GDPR Five Years On: Common Mistakes We Still See

5 min read
GDPR, Privacy, Compliance

The General Data Protection Regulation has been in effect since May 2018, yet the same compliance failures appear repeatedly across the organisations we work with. These are not obscure technical violations. They are fundamental gaps in how organisations handle personal data, and they represent real regulatory risk. The ICO has shown increasing willingness to issue fines and enforcement notices, and the organisations most at risk are those that treated GDPR as a one-time project rather than an ongoing obligation.

The most common mistake is relying on consent as the lawful basis when another basis, usually legitimate interest or contractual necessity, would be more appropriate. Many organisations implemented consent mechanisms everywhere because it felt safer, without conducting the three-part test (purpose, necessity and balancing) that legitimate interest requires. The result is consent fatigue for users, operational complexity for the business, and a fragile compliance position that collapses when someone withdraws consent for processing that is actually necessary to perform the contract: the processing has to continue, but the only basis the organisation ever documented for it has just disappeared. The move has to be made carefully, though. Some processing, such as setting non-essential cookies and similar tracking under PECR, still requires consent and cannot be shifted to legitimate interest.

GDPR is not a one-time project. It is a continuous obligation that must be embedded in how your organisation operates.

Data retention is the second persistent failure. Organisations defined retention policies in 2018 but never implemented the automated deletion processes to enforce them. Years later, databases contain personal data far beyond its stated retention period, which breaches the storage limitation principle in Article 5(1)(e) regardless of how good the policy document looks. This is not just a compliance risk; it is a security risk. Data you no longer need but still store is data that can be breached, and it will appear in the scope of any incident you later have to report. We help clients implement automated retention enforcement that purges data according to their stated policies. That enforcement has to reach every copy: replicas, exports, analytics stores and backups either fall under the same job or have a documented reason and schedule of their own, otherwise "deleted" data quietly persists.
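As an added illustration of what automated retention enforcement looks like in practice, here is a small Python retention job written for this article (it is example code, not a client implementation). It is driven by a schedule of rules, runs in dry-run mode first, never touches rows under legal hold or rows whose retention clock has not started, deletes in batches, and writes an audit record of counts rather than of the data itself. The table names, the `legal_hold` column, the sample rows and the retention periods are assumptions made for the example; in a real deployment the schedule comes from the retention periods recorded in your ROPA.

```python
import re
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule: which table, which timestamp
    starts the clock, and how long the data may be kept."""
    table: str
    timestamp_col: str
    retention_days: int
    purpose: str


# Hypothetical schedule: table names, columns and periods are illustrative.
RULES = (
    RetentionRule("support_tickets", "closed_at", 365, "customer support"),
    RetentionRule("marketing_leads", "last_contact_at", 730, "direct marketing"),
)

# Fixed "now" so the example is deterministic; a real job uses the current time.
NOW = datetime(2023, 5, 25, tzinfo=timezone.utc)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ts(days_ago: int) -> str:
    """ISO-8601 UTC timestamp; one consistent format keeps string comparison correct."""
    return (NOW - timedelta(days=days_ago)).isoformat()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory data set standing in for a production database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE support_tickets (
            id INTEGER PRIMARY KEY, email TEXT, closed_at TEXT, legal_hold INTEGER DEFAULT 0);
        CREATE TABLE marketing_leads (
            id INTEGER PRIMARY KEY, email TEXT, last_contact_at TEXT, legal_hold INTEGER DEFAULT 0);
        CREATE TABLE retention_audit (
            run_at TEXT, table_name TEXT, purpose TEXT, cutoff TEXT, rows_affected INTEGER, dry_run INTEGER);
    """)
    conn.executemany("INSERT INTO support_tickets VALUES (?,?,?,?)", [
        (1, "a@example.com", _ts(400), 0),  # past the 365-day period: delete
        (2, "b@example.com", _ts(400), 1),  # past the period but under legal hold: keep
        (3, "c@example.com", _ts(30), 0),   # within the period: keep
        (4, "d@example.com", None, 0),      # still open, clock has not started: keep
    ])
    conn.executemany("INSERT INTO marketing_leads VALUES (?,?,?,?)", [
        (1, "e@example.com", _ts(800), 0),  # past the 730-day period: delete
        (2, "f@example.com", _ts(100), 0),  # within the period: keep
    ])
    conn.commit()
    return conn


def _check_identifiers(conn: sqlite3.Connection, rule: RetentionRule) -> None:
    """Rules come from config, and identifiers cannot be bound as SQL parameters,
    so validate them against the real schema before interpolating into a query."""
    for name in (rule.table, rule.timestamp_col):
        if not IDENT.match(name):
            raise ValueError(f"invalid identifier in retention rule: {name!r}")
    cols = {row[1] for row in conn.execute(f'PRAGMA table_info("{rule.table}")')}
    if not cols:
        raise ValueError(f"unknown table in retention rule: {rule.table}")
    if rule.timestamp_col not in cols or "legal_hold" not in cols:
        raise ValueError(f"{rule.table}: needs columns {rule.timestamp_col} and legal_hold")


def enforce_retention(conn, rules=RULES, now=NOW, dry_run=True, batch_size=500) -> dict:
    """Delete (or, in dry-run mode, only count) rows whose retention period has
    expired. Rows under legal hold and rows with a NULL timestamp are never
    touched. Returns {table: rows affected} and records the same in the audit table."""
    summary = {}
    for rule in rules:
        _check_identifiers(conn, rule)
        cutoff = (now - timedelta(days=rule.retention_days)).isoformat()
        where = (f'"{rule.timestamp_col}" IS NOT NULL AND "{rule.timestamp_col}" < ? '
                 f'AND legal_hold = 0')
        affected = conn.execute(
            f'SELECT COUNT(*) FROM "{rule.table}" WHERE {where}', (cutoff,)).fetchone()[0]
        if not dry_run:
            deleted = 0
            while True:  # batched deletes keep locks and transaction size small
                cur = conn.execute(
                    f'DELETE FROM "{rule.table}" WHERE rowid IN '
                    f'(SELECT rowid FROM "{rule.table}" WHERE {where} LIMIT ?)',
                    (cutoff, batch_size))
                conn.commit()
                deleted += cur.rowcount
                if cur.rowcount < batch_size:
                    break
            affected = deleted
        # Audit counts and cutoffs only; the audit log must not become another copy of the data.
        conn.execute("INSERT INTO retention_audit VALUES (?,?,?,?,?,?)",
                     (now.isoformat(), rule.table, rule.purpose, cutoff, affected, int(dry_run)))
        conn.commit()
        summary[rule.table] = affected
    return summary


if __name__ == "__main__":
    db = build_sample_db()
    print("dry run:", enforce_retention(db, dry_run=True))
    print("enforced:", enforce_retention(db, dry_run=False))
```

Run the dry run first and compare the counts with what the retention schedule predicts; a count that is far higher than expected usually means the clock column is wrong (for example `created_at` where the policy says the period starts at account closure). The job as written only covers the primary database; the same rules have to be applied to, or explicitly excluded for, replicas, exports and backups.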

The Persistent Mistakes

Records of processing activities (ROPA), required under Article 30, are frequently incomplete or outdated. They should reflect every processing activity the organisation performs, including the purposes, categories of data subjects and data, recipients, international transfers, retention periods, and the technical and organisational security measures applied. In practice, we find that records created in 2018 have not been updated to reflect new products, new data flows, or new third-party processors. An outdated ROPA is almost as bad as no ROPA at all: it cannot be used to answer a subject access request, to drive retention enforcement, or to show a regulator that you know what you process.

Subject access requests continue to cause problems, particularly around the one-month response deadline. The deadline can be extended by up to two further months for complex or numerous requests, but only if the requester is told within the first month, so an organisation that only notices the problem in week five has already missed it. Organisations without a defined SAR process often scramble to locate data across multiple systems, leading to missed deadlines and incomplete responses. An effective SAR process requires knowing where personal data is stored across all systems (which is exactly what a current ROPA gives you), having a defined workflow for receiving, verifying, triaging, and responding to requests, and allocating the resources to handle requests within the statutory timeframe.

  • Review lawful bases for each processing activity, moving from consent to legitimate interest where appropriate
  • Implement automated data retention enforcement to match your stated policies
  • Update records of processing activities whenever new data flows are introduced
  • Establish a defined SAR process with clear ownership and response workflows
  • Conduct regular data protection audits rather than relying on the 2018 baseline
  • Embed privacy by design into your development and product processes

The fix for all of these issues is the same: embed data protection into your operational processes rather than treating it as a separate compliance function. Privacy by design means considering data protection implications when building new systems. Regular audits of processing activities keep your records current. Automated retention enforcement removes the reliance on manual deletion. These practices make compliance a natural outcome of good operations rather than a separate burden.
