March 2026 - In an increasingly digital and complex data environment, the GDPR continues to play a central role for organisations, even eight years after taking effect. Transparency is once again in the spotlight, with data protection authorities and EU regulatory bodies reinforcing that compliance goes beyond simply informing data subjects, and that organisations are expected to ensure transparency by design and by default.

1. Coordinated enforcement framework

On 19 March, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework action for 2026. Following the 2025 coordinated action on the right to erasure, this year’s initiative focuses on compliance with transparency and information obligations under the GDPR. With 25 data protection authorities (DPAs) across Europe taking part, the initiative further confirms renewed emphasis on this area.

Participating DPAs will carry out focused assessments of whether data controllers comply with their transparency obligations under the GDPR and will soon begin contacting controllers from different sectors across Europe, either through enforcement actions or fact-finding exercises.

2. Digital omnibus

The Digital Omnibus Proposal has already become the subject of debate, with the EDPB and the European Data Protection Supervisor (EDPS) issuing a joint opinion in February 2026 on proposed amendments to the GDPR, also targeting transparency.

The EDPB and the EDPS welcome the objective of simplifying information requirements and reducing administrative burden, in particular for SMEs, including through a derogation from the duty to provide information where the data subject already has that information readily available. At the same time, the EDPB and the EDPS note that the proposal to modify the wording of Article 13(4) of the GDPR may lead to uncertainty and divergent interpretations.

In this context, the EDPB and the EDPS call for clearer definitions of “not data-intensive activity” and “clear and circumscribed relationship”. They also question whether the proposed “reasonable grounds to assume” test would preserve the same level of protection or deliver meaningful simplification, and therefore recommend deleting it.

Moreover, the EDPB and the EDPS recommend specifying that the controller should still be required to provide all information listed in Article 13 of the GDPR at the data subject’s request, and that data subjects should be informed of this possibility.

3. Practical considerations for organisations

Overall, these updates show a clear direction: transparency is not only being revisited at the regulatory level, but also increasingly looked at from an enforcement perspective.

Considering the above, organisations should continue to pay close attention to how they meet their transparency obligations towards data subjects. In practice, this requires moving beyond formal compliance and ensuring that transparency is properly considered across all processing activities (privacy by design and by default).

In particular, organisations may consider the following practical steps:

  • Conduct a targeted GDPR gap analysis, with a specific focus on privacy notices, to ensure that the information provided is accurate, complete, and aligned with actual processing activities (i.e., to ensure consistency across internal documentation, including policies, records of processing activities, and contractual arrangements);
  • Review employee-facing transparency documentation, especially in the context of electronic monitoring, IT usage policies, and workplace surveillance tools (e.g., CCTV, GPS, access cards), where expectations around clarity and proportionality are particularly high (e.g., LIA, specific retention periods, consultation of employee representatives);
  • Reassess website privacy notices and cookie-related policies, ensuring that layered notices are clear, easily accessible, and tailored to the user journey;
  • Ensure consistency across documents, including internal policies, records of processing activities (ROPA), and contractual arrangements;
  • Assess the use of AI-driven tools and automated decision-making processes and ensure that relevant information is clearly reflected in privacy notices and internal policies.