Most GDPR (General Data Protection Regulation) breaches arise from everyday slip-ups, such as missing DSAR (data subject access request) deadlines, picking the wrong lawful basis for processing, failing to enforce retention periods, keeping inadequate records or misreporting incidents.
However, fall short of your compliance obligations – for whatever reason – and you face complaints, investigations, reputational harm, legal action and regulatory enforcement, including fines of up to £17.5 million under the UK GDPR or €20 million under the EU GDPR, or 4% of your annual global turnover – whichever is greater.
This blog post sets out five common GDPR compliance mistakes and their business impact, and explains how GDPR Foundation training gives your staff the practical tools they need to fix them – fast.
Common mistakes and quick fixes
| Mistake | Risk/impact | How training fixes it |
| --- | --- | --- |
| Mishandling DSARs (late, over-disclosing, under-scoping). | Complaints, ICO scrutiny, reputational damage. | Step-by-step DSAR process, scope checks, redaction and deadlines – with practical examples and signposting to templates. Covers the “reasonable and proportionate” search standard introduced by the DUAA. |
| Using the wrong lawful basis for marketing/ops. | Unlawful processing, complaints, list remediation. | Decision logic for lawful bases and consent vs legitimate interests – including the new “recognised legitimate interests” route (where applicable) and how it differs from EU GDPR. |
| Ignoring retention or “keep everything” habits. | Over-retention risk, bigger breach impact, inefficiency. | Build retention schedules and destruction routines aligned with business needs and audits; show evidence for routine deletions. |
| Failing to document decisions (ROPAs, DPIAs, guidance). | Can’t evidence compliance; audit pain. | Workable records, DPIAs and change logs that stand up to challenge. Note: the DUAA doesn’t remove ROPA/DPIA obligations. |
| Mishandling breach reporting (late or over-/under-reporting). | Regulator issues, reputational damage. | Incident triage, thresholds, timelines and communications – practice drills and templates. |
Let’s look at each of those mistakes in more detail.
1) DSAR mismanagement
What happens in the real world
- Requests are logged late or not logged at all.
- Identity checks are skipped.
- Teams scope too narrowly and miss systems such as shared drives, archives and SaaS (software-as-a-service) tools.
- Exports include unredacted third-party data.
- Deadlines are missed or holding responses are vague and untracked.
Risk and impact
- Risk of customer complaint and regulator attention.
- Staff and customer trust erodes.
- Costs rise as teams rework disclosures.
- Legal risk increases if special category or confidential data is exposed.
DUAA (Data (Use and Access) Act 2025) update
Owing to the DUAA’s amendments to UK data protection law, searches for DSARs should now be “reasonable and proportionate”, reducing pressure to run exhaustive trawls – but decisions must be justified and recorded. This does not shorten the one-month response deadline.
Training fix
GDPR Foundation training provides a clear DSAR playbook: triage → identity check → scope → collect → review → redact → respond.
Trainees learn proportionate search criteria, redaction rules and how to use extensions where justified – with worked examples and template signposting to put into practice straight away.
2) Wrong lawful basis (especially marketing)
What happens in the real world
- Teams default to consent when legitimate interests would be a more suitable lawful basis for processing.
- PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) nuances on electronic marketing are missed.
- Historic lists lack robust consent records.
- Privacy notices and recorded customer contact preferences drift out of alignment with actual practice.
Risk and impact
- Processing may be unlawful.
- Complaints follow.
- Lists need remediation or rebuilds.
- The brand takes a hit if customers feel misled.
- Internal friction grows between Marketing, Legal and Customer Services.
DUAA update
The DUAA introduces a list of recognised legitimate interests – situations where organisations can rely on legitimate interests without performing a balancing test. These include safeguarding vulnerable individuals, detecting and preventing crime, and maintaining the integrity of democratic processes.
Training fix
The course uses decision trees and live scenarios – customer acquisition, events, B2B outreach, product updates, service communications – to help you pick the right lawful basis for processing, apply PECR rules by channel and document outcomes.
3) Retention periods ignored
What happens in the real world
- “Save it just in case” becomes the norm.
- Parallel copies of personal data sit in email, chat, shared drives and backups.
- Legacy systems hold data with no clear owner.
- Disposal jobs are manual and irregular.
- Project teams store data sets beyond their purpose.
Risk and impact
- Over-retention enlarges the radius of any breach and increases discovery costs.
- Storage sprawl wastes money and complicates audits.
- Individuals’ data is kept on file longer than necessary, increasing risk.
Training fix
GDPR Foundation training walks you through building a practical retention schedule – mapping datasets, purposes and lawful bases for processing to justified periods, with destruction routines that fit business as usual. It shows how to align IT, HR, Legal and business units around deletion triggers and how to evidence routine disposals.
4) Poor documentation and accountability
What happens in the real world
- ROPAs are incomplete or outdated.
- DPIAs are triggered late or treated as a formality rather than informing process development.
- Policy changes are made but not properly logged.
- Local guidance sits in emails and chats, not in a controlled library.
- Third-party processing decisions are poorly recorded.
Risk and impact
- When challenged, the organisation cannot evidence compliance at audit.
- Partners and regulators lose confidence.
- Staff follow inconsistent guidance.
DUAA update
The DUAA relaxes the UK GDPR’s restrictions on decisions made solely by automated means, allowing them to be used under all lawful bases where “appropriate safeguards” are implemented. This change doesn’t apply to special category data.
Training fix
The course makes documentation workable: ROPA essentials, DPIA triggers and approvals, and lightweight change logs to keep policies and guidance current.
Learners practise turning real decisions into short, structured entries that can be retrieved and defended.
5) Breach reporting errors
What happens in the real world
- Incidents are misclassified.
- Teams over- or under-report.
- Internal notifications are ad hoc.
- The 72-hour notification window is misunderstood.
- Communications to affected individuals are unclear or inconsistent with legal duties.
- Root-cause analysis is skipped once systems are back online.
Risk and impact
- Late or inaccurate reporting invites regulatory scrutiny.
- Poor communications damage trust and prolong negative media cycles.
- Recurrence increases if lessons are not learned and acted on.
Training fix
Trainees learn incident severity thresholds, the 72-hour rhythm and who needs to do what, when. The course covers triage, containment, assessment, notification and follow-up – supported by checklists and templates. Table-top drills make the process muscle memory.
Proof and reassurance: why training works
Most organisations benefit from both awareness training for everyone and Foundation training for the people who own delivery.
Our GDPR Foundation training course focuses on tasks that matter: handling DSARs, choosing lawful bases for processing, maintaining records and getting breach response right – in other words, giving learners the confidence to apply the GDPR’s principles in their day-to-day work.
Alternatively, if you need to ensure all your staff understand their data protection obligations, you’ll benefit from our GDPR and Data Protection Act 2018 Staff Awareness E-learning Course.