Most GDPR (General Data Protection Regulation) breaches arise from everyday slip-ups, such as missing DSAR (data subject access request) deadlines, picking the wrong lawful basis for processing, failing to enforce retention periods, keeping inadequate records or misreporting incidents.
However, fall short of your compliance obligations – for whatever reason – and you face complaints, investigations, reputational harm, legal action and regulatory enforcement, including fines of up to £17.5 million under the UK GDPR or €20 million under the EU GDPR, or 4% of your annual global turnover – whichever is greater.
This blog post sets out five common GDPR compliance mistakes and their business impact, and explains how GDPR Foundation training gives your staff the practical tools they need to fix them – fast.
Common mistakes and quick fixes
| Mistake | Risk/impact | How training fixes it |
|---|---|---|
| Mishandling DSARs (late, over-disclosing, under-scoping). | Complaints, ICO scrutiny, reputational damage. | Step-by-step DSAR process, scope checks, redaction and deadlines – with practical examples and signposting to templates. Covers the DUAA’s “reasonable and proportionate” search standard. |
| Using the wrong lawful basis for marketing/ops. | Unlawful processing, complaints, list remediation. | Decision logic for lawful bases and consent vs legitimate interests – including the new “recognised legitimate interests” route (where applicable) and how it differs from EU GDPR. |
| Ignoring retention or “keep everything” habits. | Over-retention risk, bigger breach impact, inefficiency. | Build retention schedules and destruction routines aligned with business needs and audits; show evidence for routine deletions. |
| Failing to document decisions (ROPAs, DPIAs, guidance). | Can’t evidence compliance; audit pain. | Workable records, DPIAs and change logs that stand up to challenge. Note: the DUAA doesn’t remove ROPA/DPIA obligations. |
| Mishandling breach reporting (late or over-/under-reporting). | Regulator issues, reputational damage. | Incident triage, thresholds, timelines and communications – practice drills and templates. |
Let’s look at each of those mistakes in more detail.
1) DSAR mismanagement
What happens in the real world
- Requests are logged late or not logged at all.
- Identity checks are skipped.
- Teams scope too narrowly and miss systems such as shared drives, archives and SaaS (software-as-a-service) tools.
- Exports include unredacted third-party data.
- Deadlines are missed or holding responses are vague and untracked.
Risk and impact
- Risk of customer complaint and regulator attention.
- Staff and customer trust erodes.
- Costs rise as teams rework disclosures.
- Legal risk increases if special category or confidential data is exposed.
DUAA (Data (Use and Access) Act 2025) update
Owing to the DUAA’s amendments to UK data protection law, searches for DSARs should now be “reasonable and proportionate”, reducing pressure to run exhaustive trawls – but the decision on what to search, and why, must be justified and recorded. This does not shorten the one-month response deadline, which can only be extended (by up to two further months) where requests are complex or numerous.
Training fix
GDPR Foundation training provides a clear DSAR playbook: triage → identity check → scope → collect → review → redact → respond.
Trainees learn proportionate search criteria, redaction rules and how to use extensions where justified – with worked examples and template signposting to put into practice straight away.
2) Wrong lawful basis (especially marketing)
What happens in the real world
- Teams default to consent when legitimate interests would be a more suitable lawful basis for processing.
- PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) nuances on electronic marketing are missed.
- Historic lists lack robust consent records.
- Privacy notices and recorded customer contact preferences drift out of alignment with actual practice.
Risk and impact
- Processing may be unlawful.
- Complaints follow.
- Lists need remediation or rebuilds.
- The brand takes a hit if customers feel misled.
- Internal friction grows between Marketing, Legal and Customer Services.
DUAA update
The DUAA creates a narrow list of recognised legitimate interests – situations where organisations can rely on legitimate interests without performing a balancing test. These include safeguarding vulnerable individuals, detecting and preventing crime, and maintaining the integrity of democratic processes.
This sits alongside, not in place of, the existing legitimate interests basis under Article 6(1)(f) UK GDPR, where the balancing test still applies.
