GDPR | March 30, 2026 | 5 min read | Clouderio Team

5 Typical GDPR Mistakes That Businesses Keep Making

From 6 years of GDPR audits — the most common weaknesses that almost every business has. With concrete tips for resolution.

We have conducted many GDPR audits over the past years — from a 5-person tax office to a 200-employee mid-sized company. Remarkably: certain mistakes ALWAYS come up again.

1. "We have the privacy concept from our lawyer — that's fine"

The concept itself is usually OK. The problem: nobody lives it. Employees don't know the requirements, data processing agreements are 3 years old, data protection impact assessments were never updated.

Solution: A quarterly privacy check. No 4-day marathon session is needed; 30 minutes of systematic review is enough.

2. Shadow IT with customer data

Marketing uses Mailchimp, Sales uses HubSpot, someone still has an old Trello account with client notes. Nobody knows who has what data where.

Solution: Tools inventory once a year. Spreadsheet: Tool / Purpose / Data Processed / DPA in place? You will be surprised how much there is.

3. DPAs are signed — but nobody checks them

DPAs are signed when a tool is introduced and never looked at again. But when the provider extends its sub-processing (e.g. a new US data transfer), you only learn of it through an email notice, which nobody reads.

Solution: DPA tracker with renewal dates. For major tools (M365, Salesforce, etc.) explicitly ask about changes.

4. Backups contain deleted data

You received a deletion request, deleted from the production database — done? No. Backups still contain the data for months. In a restore, they come back into the system.

Solution: Deletion concept that includes backups. Typical approach: after 6 months all backups containing the deleted information have expired. Inform the client of this.
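An added example (not code from the article or from Clouderio) of the two checks such a deletion concept needs: a deletion ledger that tells you when a subject's data has expired from every backup, and which deletions must be re-applied after a backup restore. The 180-day retention, the subject identifiers and the ledger entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class DeletionRequest:
    subject_id: str     # internal identifier of the data subject (constructed)
    deleted_on: date    # day the record was deleted from production

# Constructed ledger: every production deletion is recorded here, because the
# production database no longer knows the record existed.
LEDGER = [
    DeletionRequest("cust-0042", date(2026, 1, 10)),
    DeletionRequest("cust-0077", date(2026, 3, 1)),
]

RETENTION_DAYS = 180  # assumed backup retention, roughly the 6 months above

def purge_complete_on(deleted_on: date, retention_days: int = RETENTION_DAYS) -> date:
    """Date by which every backup that could still hold the record has expired.
    The newest backup containing it was taken no later than the deletion day,
    so it is gone once the retention window counted from that day has passed."""
    return deleted_on + timedelta(days=retention_days)

def not_yet_purged(today: date, ledger=LEDGER, retention_days: int = RETENTION_DAYS):
    """Subjects whose deleted data may still sit in unexpired backups."""
    return sorted(r.subject_id for r in ledger
                  if purge_complete_on(r.deleted_on, retention_days) > today)

def reapply_after_restore(restored_ids, backup_taken_on: date, ledger=LEDGER):
    """Subjects that must be deleted again after restoring a backup taken on
    `backup_taken_on`: any deletion executed on or after that day is undone by
    the restore (same-day deletions are treated conservatively as undone)."""
    pending = {r.subject_id for r in ledger if r.deleted_on >= backup_taken_on}
    return sorted(pending & set(restored_ids))
```

Run `reapply_after_restore` as a mandatory step of every restore runbook, and use `not_yet_purged` to answer the "when is it really gone?" question you owe the client.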

5. "Right to information" — no processes

A client asks: "What data do you hold about me?" You have 30 days. But: no process, no template, someone first has to figure out who in your company has what.

Solution: Standard process for data subject rights. Template for information letters + internal checklist of which systems need to be queried.

How we help

Our GDPR audit finds exactly these gaps — structured, documented, with prioritized measures. Fixed price from $1,500 for small setups.

If you just want a quick check on whether you are on the safe side: free 30-minute initial consultation.
