GDPR: What UK Businesses Still Get Wrong
Seven years after GDPR came into force, UK businesses are still making the same mistakes. Here is what is going wrong, and how to put it right.
GDPR Is Not a Finished Project
Seven years after the General Data Protection Regulation came into force, UK organisations still routinely fall short of the standard it demands. The introduction of the UK GDPR after Brexit, together with the ongoing evolution of case law and Information Commissioner's Office (ICO) enforcement, means that compliance is a continuous exercise rather than a one-off project. Organisations that treated GDPR as a 2018 milestone and moved on are now finding that the gaps have grown wider than they realise.
This post sets out the mistakes we see most often in UK businesses, why they matter, and how to fix them.
Mistake 1: Confusing Consent With Lawful Basis
Many organisations still treat consent as the default lawful basis for all personal data processing. In practice, consent is rarely the most appropriate or most defensible basis for routine business activities. Contractual necessity, legitimate interests, legal obligation, and vital interests are all equally valid bases and are often more suitable, depending on the context.
Relying on consent when another basis is more appropriate creates two problems. First, consent must be freely given, specific, informed, and unambiguous, which is a high bar that is often not genuinely met. Second, where consent is withdrawn, the organisation must stop processing, even if that undermines a legitimate business purpose. The fix is a data processing inventory that identifies the correct lawful basis for each activity, supported by clear documentation.
Mistake 2: Missing or Weak DPIAs
Data Protection Impact Assessments are not optional paperwork. The UK GDPR requires them for any processing likely to result in high risk to individuals, and case law has expanded the circumstances in which one is expected. Yet many organisations either skip DPIAs entirely or produce documents that are too generic to be useful.
A strong DPIA identifies the specific processing, the individuals affected, the risks, and the mitigations. It is reviewed when the processing changes. For AI deployments, especially those involving personal data or high-impact decisions, DPIAs are now effectively mandatory and are closely scrutinised by the ICO. If your organisation is deploying generative AI across employee workflows without a DPIA, you are exposed.
Mistake 3: Weak Vendor and Processor Management
UK GDPR makes controllers responsible for the actions of their processors. That means organisations must ensure that every third-party vendor handling personal data, from cloud platforms to marketing tools to call centre providers, is bound by appropriate contracts, subject to due diligence, and monitored over time.
The common mistake is treating processor management as a one-time exercise handled by procurement. In reality, it is a continuous responsibility. New vendors are onboarded without a data protection review. Existing vendors change their sub-processors without notice. Processor security posture degrades over time. The fix is a living vendor inventory linked to contract management, security assessment, and onboarding and offboarding workflows.
Mistake 4: International Transfer Complacency
Since the EU granted the UK an adequacy decision, many UK organisations assume that international transfers are largely a solved problem. They are not. Transfers to the US remain subject to the UK Extension to the EU-US Data Privacy Framework, and transfers to many other jurisdictions still require Standard Contractual Clauses, transfer risk assessments, and supplementary measures.
The rise of cloud AI has complicated this picture further. Generative AI tools often send user prompts and organisational data to processing infrastructure outside the UK, sometimes without clear transparency. Organisations that deploy these tools without understanding and documenting the transfer posture are exposed to enforcement risk.
Mistake 5: Treating Subject Access Requests as Ad Hoc
Subject access requests are a fundamental individual right, and the ICO treats failure to respond properly as a serious issue. Yet many organisations still handle them as ad hoc exercises, finding themselves overwhelmed when requests arrive.
A robust subject access process covers identification and verification, a defined response workflow, tooling to find and redact data efficiently, and clear escalation for complex requests. It also tracks timelines to ensure the one-month statutory window is met. If your team is reinventing the process every time a request arrives, you are one disgruntled individual away from a regulatory complaint.
Mistake 6: Breach Readiness vs Breach Response
UK GDPR requires notification of personal data breaches to the ICO within 72 hours where the breach is likely to result in a risk to individuals. Many organisations have paper plans for this but have never tested them, and struggle to meet the deadline when a real breach occurs.
Effective breach readiness includes a documented incident response process, tabletop exercises, clear roles and responsibilities, technical detection capability, and rehearsed communication templates. It is also integrated with your wider cyber incident response process so that GDPR obligations are not forgotten in the middle of a broader security incident.
Mistake 7: Training That Does Not Change Behaviour
Annual compliance training that users click through to satisfy a policy requirement is not training. It is theatre. Genuine data protection awareness requires contextual training tailored to roles, regular reinforcement, and leadership that visibly takes the issue seriously.
Where training is done well, data protection becomes part of daily decision-making rather than a separate discipline. Where it is done poorly, staff default to convenience and compliance is steadily eroded.
Putting It Right
Fixing these issues is achievable. It requires a clear programme owner, executive sponsorship, a realistic roadmap, and the discipline to treat data protection as an ongoing business function rather than an occasional project.
BTLITC supports UK organisations with data protection impact assessments, subject access processes, vendor due diligence, and breach preparedness. For organisations deploying AI, our BTLITC AI Vault provides a private, on-premise AI workspace that removes the most acute cloud-AI data protection exposures in a single step. Contact us to discuss your data protection posture.
- #GDPR
- #UK GDPR
- #Compliance
- #Data Protection
- #ICO
