Most small businesses are not careless about data protection. They are just busy, and the guidance is written for people with a legal team. Here are the seven mistakes that come up again and again, and what to do about each.
1. Assuming you are too small to be in scope
The exemption people rely on is narrower than it sounds. It falls away once your processing is regular rather than occasional, or involves special category data. Running payroll is regular, ongoing processing, and the moment you handle sick pay or maternity pay it involves health data too. In practice almost every employer is in scope.
2. Having no Record of Processing Activities
Article 30 of the UK GDPR requires a written record of how you use personal data. It is also the first thing asked for in an audit or a customer security questionnaire. A spreadsheet technically counts; the harder part is keeping it current. See what a ROPA is and who needs one.
3. Defaulting everything to “consent”
Consent is one of six lawful bases, and often the wrong one. If you cannot let someone withdraw consent and stop the processing, you probably should not be relying on it. Pick the basis that actually fits, activity by activity. We wrote a plain-English guide to choosing.
4. Keeping data forever
“We might need it” is not a retention policy. The law expects you to keep personal data no longer than necessary and to be able to say how long that is for each type. Set retention periods, write them down, and actually delete when they pass.
5. No plan for a subject access request
People can ask for a copy of their data in any format and with no special wording, and the clock starts the day they ask. Without a process, a single request becomes a scramble. Here is how to handle one calmly.
6. No process for a data breach
If personal data is lost or exposed and the breach is likely to result in a risk to the people affected, you may have to tell the ICO within 72 hours of becoming aware of it. That is not long to work out what happened. Read what to do in the first 72 hours.
7. A privacy notice that no longer matches reality
A privacy notice written once and never revisited quietly becomes inaccurate the next time you add a tool or a supplier. It should describe what you actually do today, not what you did when someone last had time to write it.
The common thread
Every one of these comes down to the same thing: knowing what personal data you hold and why. Get that straight and the rest becomes routine. If you want a quick read on where you stand, our free GDPR check takes about two minutes.