Even years after the GDPR came into force, many companies make serious data protection mistakes. We present the 15 most common violations and how to remedy them in a legally compliant manner.
Table of Contents
- Data Protection Is Not a Project but an Ongoing Obligation
- The 15 Most Common GDPR Mistakes
- Mistake 1: Missing or Incomplete Privacy Policy
- Mistake 2: Non-Compliant Consent Management
- Mistake 3: Missing or Deficient Data Processing Agreements (DPA)
- Mistake 4: Missing Record of Processing Activities
- Mistake 5: Inadequate Handling of Employee Data
- Mistake 6: No Data Protection Impact Assessment (DPIA)
- Mistake 7: Unlawful Data Transfers to Third Countries
- Mistake 8: Inadequate Technical and Organisational Measures (TOMs)
- Mistake 9: No Procedure for Data Breaches
- Mistake 10: Disregard of Retention and Deletion Periods
- Mistake 11: Failure to Respond to Data Subject Requests
- Mistake 12: Missing or Unqualified Data Protection Officer
- Mistake 13: Neglecting Data Protection in Marketing Activities
- Mistake 14: No Data Protection Training for Employees
- Mistake 15: Data Protection Not Considered in Projects (Privacy by Design)
- Realistically Assessing Fine Risks
- Conclusion: Data Protection as a Competitive Advantage
Data Protection Is Not a Project but an Ongoing Obligation
The General Data Protection Regulation (GDPR) has applied directly in all EU Member States since May 2018. Nevertheless, the audit reports of supervisory authorities paint a sobering picture: many companies, particularly in the SME sector, show significant deficiencies in implementation. Fines continue to rise. In Germany alone, data protection authorities imposed fines in the tens of millions of euros in 2024.
The good news: most mistakes are avoidable if you know the typical pitfalls and address them systematically. Below, we present the 15 most common GDPR mistakes and show concrete solutions.
The 15 Most Common GDPR Mistakes
Mistake 1: Missing or Incomplete Privacy Policy
Every website, app and online form requires a complete privacy policy pursuant to Art. 13 and 14 GDPR. Common deficiencies include missing details of the controller, incomplete listing of processing purposes or outdated legal bases.
Solution: Review your privacy policy at least every six months. Each new processing activity, such as a new analytics tool or newsletter service, must be included promptly.
Mistake 2: Non-Compliant Consent Management
Cookie banners that only display an "Accept All" button or use pre-ticked checkboxes violate the GDPR and the TDDDG (formerly TTDSG). Supervisory authorities and courts are increasingly taking action against so-called "dark patterns".
Solution: Implement a consent management platform (CMP) such as Usercentrics, Cookiebot or Borlabs Cookie that offers equally prominent options to accept and to reject. Verify that no tracking cookies are actually set before consent is given, rather than relying on the banner alone.
Mistake 3: Missing or Deficient Data Processing Agreements (DPA)
Every service provider that processes personal data on your behalf requires a data processing agreement pursuant to Art. 28 GDPR. This includes cloud providers, IT service providers, payroll bureaux, newsletter services and many more.
Solution: Create a complete list of all processors. Check whether an effective DPA is in place for each one. Many providers offer standardised DPAs, which you should nevertheless review against your specific requirements.
Mistake 4: Missing Record of Processing Activities
The record of processing activities (ROPA) pursuant to Art. 30 GDPR is mandatory for virtually all companies. It documents all data processing operations and forms the basis for demonstrating data protection compliance.
Solution: Create a structured ROPA containing at least the following information: name of the processing activity, purpose, categories of data subjects and data, recipients, transfers to third countries, retention periods and technical and organisational measures. Update it whenever changes occur.
Mistake 5: Inadequate Handling of Employee Data
The processing of employee data is subject to strict requirements under § 26 BDSG. Common mistakes include the private use of messenger services for business communication, unlawful monitoring of emails or missing consents for employee photos on the website.
Solution: Prepare an internal policy on data processing in the employment relationship. Clearly regulate the use of IT systems and obtain effective consents for non-essential processing activities.
Mistake 6: No Data Protection Impact Assessment (DPIA)
A DPIA pursuant to Art. 35 GDPR is mandatory for processing activities that pose a high risk to the rights and freedoms of natural persons. Supervisory authorities have published so-called positive lists identifying specific processing operations for which a DPIA must be conducted.
