GDPR One Year On: Common Gaps in Compliance and How to Fix Them

It’s just over a year since the General Data Protection Regulation (GDPR) reshaped the way organisations view, process and store personal data. When the law came into force, many already stretched organisations scrambled to meet its requirements. While plenty of teams have successfully embedded GDPR principles, there are still several areas where compliance commonly falls short — often without the organisation realising.

Below, we summarise the issues we encounter most frequently, and how a strong Information Governance Framework can help fix them.

1. Privacy by Design Is Still Being Overlooked

Privacy by Design is one of the most fundamental principles of GDPR — yet it is still often forgotten. Many teams skip this step simply due to a lack of training or awareness.

Embedding Privacy by Design means considering data protection at the earliest stages of any new system, process, or project, not as an afterthought.

To do this effectively:

  • Involve your Data Protection Officer (DPO) or Information Governance Lead early.
  • For higher‑risk processing, complete a Data Protection Impact Assessment (DPIA).
  • Use a structured checklist or questionnaire to identify risks and required mitigations.

An effective DPIA examines areas such as:

  • The legal basis for processing personal information.
  • Any third‑party data processors involved, and how compliance will be maintained.
  • How you will communicate processing activities to data subjects.

Working with an Information Governance specialist can make this process far easier — ensuring your project is both compliant and secure from the outset.

2. Information Governance Isn’t Just About Technology

GDPR applies to any asset containing personal information — not just digital systems.

While cyber‑security gets most of the attention, physical records (paper files, printed lists, ID documents, etc.) often receive far less scrutiny, which leaves gaps in compliance.

To address this:

Create and maintain an Information Asset Register (IAR)

This should include all information assets across the organisation, including physical documents.

A good IAR lists:

  • The owner of the information asset
  • The volume of personal information it contains
  • The retention period
  • Where and how it is stored

It should be reviewed annually or whenever new assets are created.

Strengthen physical security

Common best practices include:

  • Closing doors behind you and challenging tailgaters
  • Locking storage cabinets containing personal data
  • Locking your computer screen when away from your desk
  • Storing paper records securely
  • Reporting any incidents through your standard procedures

Physical risks are often forgotten — but they are just as important as digital security.

3. GDPR Compliance Is Not a One‑Off Task

A common misconception is that GDPR is something you “complete” once. In reality, it requires continuous attention.

Data protection applies across the entire information lifecycle — from collection, to storage, to archiving, to destruction.

You can maintain ongoing compliance through:

  • Annual staff training on Data Protection & Information Security
  • Annual policy reviews to reflect legal changes and best practice
  • Regular process reviews (schedule these every 6 months)
  • Meetings with stakeholders to identify risks, improvements, and lessons from incidents

When Information Governance becomes a regular conversation, it drives awareness, strengthens practice, and builds organisational buy‑in.

Many organisations use Smartdesc’s ongoing Information Governance services to help manage and review their compliance on a recurring basis.

4. Policy Gaps — and Why Just Uploading Them Isn’t Enough

Every organisation should have a core set of GDPR‑related policies, including:

  • Data Protection Policy
  • Retention & Disposal Policy
  • Information Security Policy
  • Acceptable Use Policy
  • Physical Security Policy

While many organisations have written these policies, a frequent mistake is failing to properly communicate them to staff.

GDPR requires organisations to show accountability, which means you must evidence that staff have:

  • Received the policies
  • Read them
  • Understood them

Simply uploading policies to an intranet is not enough. At minimum, require staff to confirm they have read them — ideally as part of induction and refresher training.

Finding the balance between overly detailed policies and those too vague to be useful is also key.

Smartdesc can supply “vanilla” templates to help you get started or strengthen your existing suite.

Final Thoughts

GDPR compliance is not a tick‑box exercise — it’s an ongoing organisational commitment. By embedding privacy into design, maintaining oversight of all information assets (including physical ones), investing in regular training, and ensuring staff understand your policies, you significantly reduce your risk of a costly data breach.

If you’d like help managing your GDPR compliance or improving your Information Governance practices, you can find more information here.