All-in-one Risk Management Platform

Common GDPR Compliance Mistakes & Pain Points

GDPR compliance is a necessity for many businesses that deal with consumer data. Here are some compliance scenarios to avoid.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

5 Common GDPR Compliance Mistakes & Pain Points

The GDPR, or General Data Protection Regulation, has been in effect since May 2018. However, many organizations are still uncertain about compliance-related difficulties. Make sure that your company is not committing any of the typical GDPR errors that other organizations frequently make.

In this guide, we’ll explore some common GDPR compliance mistakes that organizations tend to make that can lead to violations.

5 Common GDPR Compliance Mistakes and Pain Points

Failing to Reply to Data Subject Access Requests Appropriately

People, a.k.a. data subjects, are entitled to access their own personal data under data protection law. This means they can submit a "data subject access request" (DSAR) to obtain any personal information you may have about them.

Requests for data subject access can be made orally or in writing. They don't have to be addressed to a particular person in your organization, be made in a certain way, or make use of data privacy laws. You cannot demand that users utilize a specific form or submit requests in writing. You can only ask somebody to follow up in writing after receiving a verbal request. Both parties may benefit from having a written record of a subject access request, especially if the request was made over the phone and you need to clarify a few things. But regardless of whether you record their request on paper or they follow up in writing, their verbal request is still valid. An employee might request their personal information, for instance, at a disciplinary hearing; this would be a data subject access request.

Make certain that you and your staff are aware of data subject access requests and what to do if one is sent to you. In a nutshell, a data subject access request is when someone asks you for information on them and you are required to give them a copy of that material within predetermined periods.

Employee Mistakes Stemming from a Lack of Regular Training

Security awareness training is vital when creating a GDPR regulatory compliance strategy. Any piece of data can be obtained by employees of your firm. Even with the finest security precautions and a robust Data Processing Agreement in place, this could still happen. Making sure that employees understand how to protect personal data is one of the major duties of a data protection officer (DPO) under the GDPR. The GDPR does not specify how much data protection training businesses must provide, though. In this situation, the data protection officer has a lot of discretion. The legislation is silent regarding the type of data protection training you must do, including whether it must be written, delivered in person, or both. It also doesn't specify how frequently you must perform it. However, if they don't practice often, people often forget what they have learned. The best practice for data security training is typically requiring annual training, with supplemental training added if and when necessary due to internal or external changes that might affect data security expectations. 

Another frequent issue is when a company thinks GDPR compliance can be handled by just one department, typically the IT department. Although the IT department must, of course, manage many of the major changes, the GDPR affects a wide range of company operations, therefore it is crucial that staff members at all organizational levels play an active role. To ensure that everyone on staff is aware of how the GDPR affects both them and consumers, training is necessary. The GDPR will be too much for the IT personnel to handle.

“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

Not Taking Email Security Practices Seriously

One of the most frequent privacy errors and a violation of data protection laws is this. 

You might believe it won't affect your company, especially if email usage isn't a big requirement there. Unfortunately, history demonstrates that isn't the case with regard to data. One of the most frequent data breaches causes in businesses is having a list of recipients that anyone can see. Millions of emails can be sent daily from members of the CC (carbon copy) group to other members of the cc group. Frequently, nothing occurs. Data breaches can, nevertheless, occur with ease.

Like those on the list, people on the CC list can see the precise email addresses that the sender used when sending the message. Additionally, they have access to your email history. If individuals do not have access to each other's email addresses, this could lead to issues. You shouldn't give out any personal information to anyone if they read your email history. Make sure to include information on email security and the importance of avoiding the sending of CC messages in your employee training materials.

Disclosing Personal Data and Transfering Data Where It Shouldn’t Go

Many businesses claim that they do not sell the data and, obviously, that they do not share it with unauthorized parties. They fail to identify who receives the data and what information is disclosed. The main issue is that people sometimes aren't even aware that accessing third-party platforms, apps, or services entails releasing personal information. These third parties could include, for instance, internet service providers, hosting companies, social media sites, online payment processors, as well as any organizations that use third-party cookies on their websites and their partners. The golden rule, in this case, is straightforward: gather information from all points of contact to create a complete picture, and if you lack the knowledge or resources to do it internally, hire a consultant who does.

The issue of data transfers is another potential mistake that organizations make with their compliance procedures. Data transfers beyond the European Union must be specified, as well as any associated security precautions. Most of the time, while referring to businesses that are part of a group, they omit to name the nations where transfers are performed among the groups. For instance, even if practically all personal data is transferred within the group via its IT services, if the organization's IT services are located in China or the UAE, this is frequently not acknowledged. Applying Binding Corporate Rules (commonly known as BCRs, which are legally binding internal codes of conduct operating inside a multinational group that applies to transfers of personal data from the group's EU firms to the group's non-EU entities) is one way to deal with the problem. BCRs are enforceable data subject rights contained in legally binding data protection laws that have been authorized by the relevant Data Protection Authority. Intra-group model clause agreements provide a further remedy.

Not Paying Attention to Cookies

Almost 99% of all relevant websites in the EU utilize cookies that gather personal data as defined by the GDPR. Online identifiers, such as those created and kept by cookies, are specifically regarded as personal data under the GDPR. In the same way, IP addresses, location information, and other online identifiers can create a GDPR violation. The extensive usage of pre-made solutions like plug-ins and templates that act as virtual black boxes is largely to blame for the pervasive use of different cookies that can cause GDPR violations. It is understandable why many website owners are completely unaware that their customer's personal information is being collected and tracked by different advertisers– but it is the organization’s responsibility to ensure their website is GDPR compliant.

You should limit the number of cookies your website sets in order to avoid this issue. Eliminate extraneous plug-ins and components that are slowing down your website as well.


GDPR compliance can feel overwhelming and confusing at times, that’s why it is best to work with the experts to ensure that you have every necessary piece handled with ease. At Accountable, we are here to help you walk through GDPR compliance and maintenance as quickly and conveniently as possible. 

Like what you see?  Learn more below

GDPR compliance is a necessity for many businesses that deal with consumer data. Here are some compliance scenarios to avoid.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)