This article presents an analysis of data protection authorities’ (DPAs) enforcement actions undertaken since the implementation of the General Data Protection Regulation (GDPR) in May 2018. The analysis shows that corporations fail to adopt transparent data processing practices and appropriate technical and organisational measures to secure personal data. By focusing on two specific DPAs, the Spanish AEPD and the British ICO, we make practical suggestions on how to foster the healthy development of the European digital ecosystem and the deployment of trustworthy artificial intelligence in big data environments in the face of growing cybersecurity risks.