Reading time: 7 minutes
The European Data Protection Board has published its Work Programme for 2026–2027 (hereinafter: the “Programme”), adopted on 11 February 2026, The Programme provides not only strategic directions but also concrete tools to support organisations’ day-to-day compliance. This article summarises the consultation results and the key plans set out in the European Data Protection Board’s Programme.
Background
In its 2024–2027 strategy, the European Data Protection Board identified four interlinked priorities. These include strengthening the consistent application of data protection rules and further priority is deepening supporting organisations in complying with the law. A cooperation among data protection authorities, particularly in cross-border cases. The strategy also emphasises ensuring that data protection is effective in a fast-evolving digital environment affecting multiple regulatory areas, including applications of artificial intelligence. Moreover, the European Data Protection Board aims to actively foster and shape international dialogue on privacy and personal data protection. The Programme supports the implementation of the European Data Protection Board’s 2024–2027 strategy, based on the identified priorities and the most important needs of stakeholders.
Main elements of the programme
The Programme builds on the consistent application of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and sets out the European Data Protection Board’s activities for 2026–2027 along four pillars: harmonisation and compliance, a common culture of enforcement, challenges in the digital regulatory environment, and global data protection dialogue.
Harmonisation and legal clarity
The European Data Protection Board will continue to issue detailed yet accessible guidance on topics considered critical by stakeholders during events and consultations, such as anonymisation and pseudonymisation, data processing based on legitimate interests, “consent or pay” models, and targeted updates on guidance for data protection officers.
The European Data Protection Board also intends to facilitate GDPR compliance with new practical tools, particularly for small and medium-sized enterprises (SMEs), including templates and guidance. To this end, a public consultation was conducted between 5 November and 3 December 2025 to identify which practical templates would most effectively support GDPR compliance.
The consultation highlighted the greatest demand for templates on records of processing activities, data protection impact assessments, legitimate interest assessments, privacy notices, transfer impact assessments, data processing agreements, data breach notification forms, and risk assessment templates. The European Data Protection Board has prioritised three templates in the Programme—legitimate interest assessment, records of processing activities, and privacy notices—to provide consistent, practical support, especially for organisations with limited resources.
In addition, the European Data Protection Board supports controllers and processors in developing and implementing compliance measures, for instance, through opinions on certification schemes, codes of conduct, and accreditation.
Stronger enforcement culture and cooperation
The second pillar aims to ensure consistency in the application and enforcement of the GDPR and to enhance cooperation among its members. The European Data Protection Board will continue to support the development of cooperation and enforcement tools and promote the sharing of expertise. Efforts will also focus on giving greater attention to priority issues and creating consistency.
In line with these objectives, the European Data Protection Board will focus on the consistent application of the GDPR and effective cooperation between authorities. To this end, it will update, among other things, its guidelines on handling cross-border cases, its principles on imposing fines, and its rules on mutual assistance and emergency procedures. As part of its action on the Coordinated Enforcement Framework (CEF), in 2026 it will focus on fulfilling the obligations under Articles 12-14 of the GDPR regarding transparent information, communication and measures for the exercise of data subjects’ rights. Where necessary, it will set up working groups to provide operational platforms for cases requiring cooperation on enforcement matters. To ensure the effective functioning of the consistency mechanism, it will adopt opinions addressed to national supervisory authorities with a view to supporting consistent decision-making.
Data protection at the intersection of digital legislation
The European Data Protection Board’s priority is to ensure coherence across EU digital legislation. In the rapidly evolving technological and market environment, data protection interacts closely with multiple other EU laws, such as the AI Regulation. This increases the importance of consistent interpretation, coordinated action by authorities, and clear guidance. The European Data Protection Board collaborates with other regulators, including competition and consumer protection authorities, to support the new cross-regulatory environment. Key technological topics include generative AI, telemetry and diagnostic data, and blockchain-related data protection issues.
Global data protection dialogue and data transfers
The European Data Protection Board continues to promote global dialogue on privacy and data protection, focusing on international cooperation between its members and third-country authorities, especially those with EU adequacy decisions.
Conclusion: more support, greater legal certainty
A key message of the Programme is that GDPR compliance is not merely a matter of regulatory oversight, but a process that can be actively supported and structured. Templates, harmonised guidance, and enhanced authority cooperation aim to make GDPR application more predictable and practical. At the same time, each organisation must tailor its data processing documents and procedures to its own business processes and risks. The European Data Protection Board seeks to strengthen fundamental rights, support organisational compliance, and ensure that European data protection remains coherent and competitive in a fast-changing digital environment.
Photo source: pexels.com, MART PRODUCTION