14 Mistakes Companies Make in Preparation for GDPR

Aidan Simister by   05.21.2018   Compliance

I think it’s fair to say that most organizations are still struggling to understand exactly what is required of them when it comes to GDPR preparations. There is a lot of misinformation out there surrounding this topic and it can be easy to just ignore the mandate and keep your fingers crossed that it will all be OK. Obviously, this is not the way to go about it. We’ve had a look around at some of the most common mistakes organizations are making with their preparations and compiled a list of them below. I hope you’re not making the same mistakes!

1. The belief that GDPR doesn’t apply to you

Regardless of where your organization is located; if you employ more than 250 people and handle information that belongs to EU citizens, you will need to comply fully with the GDPR. Companies with less than 250 employees also fall under the remit of GDPR but they are some exemptions related to record-storing. SME’s are required to hold records internally for collected and processed data only if it presents a risk to an individual’s rights or freedoms, or if it pertains to criminal activities or offences.

2. The belief that you are already compliant with GDPR

You may have a top-notch security strategy already in place, and thus believe that you are already compliant with the GDPR. However, the GDPR comes with a whole new set of features including elevated rights for data subjects, breach notification requirements, stricter consent laws and more. You simply must have a full review of your security strategy in line with the new regulations to ensure you have all the right security controls in place.

3. Viewing GDPR as a hindrance instead of an opportunity

While is it completely understandable that some companies see the GDPR as a burden, there are some reasons to be positive. Think of the GDPR as opportunity to get your house in order. For example, knowing what data you store, where your sensitive data resides, who has access to this data, and having the ability to demonstrate this knowledge to the authorities, will inevitably improve your work-flow and help you to avoid expensive and disruptive security incidents. If compliance is perceived as an obstacle, staff members will be less enthusiastic to achieve the compliance objectives.

4. Sticking to an outdated understanding of sensitive data

The GDPR expands on our previous understanding of what constitutes sensitive data. Some of the new types of sensitive data include; genetic data, biometric data, religious/political views, IP addresses, sexual orientation, trade union memberships, and basically any information that can be used to identify a specific person.

5. Putting too much faith in cloud service providers

Sure, any reputable cloud service provider will inevitably seek to ensure that they are fully compliant with the GDPR. However, it is ultimately your responsibility to ensure that the data is well protected. Ideally, you should avoid storing sensitive data in the cloud, encrypt everything you can, make sure that you have read and understood the service provider’s user agreement, and of course, make sure you have a strong password policy.

6. Not understanding what data you can and can’t keep

Providing you are able to demonstrate that the PII data you hold was collected in a manner that complies with the GDPR requirements, you should be able to continue using this data without any disruption. If this is not the case, you will need to re-establish explicit consent from your users, which will need to be demonstrated to the supervisory authorities.

7. Not hiring a Data Protection Officer

Achieving compliance objectives requires a team effort. However, it is still necessary for somebody to take ownership of GDPR compliance routines. The DPO will need to manage and maintain the organisation’s data protection policy, co-ordinate relevant training programs, and respond to enquiries from staff members.

8. Failing to cover the different types of data

Broadly speaking there are three types of data; structured, unstructured and web data. It is generally harder to identify unstructured data and web data, which includes things like social media posts, personal photos, IP addresses and geographic locations. If you’re not able to identify unstructured/web data, in whatever form it takes, then it’s unlikely you be able to comply with the GDPR.

9. Not asking for help

GDPR compliance is not a simple task, and the ramifications of failing to comply could be very costly. Don’t hesitate to seek outside assistance if required. Seeking advice from an expert may require up-front costs, but it will likely pay off in the long term. On the flip-side, it is also important that you are able to recognise bad advice and be able to identify badly drafted contracts.

10. Treating GDPR as an after-thought

It is important that you are able to see the big picture. Data protection is an ongoing process. There will need to be planned, periodic reviews of the security policies and procedures in place.

11. Adopting a “them against us” attitude to the supervisory authorities

Keep in mind that they are just people doing a job. Give them a chance to do their job. After all, the GDPR is probably a challenge for them too.

12. Failing to comply with the Purpose Limitation Principle

Organisation’s must ensure that the personal data they collect is “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. They must also be prepared to demonstrate the manner and motives for collecting the data to the supervisory authorities.

13. Failing to adequately delete the data as required under the “right to be forgotten”

Most traditional data management systems don’t actually delete redundant data, but instead archive the data in case it needs to be restored at a later date. Organisations will need to dig-out this archived data and ensure that it has been adequately disposed of.

14. Failing to demonstrate compliance to regulators and consumers

Without the help of a sophisticated auditing and reporting solution such as LepideAuditor, organisations will undoubtedly struggle to demonstrate their ability to comply with the GDPR. LepideAuditor is capable of generating over 300 pre-set reports, which are specifically designed to satisfy regulatory compliance and meet auditing requirements.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.