We present below some common mistakes when implementing the GDPR. Non-compliance with the General Data Protection Regulation (GDPR) not only jeopardizes user privacy but can also lead to significant fines imposed by the Spanish Data Protection Agency (AEPD). Below, we explain the 5 most common mistakes businesses make when implementing the GDPR, along with real examples of penalties imposed by the AEPD.<\/p>\n\n\n\n
1. Not conducting an initial risk analysis<\/strong><\/p>\n\n\n\n A hospital and a restaurant are not the same, but both may collect personal data for their operations. The risk associated with the use of that data is completely different in each case, so the risks related to processing these data are distinct. Clearly identify the types of personal data you will process (using the Record of Processing Activities<\/a>) and tailor your measures to the data you handle.<\/p>\n\n\n\n Failing to identify how personal data is processed in the company can lead to security breaches and vulnerabilities that go unnoticed.<\/p>\n\n\n\n Real case<\/strong>: The AEPD fined<\/a> a company \u20ac270,000 for sharing an employee’s payroll with 446 other workers.<\/p>\n\n\n\n How to avoid it<\/strong>: Perform an analysis of the personal data processed to identify risks in data processing and define corrective measures from the outset.<\/p>\n\n\n\n 2. Lack of explicit consent<\/strong><\/p>\n\n\n\n Consent is one of the six legal bases for data processing. Failing to properly assess the legal basis is a common mistake. Requesting personal data without express, clear, and verifiable consent is a serious violation under the GDPR. This includes using pre-checked boxes or failing to properly inform individuals about how their data will be used.<\/p>\n\n\n\n Real case<\/strong>: A bank was fined<\/a> \u20ac180,000 for accessing the credit history of a former customer without a legal basis.<\/p>\n\n\n\n How to avoid it<\/strong>: When necessary, ensure that consent is clear and documented. Use unchecked acceptance boxes and explain in simple terms how the data will be used.<\/p>\n\n\n\n 3. Failing to update privacy policies<\/strong><\/p>\n\n\n\n A Privacy Policy provides users with the necessary information to understand their rights and ensure that their data is provided knowingly. Having outdated or incomplete privacy policies is a recurring mistake that can lead to user distrust and legal penalties.<\/p>\n\n\n\n Real case<\/strong>: A company was fined<\/a> \u20ac10,000 for failing to properly inform users in its privacy policy about personal data processing.<\/p>\n\n\n\n How to avoid it<\/strong>: Review your privacy policies periodically and ensure they include:<\/p>\n\n\n\n 4. Failing to appoint a Data Protection Officer (DPO)<\/strong><\/p>\n\n\n\n Not all companies need a DPO, but those that handle sensitive data or large volumes of personal data are required to appoint one. Ignoring this obligation can result in fines.<\/p>\n\n\n\n\n