The GDPR has been in application since May 2018. Seven years later, the audits and DPO (Data Protection Officer) engagements I conduct reveal the same recurring failures - often in companies that believed they were compliant. Over that period, the regulatory environment has become considerably more complex: the Schrems II ruling in 2020 invalidated the Privacy Shield and imposed strict conditions on data transfers outside the EU, the AI Act entered into force in 2024 and creates new obligations for systems processing personal data, and European supervisory authorities have significantly toughened their approach.
Here is what companies still get wrong - and why it deserves to be taken seriously.
Data transfers outside the EU: a poorly mastered subject
Schrems II invalidated the Privacy Shield mechanism and required that transfers of personal data to third countries be framed by appropriate safeguards - typically the European Commission's Standard Contractual Clauses (SCCs), accompanied by a Transfer Impact Assessment (TIA). On paper, many companies have updated their data processing agreements (DPAs) with their US providers. In practice, very few have actually conducted the required transfer impact assessment.
The risk is real: using an American cloud provider, CRM tool, email service, or even certain videoconferencing tools without having properly documented the resulting data transfer exposes the organisation to significant sanctions - and to difficulties in the event of a user complaint.
The processing register: incomplete or outdated
The record of processing activities is one of the most fundamental GDPR obligations - and one of the least well maintained. In many organisations, it was created during the initial 2018 compliance exercise and has never been updated. New tools have been integrated, new categories of data processed, new providers added - without the register reflecting these developments.
An incomplete register does not protect the organisation. It gives a false impression of compliance while leaving blind spots that will become problematic in the event of an audit or incident.
The AI Act and its intersection with the GDPR
The AI Act introduces new obligations for organisations that use or deploy AI systems - including commercial tools such as certain assistants, scoring systems, or automated recruitment tools. For AI systems that process personal data, GDPR and AI Act obligations accumulate.
Most organisations using AI tools in their HR, commercial or operational processes have not yet assessed whether these uses comply with both texts simultaneously. This is a blind spot that will become increasingly visible as supervisory authorities develop expertise on the subject.
Data subject rights: processes not always operational
The GDPR grants rights to individuals whose data is processed: access, rectification, erasure, portability, objection. These rights must be exercisable within strict timeframes - generally one month. In many organisations, the process for responding to these requests is not truly operational: no clear entry point, no documented procedure, no system for tracking requests received and responses provided.
This is a genuine risk area - complaints to supervisory authorities very frequently concern rights requests that did not receive a correct response.
What this means for your organisation
GDPR compliance is not a state reached once and for all. It is ongoing governance, which must evolve with regulation, with the organisation's practices, and with authority decisions. This is precisely why the DPO function - external or internal - has value: not to produce documentation, but to maintain operational vigilance over a regulatory framework that continues to evolve.