The most common mistakes in GDPR documentation and how to avoid them


Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, most organisations have put in place a record of processing activities as well as policies and procedures related to data protection.
Yet documentation often remains a weak point: incomplete records, unclear retention periods, superficial DPIAs, poorly defined responsibilities, etc. These gaps create legal, financial and operational risks.
Here is a breakdown of frequent mistakes and concrete solutions to avoid them.

The record is often the first document requested during an audit. However, it is generally:
• Non-existent or incomplete (no legal basis, incomplete list of data categories, etc.)
• Too outdated to reflect operational reality
How to fix this quickly:
• Describe each processing activity with precise purposes. Example: “Management of job applications” instead of “HR”
• Fill in all required information according to Article 30 of the GDPR
• Document the legal bases in the record. Example: keep proof of consent; prepare a legitimate interest assessment when relying on legitimate interest
• Update the record regularly. Example: full review every one to two years, plus immediate updates when major changes occur (e.g., new HRIS)
Tip: organise a workshop with operational teams to ensure the record truly reflects reality and to explain its importance.

Limiting data retention seems simple, yet it is one of the most frequently sanctioned issues.
Typical mistakes:
• No retention period or criteria documented in the record
• No actual purge performed
• Teams do not know “who purges what, when, and how”
• Some systems keep data indefinitely (“just in case”)
How to do it correctly:
• Define a precise retention period whenever possible. Legal, business and DPO input will be essential.
• Formalise a data retention and deletion policy, including a reference framework
• Automate deletion or archiving whenever possible
• Ensure processors apply the same logic
Common case: marketing databases grow bigger over time, while many entries are no longer valid. Regular purges improve both compliance and campaign performance.

Most organisations work with dozens of service providers (hosting, IT support, marketing, SaaS tools, etc.). But documentation related to processors is often:
• Not supported by evidence (audits, certificates, technical sheets, documents to be reviewed by IT or the DPO, etc.)
• Incomplete (no GDPR-compliant Article 28 agreement signed)
• Not up to date
Best practices:
• Keep an up-to-date list of all processors involved in processing activities
• Verify that each agreement includes a GDPR-compliant Article 28 clause (assistance duties, security measures, etc.)
• Keep evidence of compliance (certifications, audit grids, etc.)
• Schedule regular reviews of service providers
Important: the controller must verify, before contracting, that the processor complies with the GDPR.

The Data Protection Impact Assessment (DPIA) is often viewed as a simple formality. In practice, the following issues are typical:
• Missing DPIAs where they are required
• DPIAs that are too general or incomplete
• No actual mitigation measures
• Lack of DPO consultation
• Poorly assessed risks (“low” by default)
What needs to be done:
• Identify which DPIAs must be carried out
• Involve the right people (DPO, IT, relevant business owners, etc.)
• Clearly describe how the processing works
• Identify real risks to individuals
• Define proportionate and realistic measures (pseudonymisation, access limitation, etc.)
Note: a well-conducted DPIA can become a genuine security management tool, not just an administrative checkbox.

GDPR information notices are the shop window of compliance. Yet they are often:
• Missing or too long
• Vague (“your data may be used for various purposes…”)
• Not aligned with the record
• Outdated
What actually works:
• Describe each processing operation with precise purposes
• Write in clear, simple language (accessible to all), while complying with Articles 13 and 14 of the GDPR
• Prepare a standard information notice template, to be adapted and reviewed by the DPO
• Prioritise essential notices first (website, HR information notices, customer notices), then expand as quickly as possible
• Ensure consistency between the record of processing activities and information notices
Note: If consent is the legal basis, it must be specific to each purpose and cover all uses.
Tip: run a workshop on information notices with relevant teams.

Security goes far beyond technical tools such as antivirus software or firewalls (which must, of course, be kept up to date). It also includes governance (internal processes, employee training, access rights management, etc.) to reduce risks effectively.
Common mistakes:
• No clear policy
• Measures declared but not applied
• No record of audits, tests or reviews
• No data breach management plan
Examples of actions to meet the required level:
• Have your IT department establish an information systems security policy (ISSP) and an IT charter
• Train teams on GDPR and general security practices (phishing, etc.)
• Document controls (penetration tests, access reviews, etc.)
• Implement a data breach management procedure and ensure teams understand it
Tip: prepare a practical data breach response sheet and run a workshop on the topic.

Effective GDPR documentation must not remain theoretical. It is a living framework grounded in real practices and useful for managing and securing personal data processing.
The most mature organisations do not chase legal perfection; they aim for clear documentation, regularly updated, connected to operational reality, and supported by leadership.
The right approach: start simple, update over time, and embed compliance into daily work habits.