
Common mistakes when implementing the GDPR in your company

Non-compliance with the General Data Protection Regulation (GDPR) not only jeopardizes user privacy but can also lead to significant fines imposed by the Spanish Data Protection Agency (AEPD). Below, we explain the 5 most common mistakes businesses make when implementing the GDPR, along with real examples of penalties imposed by the AEPD.

1. Not conducting an initial risk analysis

A hospital and a restaurant are not the same, but both may collect personal data for their operations. The risk associated with processing that data is completely different in each case. Clearly identify the types of personal data you will process (using the Record of Processing Activities) and tailor your measures to the data you actually handle.

Failing to identify how personal data is processed in the company can lead to security breaches and vulnerabilities that go unnoticed.

Real case: The AEPD fined a company €270,000 for sharing an employee’s payroll with 446 other workers.

How to avoid it: Perform an analysis of the personal data processed to identify risks in data processing and define corrective measures from the outset.

2. Lack of explicit consent

Consent is one of the six legal bases for data processing. Failing to properly assess the legal basis is a common mistake. Requesting personal data without express, clear, and verifiable consent is a serious violation under the GDPR. This includes using pre-checked boxes or failing to properly inform individuals about how their data will be used.

Real case: A bank was fined €180,000 for accessing the credit history of a former customer without a legal basis.

How to avoid it: When necessary, ensure that consent is clear and documented. Use unchecked acceptance boxes and explain in simple terms how the data will be used.

3. Failing to update privacy policies

A Privacy Policy provides users with the necessary information to understand their rights and ensure that their data is provided knowingly. Having outdated or incomplete privacy policies is a recurring mistake that can lead to user distrust and legal penalties.

Real case: A company was fined €10,000 for failing to properly inform users in its privacy policy about personal data processing.

How to avoid it: Review your privacy policies periodically and ensure they include:

  • What data you collect
  • How you use it
  • How long you store it
  • User rights under the GDPR

4. Failing to appoint a Data Protection Officer (DPO)

Not all companies need a DPO, but those that handle sensitive data or large volumes of personal data are required to appoint one. Ignoring this obligation can result in fines.

Real case: A well-known restaurant chain was fined €25,000 for failing to appoint a DPO, despite it being mandatory due to the nature of the data processed.

How to avoid it: Assess whether your company needs a DPO (it’s mandatory for public entities and companies handling sensitive data) and appoint a qualified professional for the role.

5. Failing to properly manage user requests

The GDPR grants users rights such as access, rectification, erasure, and data portability. Failing to address these requests in a timely manner can result in significant fines. Ensure your company has a single entry channel to handle these rights properly.

Real case: A well-known airline was fined €40,000 for failing to respond to a customer’s access request.

How to avoid it: Implement an efficient system to manage these requests and ensure they are responded to within 30 days, as required by the regulation.

Conclusion

Avoiding common mistakes is simple if you carefully analyze your business activities. Complying with the GDPR is not just a legal obligation but also a way to gain your customers’ trust. Avoiding the mistakes mentioned above can protect you from penalties by the AEPD and enhance your reputation.

Author: Victor Roselló, Lawyer.

If you need more information, contact us!
