Nearly ten years after the GDPR came into force — and despite constant headlines about costly data breaches — many businesses are still making the same preventable mistakes. Since its introduction, regulators in the UK and EU have issued more than £5 billion in fines, most of them stemming from basic compliance failures rather than sophisticated cyberattacks.
It’s clear that data protection is no longer just a compliance checkbox; it’s a fundamental part of responsible corporate governance. Customers, investors, and regulators now expect organisations to treat personal data as carefully as any other high-value asset.
And yet, even with compliance teams, advanced tools, and years of guidance, businesses continue to repeat familiar errors. These missteps aren’t just expensive — they’re avoidable. With the right planning and safeguards, organisations can reduce legal, financial, and reputational risks.
Here are the 10 most common mistakes — and how to avoid them:
1. Treating data protection as an IT-only issue
Data protection spans legal, operational, and cultural responsibilities. Leaving it solely to IT misses crucial governance, contractual, and HR considerations.
2. Poor supplier due diligence
Failing to check a vendor’s security and compliance standards leaves you exposed to their errors. Always include robust data protection clauses in supplier contracts and reserve the right to audit.
3. No documented lawful basis for processing
Whether it’s consent, contractual necessity, or legitimate interest, your legal basis must be clear and recorded — or you risk regulatory action.
4. Outdated privacy notices
If your website, app, or customer portal still uses last year’s privacy statement, you’re waving a red flag to regulators.
5. Weak breach response procedures
Without the ability to detect, assess, and notify within statutory deadlines, you face greater fines and reputational fallout.
6. Over-collecting personal data
More isn’t better. Collecting unnecessary data increases liability. The GDPR’s data minimisation rule is both a principle and a legal requirement.
7. Inadequate access controls
Excessive employee access to sensitive data is one of the leading causes of accidental breaches.
8. Neglecting ongoing staff training
Employees are your first defence — and potentially your weakest link. Provide regular, role-specific training to keep awareness high.
9. Ignoring Subject Access Requests (SARs)
Late or incomplete responses are a regulator’s easiest enforcement win — and a common source of complaints.
10. Failing to embed privacy by design
Leaving privacy considerations until after a project launches almost always leads to costly fixes. Build them in from the start.
Avoiding these mistakes doesn’t just keep regulators at bay — it strengthens your brand, earns customer trust, and can give you a competitive edge.
If your organisation hasn’t reviewed its data protection policies, supplier agreements, or training programmes in the past 12 months, the time to act is now.
📩 Contact us: commercial@berrysmith.com | 📞 02920 345 511