KPMG Law LLP

8 January 2024

For most organisations, data privacy is considered a “top-10” organisational risk. We know that keeping up with all data privacy requirements can be challenging. We're here to help. Here are some of the most common data privacy mistakes made in 2023, and how to avoid them.

1. Mistake: Selection and application of an inappropriate legal basis

During 2023, the Data Protection Commission (DPC) issued several fines to organisations that relied on a legal basis that was not suitable for the data processing undertaken.

Some organisations fail to carry out the “necessity test” to ensure that the personal data processed is necessary to carry out a specific activity before relying upon a legal basis such as performance of a contract or legitimate interest.

How to prevent it: Organisations must carefully assess the purpose of their data processing to identify the most appropriate legal basis. When relying on a specific legal basis, document the reasons for choosing it; where the basis is legitimate interest, a legitimate interest assessment must be undertaken and recorded. For more guidance, read our briefing on legal bases here.

2. Mistake: Failure to maintain appropriate Record of Processing Activities (“RoPA”)

Under the GDPR, organisations are obliged to maintain a RoPA. When the DPC conducted a review of organisations’ data protection records, it found that many of these records were insufficient and non-compliant. This exposed the organisations in question to penalties under the GDPR.

How to prevent it: Organisations must conduct a data mapping exercise, with input from several business functions, to identify exactly what personal data is held, where it is held and why. Every business function should be broken down and the RoPA should be as detailed as possible. Organisations are expected to have their RoPA ‘ready to go’ at any time and, in any event, to produce it within 10 days of a request from the DPC.

3. Mistake: Not prioritising training

Privacy training is one of the key factors to ensure all employees in an organisation understand their obligations under the GDPR and any other applicable privacy regulations (the “data protection rules”). A lack of training increases the risk of human error when employees are dealing with personal data (e.g. failure to safeguard personal data, or sharing data with unauthorised persons). This can lead to breaches and potentially fines and reputational damage.

How to prevent it: Training should be tailored to the roles and responsibilities of each employee so that it is relevant to the processing activity they actually carry out. It should also be an ongoing activity, so that all employees, including new joiners and contractors, understand the importance of processing personal data in a compliant manner.

4. Mistake: Believing in a one-size-fits-all approach

There is a tendency to think that using generic privacy templates will ensure compliance with the requirements laid out in the data protection rules. However, this practice presents a risk, as each organisation and each of its business units will process personal data for different purposes and will require different technical and organisational measures. Following a one-size-fits-all approach exposes an organisation to sanctions or penalties under the GDPR for failing to comply with the principles of data protection by design and by default.

How to prevent it: Following the data protection by design and by default requirements is crucial to ensure that your organisation tailors its privacy framework to its specific processing operations. Your organisation should assess the nature, scope, context and purposes of the processing, and the risks it presents to individuals, in order to implement the appropriate technical and organisational measures and safeguards.

5. Mistake: Believing compliance with one regulation equals compliance with all privacy regulations

The data protection rules are constantly evolving, and new laws and regulations keep entering the data protection and privacy compliance landscape. When it became applicable in May 2018, the GDPR set the benchmark for a new wave of privacy regulation worldwide. However, the GDPR is no longer the only player in the game, and organisations must consider what other privacy regulations apply to them based on the nature of their business and their locations.

Other legislative texts, such as the Digital Services Act, the ePrivacy Directive, the AI Act or the national data protection acts in force in the locations where your organisation operates, might affect your privacy framework.

How to prevent it: The key is to understand the organisational structure of the company, assess the locations where the organisation is based or operates, and determine whether those locations have specific privacy laws in place.

How can KPMG help?

Our team can help you identify any gaps in your privacy programme, design and deliver a data protection framework, and complete an assessment of the different privacy laws applicable to your organisation and how to comply with them.

If you would like to discuss further, contact a member of our team about these or any other privacy concerns.

Keep an eye on our website this year for insights on key issues affecting privacy professionals.

Contact the team

Emma Ritchie

Head of Data Protection & Privacy