Solution: Check against the positive list of your competent supervisory authority whether a DPIA is required for your processing activities. This is typically the case for video surveillance, scoring procedures or extensive profiling.
Mistake 7: Unlawful Data Transfers to Third Countries
The transfer of personal data to countries outside the EEA requires special safeguards. Even after the "Schrems II" ruling and the adoption of the EU-US Data Privacy Framework, significant uncertainties persist, particularly regarding the use of US cloud services.
Solution: Document the legal basis for each third-country transfer. Use the EU Standard Contractual Clauses in their current version and conduct a Transfer Impact Assessment (TIA) for each transfer.
Mistake 8: Inadequate Technical and Organisational Measures (TOMs)
Art. 32 GDPR requires the implementation of appropriate TOMs. Many companies have no documented IT security policy, use insecure passwords or fail to encrypt sensitive data.
Solution: Document your TOMs comprehensively and update the documentation regularly. Minimum requirements include: access and entry controls, encryption, pseudonymisation where possible, regular backups and an authorisation concept.
Mistake 9: No Procedure for Data Breaches
Pursuant to Art. 33 GDPR, data breaches must be reported to the supervisory authority within 72 hours. Many companies have neither a detection system nor a defined reporting procedure.
Solution: Establish a data breach response plan. Define who is to be informed internally, who submits the report to the supervisory authority and how data subjects are notified pursuant to Art. 34 GDPR. Practise the process at least once a year.
Mistake 10: Disregard of Retention and Deletion Periods
The GDPR requires the deletion of personal data once the processing purpose has ceased (Art. 17 GDPR). At the same time, statutory retention obligations exist, for example under HGB and AO. This tension is a frequent source of error.
Solution: Prepare a deletion concept that takes all relevant retention periods into account. Implement automated deletion routines in your IT systems and document the deletion processes.
Mistake 11: Failure to Respond to Data Subject Requests
Requests under Art. 15-22 GDPR (access, rectification, erasure, data portability) must be answered within one month. Many companies have no defined process and miss the deadlines.
Solution: Establish a standardised process for handling data subject requests. Prepare response templates and train your employees in recognising and forwarding such requests.
Mistake 12: Missing or Unqualified Data Protection Officer
Companies with at least 20 persons constantly engaged in automated data processing must appoint a data protection officer (DPO) pursuant to § 38 BDSG. The DPO must possess the requisite expertise.
Solution: Verify whether your company is subject to the appointment obligation. Consider whether an internal or external DPO is more appropriate for your situation. Ensure the DPO receives the necessary independence and resources.
Mistake 13: Neglecting Data Protection in Marketing Activities
Email marketing without effective consent (double opt-in), unlawful tracking or the purchase of address lists remain widespread violations.
Solution: Implement a legally compliant double opt-in procedure for newsletters. Document all consents in an audit-proof manner and provide a simple unsubscribe mechanism.
Mistake 14: No Data Protection Training for Employees
The best technical measures are of little use if your employees are not aware of the risks. Misdirected emails, insecure passwords and social engineering attacks are frequent causes of data breaches.
Solution: Conduct mandatory data protection training at least once a year. Supplement this with regular briefings on current threats and new requirements.
Mistake 15: Data Protection Not Considered in Projects (Privacy by Design)
Art. 25 GDPR requires data protection by design and by default. New IT systems, apps or processes must be designed in a data-protection-compliant manner from the outset.
Solution: Integrate a data protection review into your project planning process. Involve your DPO early in new initiatives and document the data protection decisions taken.
Realistically Assessing Fine Risks
The GDPR permits fines of up to 20 million euros or four per cent of annual worldwide turnover, whichever is higher. In practice, supervisory authorities scale fines according to the severity of the violation:
- Low fines (1,000-50,000 euros): Formal violations such as a missing ROPA or incomplete privacy policies.
- Medium fines (50,000-500,000 euros): Missing DPAs, inadequate TOMs or delayed notifications.
- High fines (from 500,000 euros): Systematic violations, unlawful data transfers or disregard of supervisory authority orders.
Conclusion: Data Protection as a Competitive Advantage
GDPR compliance is not a one-off exercise but an ongoing process that must be embedded in the corporate culture. Companies that take data protection seriously benefit from increased customer trust, reduced liability risks and a genuine competitive advantage.
The team at compleneo supports you in the systematic review and optimisation of your data protection measures. Whether gap analysis, implementation of a data protection management system or training of your employees: we accompany you in a practical and solution-oriented manner.