertrained, responsibilities are blurry, or incident response slows down at the exact moment it needs to move. In practice, that is where many organizations still fail.
AI-Generated Images Are Creating New Privacy Risks
AI-generated images and videos are no longer just a technology story. Privacy regulators are starting to treat them as a real data protection issue too.
That was the message behind a recent joint statement backed by the European Data Protection Board (EDPB) and coordinated by the Global Privacy Assembly’s International Enforcement Cooperation Working Group. It was signed by 61 data protection authorities, which already tells you this is not being treated as a niche concern.
The issue is fairly easy to see. AI tools can now generate realistic images and videos of identifiable individuals without their knowledge or consent. That changes the privacy discussion quite a bit. The risk is no longer limited to how data is collected or stored. It also extends to how a person’s likeness can be recreated, manipulated, or misused.
The statement highlights several obvious risk areas:
- non-consensual intimate images
- defamatory content
- other harmful AI-generated media involving identifiable individuals
The concerns become even sharper when children or other vulnerable groups are involved. The statement specifically points to risks such as cyberbullying and exploitation, which makes this more than a general AI ethics discussion. It is a practical privacy issue.
For organizations developing or using these systems, the message is not especially subtle. The statement calls for:
- strong safeguards
- meaningful transparency
- accessible mechanisms for protecting data subject rights
- proper assessment of risks to children and other vulnerable groups
What makes this relevant for businesses is how quickly these tools are becoming mainstream. AI image and video features are already appearing in widely used platforms, which lowers the barrier to creating synthetic content involving real people.
The broader takeaway is simple enough: once AI-generated content can convincingly depict real individuals, privacy risk moves much closer to the center. For organizations, that means consent, transparency, and data subject rights cannot be bolted on later. They need to be part of the system from the start.
Video Surveillance and Audio Recording Under GDPR: Key Compliance Lessons
A recent enforcement case out of Lithuania is a good reminder that surveillance under GDPR is not automatically a problem — but overdoing it is.
In February 2026, VDAI fined Biržai Hospital €6,000 after finding that some of its monitoring practices went too far. The authority accepted video surveillance in common areas such as entrances, corridors, and the lobby as lawful for safety purposes.
But it drew the line at cameras in operating theatres, emergency examination rooms, and the geriatric day-care unit, where monitoring captured patient examination areas and staff workplaces. In those spaces, privacy interests outweighed the hospital’s justification.
The audio recording point is just as important. VDAI found that recording sound inside the hospital, including in operating theatres, was not necessary for safety or work organization and created an obvious risk of capturing sensitive health data.
The case also flagged some very practical GDPR failures:
- retention periods were unclear and excessive
- access to recordings was not properly controlled
- the hospital did not fully cooperate during the investigation
There is also a broader compliance point here. Under Article 35 GDPR, a DPIA is mandatory where processing is likely to create a high risk to people’s rights and freedoms — for example, in cases of systematic monitoring, employee monitoring, or health data processing. The March review also notes that failing to carry out a DPIA where it is required is itself a GDPR violation.
The lesson is fairly straightforward: surveillance may be lawful, but only where it is necessary, proportionate, and tightly controlled. Once monitoring becomes intrusive, poorly justified, or badly governed, the GDPR risk rises fast.
What Privacy Regulators Are Focusing On
If you want a quick read on where enforcement is heading, VDAI’s priorities are useful. Not because they predict everything, but because they show what regulators are choosing to look at right now.
VDAI plans to carry out:
- 15 scheduled inspections
- 10 monitoring activities
- 15 follow-up reviews in organizations where earlier deficiencies were found or corrective measures were ordered
The monitoring side is especially telling. VDAI says it will focus on technical and organisational security measures, including:
- access rights management
- backup procedures for information, software, and systems
- event logging and audit logs
That is the part worth paying attention to. These are not broad policy questions. They are the controls that show whether an organization can actually manage access, recover data, and trace what happened inside its systems. VDAI also plans to check whether organizations really implemented earlier instructions, which matters just as much as the initial inspection.
So the message here is not abstract. In March 2026, regulators are spending time on the parts of GDPR compliance that leave evidence behind: who had access, whether systems were backed up, whether logs were kept, and whether old gaps were actually fixed.
If your compliance setup still depends too heavily on policies alone, this is the year to check the basics — access controls, backups, logs, and whether previous remediation work was fully carried through.
How a CMP Helps Organizations Stay GDPR-Compliant
At this point, the pattern is pretty clear: a lot of GDPR risk shows up when consent is hard to prove, disclosures drift out of date, or the website changes faster than compliance settings do. That is the gap a Consent Management Platform (CMP) is meant to close.