The distinction matters for record-keeping: when using a recognised interest, document the purpose reference in the DUAA schedule; when using a standard interest, retain your own necessity and balancing assessment.
Training fix
The course uses decision trees and live scenarios – customer acquisition, events, B2B outreach, product updates, service communications – to help you pick the right lawful basis for processing, apply PECR rules by channel and document outcomes.
Learners practise aligning notices, CRM fields and preference centres with the chosen lawful basis, including when (and when not) to rely on recognised legitimate interests.
3) Retention periods ignored
What happens in the real world
- “Save it just in case” becomes the norm.
- Parallel copies of personal data sit in email, chat, shared drives and backups.
- Legacy systems hold data with no clear owner.
- Disposal jobs are manual and irregular.
- Project teams store data sets beyond their purpose.
Risk and impact
- Over-retention enlarges the radius of any breach and increases discovery costs.
- Storage sprawl wastes money and complicates audits.
- Individuals’ data is kept on file longer than necessary, increasing risk.
DUAA update
The DUAA doesn’t remove core accountability duties such as keeping ROPAs (records of processing activities) and carrying out DPIAs (data protection impact assessments), nor does it redefine “personal data”. Retention remains a controller decision that must be justified and followed in practice.
Training fix
GDPR Foundation training walks you through building a practical retention schedule – mapping datasets, purposes and lawful bases for processing to justified periods, with destruction routines that fit business as usual. It shows how to align IT, HR, Legal and business units around deletion triggers and how to evidence routine disposals.
4) Poor documentation and accountability
What happens in the real world
- ROPAs are incomplete or outdated.
- DPIAs are triggered late or treated as a formality rather than informing process development.
- Policy changes are made but not properly logged.
- Local guidance sits in emails and chats, not in a controlled library.
- Third-party processing decisions are poorly recorded.
Risk and impact
- When challenged, the organisation cannot evidence compliance at audit.
- Partners and regulators lose confidence.
- Staff follow inconsistent guidance.
DUAA update
The DUAA relaxes the UK GDPR’s restrictions on decisions made solely by automated means, allowing them where “appropriate safeguards” exist – such as meaningful human review, transparency and an appeal route.
Controllers must still explain the logic, significance and effects of such processing, but consent is no longer always required.
Training now includes updated coverage of Article 22 UK GDPR as amended, so teams understand when automation is lawful, how to implement human-in-the-loop controls, and how to document them within existing ROPA and DPIA frameworks.
Training fix
The course makes documentation workable: ROPA essentials, DPIA triggers and approvals, and lightweight change logs to keep policies and guidance current.
Learners practise turning real decisions into short, structured entries that can be retrieved and defended.
5) Breach reporting errors
What happens in the real world
- Incidents are misclassified.
- Teams over- or under-report.
- Internal notifications are ad hoc.
- The 72-hour notification window is misunderstood – it runs from when the organisation becomes aware of the breach, not from when the breach occurred.
- Communications to affected individuals are unclear or inconsistent with legal duties.
- Root-cause analysis is skipped once systems are back online.
Risk and impact
- Late or inaccurate reporting invites regulatory scrutiny.
- Poor comms damage trust and prolong negative media cycles.
- Recurrence increases if lessons are not learned and acted on.
Training fix
Trainees learn incident severity thresholds, the 72-hour rhythm and who needs to do what, when. The course covers triage, containment, assessment, notification and follow-up – supported by checklists and templates. Table-top drills make the process muscle memory.
Proof and reassurance: why training works
Most organisations benefit from both awareness training for everyone and Foundation training for the people who own delivery.
Our GDPR Foundation training course focuses on tasks that matter: handling DSARs, choosing lawful bases for processing, maintaining records and getting breach response right – in other words, giving learners the confidence to apply the GDPR’s principles in their day-to-day work.
Alternatively, if you need to ensure all your staff understand their data protection obligations, you’ll benefit from our GDPR and Data Protection Act 2018 Staff Awareness E-learning Course.