
The 10 Most Common GDPR Mistakes Made by Businesses

12 February 2026 · 12 min read · DPLIANCE

Eight years after the GDPR came into force, the same mistakes keep coming back, again and again. And CNIL (the French data protection authority) is no longer educating — it is sanctioning: 486.8 million euros in fines in 2025, and 87 sanctions totalling 55 million euros in 2024. The simplified procedure now allows rapid sanctions for the most flagrant cases (fines up to 20,000 euros without a hearing).

The problem is not that businesses refuse to comply. It is that they think they are compliant when they are not.

Here are the 10 most common GDPR mistakes — with a concrete example for each, the risks involved, and the solution to fix them.

Mistake 1: Missing or Copy-Pasted Privacy Policy

This is the most visible and most widespread mistake. Either the privacy policy simply does not exist, or it was copied from another site without any adaptation.

The problem: A generic privacy policy does not reflect your company’s actual data processing activities. It does not mention the right purposes, the right recipients, or the right retention periods. During an inspection, it is an immediate red flag.

What the GDPR says: Articles 13 and 14 require transparent, intelligible, and easily accessible information about data processing.

The scale of the problem: During its online inspections, CNIL (French data protection authority) finds that many businesses use privacy policy templates found on the internet, often poorly translated from English, that bear no relation to their actual processing activities. Some mention services they do not use, others omit essential processing such as email marketing or CRM.

How to fix it: Write a policy specific to your business, detailing each processing activity, its purpose, legal basis, recipients, and the rights of individuals. Complio automatically audits your website and identifies gaps in your privacy policy.

Mistake 2: Cookies Dropped Before Consent

Google: a 325 million euro fine in September 2025. SHEIN: 150 million euros. The reason? Advertising cookies dropped before the user even had the opportunity to consent or refuse.

The problem: Many sites drop trackers as soon as the page loads, before any interaction with the cookie banner. Others make refusal harder than acceptance (dark patterns).

What CNIL (French data protection authority) says: Since 2021, CNIL’s cookie recommendations require that refusal be as simple as acceptance. No non-essential tracker can be dropped before explicit consent.

The most common dark patterns: A bright green “Accept” button next to a discreet gray “Settings” link. A banner that closes by accepting cookies if the user clicks anywhere on the page. A “Refuse” button hidden on a second settings screen. All these practices are considered non-compliant by CNIL.

How to fix it: Deploy a compliant CMP (Consent Management Platform) like Cookilio, which blocks all non-essential trackers until the user has given consent, and offers refusal at the same level as acceptance.

Mistake 3: Missing Processing Records

The record of processing activities is mandatory for any business with more than 250 employees, but also for smaller ones if they carry out non-occasional processing (which applies to virtually every business with a website, CRM, or contact database).

The problem: Many businesses simply have no records. Others have a document created once and never updated, which no longer reflects the reality of their processing activities.

What the GDPR says: Article 30 requires maintaining a record detailing the purposes, categories of data, recipients, retention periods, and security measures for each processing activity.

What many do not know: The “fewer than 250 employees” exception is misleading. The GDPR specifies that even businesses with fewer than 250 employees must maintain records if their processing is not occasional, involves sensitive data, or is likely to pose a risk to individuals’ rights and freedoms. In practice, any business with a website featuring a contact form, a newsletter, or a CRM tool is covered.

How to fix it: Start by mapping all existing processing activities (website, CRM, email marketing, payroll, accounting). CNIL (French data protection authority) offers a free records template. Complio facilitates this mapping for your web presence.

Mistake 4: Ignoring Individuals’ Rights

Your customers and users have the right to know what data you hold about them, to have it corrected, deleted, or transferred to another service. In practice, many businesses have no process for handling these requests.

The problem: No dedicated email address, no internal procedure, no request tracking. The legal response deadline (one month) is regularly exceeded or ignored.

What the GDPR says: Articles 15 to 22 define individuals’ rights. Article 12 requires a response within one month.

A concrete case: A customer requests access to their data by email. The message arrives in the company’s general inbox, nobody knows who should handle it, nobody responds. Three months later, the customer files a complaint with CNIL (French data protection authority). The simplified procedure allows CNIL to sanction this type of failure within weeks.

How to fix it: Set up a dedicated email address (dpo@yourcompany.com or gdpr@yourcompany.com), a documented procedure with response templates for each type of right, and a request tracking register with reception and response dates.

Mistake 5: Uncontrolled Processors

Do you use a cloud host, an email marketing tool, a CRM, an analytics tool? Each of these providers is a processor under the GDPR (often rendered as “subprocessor” in translations from French; strictly, a sub-processor is a provider that your processor engages in turn). And each processor must be governed by a contract compliant with Article 28.

The problem: Many businesses do not even know how many processors access their data. Even fewer have a compliant contract with each of them.

What the GDPR says: Article 28 requires a written contract detailing the processor’s obligations, the nature of the processing, security measures, and the conditions under which the processor may engage sub-processors.

Cascading subcontracting: an often underestimated risk. Your email marketing provider may use AWS for hosting, which itself may be subject to the US CLOUD Act. Your CRM may transfer data to servers located outside the European Union without your knowledge. Every link in the chain of processors and sub-processors must be identified and governed.

How to fix it: List all tools and providers that handle personal data. Verify the existence of a Data Processing Agreement (DPA) for each. Prefer processors hosted in Europe to avoid cross-border transfer issues.

Mistake 6: Invalid or Presumed Consent

A pre-checked box is not consent. Scrolling is not consent. Simply continuing to browse is not consent.

The problem: Consent must be freely given, specific, informed, and unambiguous (Article 4(11) of the GDPR). Any form of presumed or implicit consent is invalid.

What CNIL (French data protection authority) says: CNIL has sanctioned businesses multiple times for non-compliant consent mechanisms, particularly through dark patterns making refusal more complex than acceptance.

Beyond cookies: Flawed consent is not just about cookies. Newsletter signup forms with a pre-checked box “I agree to receive partner offers,” terms and conditions that include data processing consent in an unreadable block of text, or pop-ups that leave no choice other than “Accept” are all non-compliant practices.

How to fix it: Ensure that every data collection form uses unchecked boxes by default, with clear information about the intended use. For cookies, use a CMP like Cookilio that guarantees compliant consent.
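As an added example covering both the CMP behaviour in Mistake 2 and the unchecked-by-default rule in Mistake 6 (this is illustrative code, not Cookilio's or CNIL's), here is a minimal consent gate: nothing non-essential may load before an explicit choice, refusing is one call exactly like accepting, and every purpose is unticked by default. Tag ids, purposes and the catalogue are constructed for illustration.

```javascript
// Added example, not Cookilio's or CNIL's code: a consent gate that models the
// rules in the text. Nothing non-essential may load before an explicit choice,
// refusing is one call exactly like accepting, and every purpose is unticked by
// default. Tag ids and purposes are constructed for illustration.
const PURPOSES = ["analytics", "advertising", "social"];

// Constructed catalogue: each tag the site could load, tied to one purpose.
// "essential" covers strictly necessary tags (session handling, the CMP itself).
const TAG_CATALOG = [
  { id: "session-cookie", purpose: "essential" },
  { id: "analytics-script", purpose: "analytics" },
  { id: "ad-pixel", purpose: "advertising" },
  { id: "share-widget", purpose: "social" },
];

class ConsentGate {
  constructor() {
    this.choices = null;   // null = no choice yet: blocks like a refusal, but is not one
    this.decidedAt = null; // timestamp kept as proof of the choice
  }
  // Refusal and acceptance are symmetrical: one call each, no extra screen.
  refuseAll() { this.record(Object.fromEntries(PURPOSES.map(p => [p, false]))); }
  acceptAll() { this.record(Object.fromEntries(PURPOSES.map(p => [p, true]))); }
  // Granular choice: a purpose counts as accepted only if explicitly ticked,
  // so an empty form is a refusal, never a pre-checked acceptance.
  setChoices(ticked) {
    this.record(Object.fromEntries(PURPOSES.map(p => [p, ticked[p] === true])));
  }
  record(choices) {
    this.choices = choices;
    this.decidedAt = new Date().toISOString();
  }
  // Deliberately no hook for scroll, click-outside or "continue browsing":
  // those must never be turned into consent.
  hasDecided() { return this.choices !== null; }
  // The only question the tag loader may ask before injecting a script.
  mayLoad(tag) {
    return tag.purpose === "essential" || (this.hasDecided() && this.choices[tag.purpose] === true);
  }
  allowedTags(catalog = TAG_CATALOG) {
    return catalog.filter(t => this.mayLoad(t)).map(t => t.id);
  }
}
```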

Mistake 7: Data Retained Indefinitely

“Keep everything, just in case.” This is probably the most dangerous phrase in GDPR compliance.

The problem: Retaining data beyond the period necessary for the purpose for which it was collected constitutes a violation of Article 5(1)(e) of the GDPR (storage limitation principle).

What the GDPR says: Data may only be retained for as long as necessary for the purposes for which it was collected. Beyond that, it must be deleted or anonymized.

Concrete examples of retention periods: CNIL (French data protection authority) publishes sector-specific retention guidelines. For a prospect who did not respond to a commercial solicitation, the maximum retention period is 3 years from the last active contact. For job application data, it is 2 years maximum. For connection logs, it is generally 1 year. For billing data, accounting obligations require retention for 10 years, but this does not justify retaining all data associated with the order.

How to fix it: Define a retention period for each processing activity in your records, using CNIL’s sector-specific guidelines as a reference, and implement automatic purge procedures that delete or anonymize data once its period has elapsed.
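As an added example (not CNIL's or Complio's code) of the purge procedure described above: a retention schedule using the periods quoted in the text, a selector that decides which records are due for deletion or anonymization on a given date, and a minimisation step for billing data. The records, the category names and the billing fields are constructed assumptions.

```javascript
// Added example, not CNIL's or Complio's code. Retention periods are the ones
// quoted in the text; categories, fields and sample records are constructed.
const RETENTION_YEARS = {
  prospect: 3,         // from the last active contact
  job_application: 2,
  connection_log: 1,
  billing: 10,         // accounting obligation
};

function addYears(date, years) {
  const d = new Date(date);
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

// "anchor" is the date the clock runs from: the last active contact for a
// prospect, the collection date otherwise. A record whose category has no
// defined period is rejected: the period must exist in the records first.
function selectForPurge(records, today) {
  const purge = [], keep = [];
  for (const r of records) {
    const years = RETENTION_YEARS[r.category];
    if (years === undefined) throw new Error(`no retention period defined for ${r.category}`);
    (today >= addYears(r.anchor, years) ? purge : keep).push(r.id);
  }
  return { purge, keep }; // "purge" = delete or anonymize, per the text
}

// Keeping billing data for 10 years does not justify keeping the whole order:
// retain only the fields the accounting obligation needs (assumed field names).
function minimiseBillingRecord(order) {
  const { id, invoiceNumber, amount, date } = order;
  return { id, invoiceNumber, amount, date };
}

// Constructed sample records.
const SAMPLE_RECORDS = [
  { id: "p1", category: "prospect", anchor: "2022-01-10" },
  { id: "p2", category: "prospect", anchor: "2024-06-01" },
  { id: "j1", category: "job_application", anchor: "2023-11-30" },
  { id: "l1", category: "connection_log", anchor: "2025-03-01" },
  { id: "b1", category: "billing", anchor: "2017-02-01" },
];
```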

Mistake 8: No DPO When One Is Required

Certain businesses are required to appoint a Data Protection Officer and fail to do so, either through ignorance of the obligation or refusal to allocate the necessary resources.

The problem: The absence of a DPO when one is required is a non-compliance in itself, regardless of any other failure.

What the GDPR says: Article 37 requires a DPO for public authorities, businesses whose core activity involves regular and systematic large-scale monitoring, and those processing sensitive data on a large scale.

The confusion about scope: Many businesses think they are not concerned because they are not in “tech.” Yet a temp agency managing thousands of candidate profiles, a pharmacy network processing health data, or a retail chain with a loyalty program are all potentially subject to the DPO requirement.

How to fix it: Objectively assess whether your business falls into one of the three mandatory cases. If so, appoint an internal or external DPO. If not, consider designating an internal GDPR point person anyway.

Mistake 9: Undocumented Cross-Border Transfers

Using Google Analytics, US-hosted AWS, Mailchimp, or any other American service without adequate safeguards constitutes a potentially illegal transfer of data outside the EU.

The problem: Since the Schrems II ruling (July 2020), transfers to the United States no longer benefit from automatic protection. The EU-US Data Privacy Framework adopted in 2023 is legally challenged and could be invalidated (potential “Schrems III”).

What the GDPR says: Articles 44 to 49 strictly regulate cross-border transfers. The data controller must guarantee a level of protection equivalent to the GDPR.

The iceberg of invisible transfers: Beyond the tools you are aware of, your website may transfer data to the United States invisibly. Google Fonts loads files from American servers and transmits the visitor’s IP address to Google. An American CDN like Cloudflare sees all data exchanged between your site and your visitors. A Facebook pixel drops cookies and transfers behavioral data to Meta’s US servers.

How to fix it: Map data flows to third countries. Prefer solutions hosted in Europe. Replace Google Analytics with Mirage Analytics, hosted on Scaleway in Europe, which transfers no data outside the EU.
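As an added example (not Complio's or the page's code) of mapping the invisible transfers described above: a scan of a page's HTML that inventories every third-party host it loads scripts, stylesheets, images or frames from, and separates hosts already documented as EU-hosted from those still needing a transfer assessment. The HTML, the EU-hosted list and the placeholder IDs are constructed.

```javascript
// Added example, not Complio's code: inventory the third-party hosts a page loads
// resources from, so each can be entered in the transfer map. The HTML, the
// "documented EU-hosted" list and the placeholder IDs are constructed.
const EU_HOSTED = new Set(["cdn.example.eu"]); // constructed: already documented as EU-hosted

const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdn.example.eu/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" height="1" width="1">
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_ID_PLACEHOLDER"></script>
</body></html>`;

// Pull every src/href out of script, link, img and iframe tags; relative URLs
// resolve to the site itself and are therefore not transfers.
function externalHosts(html, siteHost) {
  const re = /<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[1], `https://${siteHost}/`); } catch (e) { continue; }
    if (url.host !== siteHost) hosts.add(url.host);
  }
  return [...hosts].sort();
}

// Split the inventory into documented EU-hosted providers and hosts that still
// need a transfer assessment (country, legal basis, safeguards) in the records.
function transferInventory(html, siteHost) {
  const hosts = externalHosts(html, siteHost);
  return {
    documented: hosts.filter(h => EU_HOSTED.has(h)),
    toAssess: hosts.filter(h => !EU_HOSTED.has(h)),
  };
}
```

A scan of the served HTML catches only what is declared in markup; resources added later by scripts need a runtime capture of outgoing requests as well.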

Mistake 10: No Notification in Case of a Breach

FREE Mobile and FREE: 42 million euros fine in January 2026 for insufficient security measures that allowed access to the data of 24 million subscribers. France Travail: 5 million euros for vulnerabilities that exposed the data of millions of registrants.

The problem: Many businesses have no procedure for detecting and notifying data breaches. Some discover the leak through the press.

What the GDPR says: Article 33 requires notification to CNIL (French data protection authority) within 72 hours of discovering the breach. Article 34 requires informing the persons concerned if the risk is high.

The 72 hours start at discovery, not at the incident. CNIL considers that the data controller must have put in place measures to quickly detect breaches. A nonexistent or failing detection system is not an excuse for delayed notification. On the contrary, CNIL has sanctioned businesses for discovering a breach with excessive delay, considering that adequate monitoring measures would have enabled faster detection.

How to fix it: Implement an incident detection process (logs, monitoring, alerts). Document a notification procedure with clear responsibilities and pre-drafted templates. Train teams to identify and report security incidents.
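As an added example (not CNIL's or the page's code) of the detection process and the 72-hour clock described above: a rule that runs over constructed access-log lines and flags one account reading an unusual number of distinct customer records within an hour, stamping the moment the rule fired as the discovery time from which the Article 33 deadline is computed. The log format, the account names and the threshold are assumptions for illustration.

```javascript
// Added example, not CNIL's code: a bulk-read detection rule over constructed
// access-log lines, plus the Article 33 clock that starts at discovery (when the
// rule fires), not when the reads began. Format, names and threshold are assumed.
const BULK_READ_THRESHOLD = 50; // distinct records per account per hour
const HOUR_MS = 60 * 60 * 1000;

// Assumed line format: "<ISO timestamp> <account> <action> customer/<id>".
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) customer\/(\d+)$/.exec(line);
  return m ? { ts: new Date(m[1]), account: m[2], action: m[3], record: m[4] } : null;
}

// Sliding one-hour window per account (lines must be time-ordered per account);
// emits at most one alert per account, stamped with the time the threshold was crossed.
function detectBulkReads(lines, threshold = BULK_READ_THRESHOLD) {
  const windows = new Map();
  const alerted = new Set();
  const alerts = [];
  for (const ev of lines.map(parseLine).filter(Boolean)) {
    if (ev.action !== "read") continue;
    const w = windows.get(ev.account) || [];
    w.push(ev);
    while (w[0].ts.getTime() < ev.ts.getTime() - HOUR_MS) w.shift();
    windows.set(ev.account, w);
    const distinct = new Set(w.map(e => e.record)).size;
    if (distinct >= threshold && !alerted.has(ev.account)) {
      alerted.add(ev.account);
      alerts.push({ account: ev.account, discoveredAt: ev.ts, distinctRecords: distinct });
    }
  }
  return alerts;
}

// Article 33: 72 hours from the moment the controller became aware.
function notificationDeadline(discoveredAt) {
  return new Date(discoveredAt.getTime() + 72 * HOUR_MS);
}

// Constructed log: a service account pulls 60 distinct records in one hour;
// a user re-reads the same record twice, which is not a bulk read.
function buildSampleLog() {
  const lines = [];
  for (let i = 0; i < 60; i++) {
    lines.push(`2026-02-09T22:${String(i).padStart(2, "0")}:00Z svc-export read customer/${2000 + i}`);
  }
  lines.push("2026-02-09T22:05:00Z bob read customer/77", "2026-02-09T22:06:00Z bob read customer/77");
  return lines;
}
```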

The True Cost of Non-Compliance

Fines are only the visible part. An unmanaged data breach also means:

  • Loss of customer trust
  • Lasting reputational risk
  • Legal and technical remediation costs
  • Competitive advantage handed to compliant competitors
  • Potential exclusion from public and private tenders
  • Impact on company valuation during fundraising or acquisition

GDPR compliance is not a burden. It is an investment in trust.

FAQ

What are the highest GDPR fines in France?

In 2025, the most significant CNIL fines were: Google (325 million euros for cookies dropped without consent), SHEIN (150 million euros for the same reason), FREE Mobile and FREE (42 million euros for security failures), and France Travail (5 million euros for insufficient security). Source: CNIL (French data protection authority) — Sanctions Report 2025.

Does CNIL inspect small businesses?

Yes. The simplified procedure implemented by CNIL allows rapid sanctions for straightforward cases, with fines up to 20,000 euros. Small and medium businesses are not exempt from inspections. In 2025, more than 60% of sanctions targeted SMEs. CNIL uses automated tools to scan websites, allowing it to detect the most common violations without any human intervention.

Can Google Analytics be used in France?

It is legally risky. Google Analytics transfers data to the United States. The EU-US Data Privacy Framework is challenged and could be invalidated. For peace of mind regarding compliance, opt for a solution like Mirage Analytics that hosts all data in Europe and drops no cookies.

How do I know if my website is GDPR-compliant?

A compliance audit identifies gaps: non-compliant cookies, missing or incomplete privacy policy, undeclared third-party trackers. Complio performs this audit automatically and provides an actionable report with a compliance score and concrete recommendations.

How long does it take to become compliant?

For a small business with a simple website, a few days suffice for the essentials (privacy policy, CMP, compliant analytics). For a medium-sized or larger company with complex processing, allow several weeks to a few months for a complete compliance program. The important thing is to start with the most visible risks — particularly the website, which CNIL can inspect at any time — and progress step by step.


Sources: CNIL (French data protection authority) — Sanctions Report 2025, CNIL — Sanctions and Corrective Measures 2024, CNIL — FREE Sanction, CNIL — France Travail Sanction, CNIL — Google Sanction. Article updated February 12, 2026.