With CookieScript, the most relevant value is not just showing a banner. It is making consent management easier to run, review, and keep consistent over time.
For proof of consent and accountability:
- User consents recording helps keep a usable record of consent choices.
- Advanced reporting gives teams a clearer view of consent activity for audit and compliance checks.
For clearer user choice and transparency:
- Cookie Banner helps present consent choices in a visible, structured way.
- Support for 42 languages makes that experience easier to localize for different audiences.
- geo targeting helps show the right consent setup based on the user’s location.
- Cookie Banner sharing can help keep consent experiences consistent across multiple websites.
For keeping the setup accurate over time:
- Cookie Scanner helps identify cookies and tracking technologies on the site.
- Automatic monthly scans reduce the risk of the setup going stale as new scripts are added.
- Automatic script blocking and Third-party cookie blocking help control what runs before consent is given.
For ad tech and measurement environments:
- Google Consent Mode v2 helps align consent choices with Google’s advertising and analytics ecosystem.
- IAB TCF 2.3 integration is relevant for organizations working within broader ad tech frameworks.
For supporting documentation:
- the Privacy Policy Generator can help teams create or update privacy disclosures,
- and the Cookie Policy Generator helps keep cookie-related disclosures aligned with what is actually in use.
A CMP will not fix every GDPR problem on its own. But it does make one of the most operational parts of compliance — collecting consent, storing records, keeping disclosures current, and managing changes over time — much easier to handle without chaos.
CookieScript is a Google-certified CMP and is currently included in Google’s Gold tier. It is also among the more affordable options on the market, with pricing starting at €8 per domain per month for basic features and €19 per domain per month for full compliance.
Conclusion
The bigger picture here is pretty simple: regulators are paying less attention to polished compliance language and more attention to what companies can actually prove.
If consent records are messy, breach response is slow, or intrusive monitoring is poorly justified, that is where things start to unravel. The same goes for AI tools — this is one of those areas where moving fast without thinking through privacy risks is just asking for trouble.
Frequently Asked Questions
How do I keep up with GDPR changes in 2026?
The main themes worth watching are pretty practical: proving consent, handling data subject requests properly, tightening breach response, being careful with surveillance, and paying more attention to privacy risks around AI. In other words, regulators are looking less at what companies say in policies and more at what they can actually show in practice. That is where tools like CookieScript can help on the consent side, especially with User consents recording, Advanced reporting, Cookie Scanner, and Automatic monthly scans, which make it easier to keep consent management organized over time.
How can I prove consent for direct marketing?
You need more than a general claim that consent was collected. You should be able to show when it was given, how it was obtained, and what the person agreed to. That is exactly why having a usable record matters. CookieScript helps here with User consents recording, Advanced reporting, and cookie banner, which make consent easier to collect, store, and review later if questions come up.
What causes most GDPR breaches right now?
A lot of them still come down to basics: human error, cybersecurity incidents, and late reporting. That is what makes breach trends so frustrating — the weak spots are often familiar. CookieScript is not a full breach response tool, but it can help reduce one part of the mess by giving teams better visibility into tracking technologies through Cookie Scanner, Automatic monthly scans, Automatic script blocking, and Third-party cookie blocking. That makes it easier to keep unnecessary or risky scripts under control.
When do I actually need a DPIA under GDPR?
Usually when processing is likely to create a high risk to people’s rights and freedoms. That can include systematic monitoring, intrusive surveillance, employee monitoring, or processing that involves health data or other sensitive data. A DPIA is really about spotting the privacy risk before the setup goes live. On the website compliance side, CookieScript can support that process by making tracking more visible through Cookie Scanner, Automatic monthly scans, and clearer disclosures through the Privacy Policy Generator and Cookie Policy Generator.
What are regulators checking most in 2026?
A lot of attention is going to the operational side of compliance: access controls, backups, audit logs, and whether earlier compliance issues were actually fixed. That tells you what regulators care about right now — not just policy wording, but whether controls are in place and working. For consent and transparency, CookieScript helps with the kind of evidence regulators expect to see, especially through User consents recording, Advanced reporting, geo targeting, and cookie banner sharing across multiple sites.
Can AI-generated images create GDPR problems?
Yes, especially when they involve identifiable individuals who were depicted without their knowledge or consent. The risk gets even more serious when children or other vulnerable groups are involved. CookieScript does not solve AI governance on its own, but it can help with the transparency and consent layer around embedded third-party tools through cookie banner, GEO targeting, Automatic script blocking, and clear disclosures generated with the Privacy Policy Generator and Cookie Policy Generator. That at least helps organizations stay clearer about what is running on the site and what users are agreeing to.