Top 10 GDPR Mistakes SMEs Make in 2026
TL;DR
- Median 2025 SME GDPR fine: EUR 12,500; 90th percentile EUR 240,000
- Top 3 fine drivers (60% of cases): missing DPO, incomplete RoPA, late breach notification
- Cheapest compliant SME setup: GDPR kit (EUR 490-1,490) + external DPO (EUR 3-12k/year) + cookieless analytics
- Most overlooked obligation: Transfer Impact Assessment (TIA) for US providers — even under DPF
- Quick wins: RoPA Excel, DPA inventory, cookie banner equal-choice — under 4 hours each
1. Treating the RoPA as a One-Off Excel
The Records of Processing Activities (RoPA, Art. 30 GDPR) is a living document. Art. 30 sets no review cadence, but supervisory authorities expect the record to reflect current processing, which means ad-hoc additions whenever a new processing activity, processor or purpose is introduced, not a spreadsheet filled once and forgotten. Fix: Schedule a quarterly RoPA review in the compliance calendar and make "RoPA updated" a sign-off item for every new tool or vendor.
2. No DPA with Standard SaaS Providers
Microsoft 365, Salesforce, HubSpot, Mailchimp: all are processors. Without a Data Processing Agreement (DPA), the controller is in breach of Art. 28 GDPR, which carries fines of up to EUR 10m or 2% of worldwide annual turnover, whichever is higher (Art. 83(4)). Fix: Build a DPA inventory; download, review and approve each provider's standard DPA, and record the sub-processor list and location of the data for the TIA in point 5.
3. Cookie Banner without Equal-Choice
An "Accept" button that is green and large while "Reject" is buried in text qualifies as a dark pattern (VG Berlin 2024). Supervisory authority fines for this range from EUR 5,000 to 50,000. Fix: Banner audit ensuring identical size, color and position for both buttons, and confirm that no non-essential cookie or tracking script is set before the visitor has chosen.
4. Breach Not Reported within 72h
Art. 33 GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to data subjects; where notification is later, the reasons for the delay must be given. Late notification adds EUR 5,000-50,000 to the fine plus reputational damage. Fix: Build a breach playbook with a 24h internal trigger and a 48h external notification target, so that the 72h clock is never reached, and log the time of awareness, because that timestamp starts the clock.
5. No TIA for US Providers
EDPB 03/2026 still recommends a Transfer Impact Assessment even under the EU-US Data Privacy Framework (DPF), because a DPF collapse remains a tail risk. Where a provider is not DPF-certified and the transfer rests on Standard Contractual Clauses, the TIA is mandatory in any case (CJEU C-311/18, Schrems II). Fix: Document a TIA per US provider, including whether the provider is DPF-certified and which fallback transfer tool applies; templates are in the GDPR kit.
6. No DPO Despite Section 38 BDSG Threshold
Under Section 38 BDSG, a German controller must appoint a Data Protection Officer (DPO) once at least 20 persons are regularly engaged in the automated processing of personal data; the count is persons working with personal data, not total headcount. Independently of that threshold, Art. 37(1) GDPR requires a DPO where core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data. Typical 2025 fine range: EUR 15,000-50,000. Fix: Appoint an internal or external DPO immediately and communicate the contact details to the supervisory authority (Art. 37(7)).
7. Privacy Notice Older Than 12 Months
The information duties of Art. 13 and 14 GDPR mean the notice must be updated whenever the processing activities, purposes, recipients or retention periods change. A stale notice signals weak compliance to auditors and supervisory authorities. Fix: Half-yearly review cycle, tied to the RoPA review so that every new processing activity is reflected in the notice.
8. Applicant Data Retained Beyond 6 Months
BAG 2 AZR 1180/16 (Federal Labor Court) sets a 6-month deletion deadline after rejection. Storing rejected applicants in a talent pool beyond that period requires explicit consent. Fix: Automated deletion in the ATS, with the rejection date as the trigger and a separate consent flag for talent-pool candidates.
9. No GDPR + AI Literacy Training
GDPR Art. 32 (appropriate organisational measures) together with Art. 39(1)(b) (staff awareness and training) and EU AI Act Art. 4 (AI literacy, applicable from 02/02/2025) require that staff handling personal data or operating AI systems are trained. Neither law fixes a cadence; annual training is the accepted practice and what supervisory authorities ask for as proof. Fix: E-learning module with quiz and proof-of-completion, kept as evidence.
10. No Process for Data Subject Rights
Art. 15-22 GDPR give data subjects rights of access, rectification, erasure, restriction, portability and objection. Art. 12(3) requires a response without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests, provided the data subject is told of the extension within the first month. Fix: Workflow with identity verification, deadline tracking and templates for access, deletion and rectification responses.
Summary
The 10 mistakes above account for the bulk of supervisory enforcement. Most can be fixed in under four hours each with a complete document set. The cheapest sustainable SME setup combines a GDPR kit, an external DPO contract, and cookieless analytics. Start with the self-test, fill the RoPA Excel, collect DPAs.
Frequently Asked Questions
Which mistake is the most frequent reason for fines?
Is external data protection consultancy sufficient?
What is the most affordable setup for SMEs?
Realistic fine risk?
Where is the best place to start?
Sources
- Regulation (EU) 2016/679 (GDPR) (as of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (as of: ongoing)
- EDPB Guidelines 04/2022 on the calculation of administrative fines (as of: 2026-05-02)