Data Protection Day 2026: Addressing Common Challenges

What makes data protection difficult today isn’t just the regulation. It’s the volume of data, the speed at which systems and technology change, and the growing number of third parties involved in how organisations operate. Even in 2026, many organisations still face the same recurring issues.

In this blog marking Data Protection Day 2026, we outline six of the most common data protection issues we still see across industries. The good news is that each one is fixable, and improving just a few of these areas can make a big difference in reducing risk and building confidence internally.

ROPA: Don’t Just Set and Forget

One of the most common issues is that the Record of Processing Activities (ROPA) is created once and then filed away. Sometimes it’s a document produced for a compliance exercise or an audit requirement that never gets reviewed again. In many cases, the people who currently work in the organisation don’t even know where it is stored, who owns it, or how it should be maintained.

Another challenge is that many organisations still don’t fully understand what a ROPA is meant to do. Some believe it’s just a list of IT systems, but in practice, it’s one of the most useful and powerful tools an organisation can have for demonstrating accountability. It provides clarity on what data is being processed, why it is being processed, who it is shared with, how long it is kept, and what controls are in place to protect it.

When a ROPA is not updated, organisations end up with a gap between what’s written down and what’s actually happening – that’s where risk grows. Business processes evolve quickly: a company might take on a new vendor, introduce a new HR tool, change payroll providers, launch a new marketing campaign, restructure departments, or expand into new locations. If the ROPA doesn’t reflect these changes, it becomes unreliable, and it won’t provide accurate guidance when it’s needed most.

A good ROPA doesn’t need to be perfect, but it does need to be maintained. The goal is to make sure the organisation can confidently explain its processing, both internally and externally when needed.

A Matter of Time: Clearing up Data Retention Schedules

Another ongoing mistake we see is that retention schedules are either missing entirely, or they exist on paper but are not actually applied in practice. Often, people don’t know what to delete, when to delete it, or even whether they are allowed to delete it. This uncertainty leads to one of the biggest silent risks in organisations.

A practical retention process is about understanding what categories of data exist (HR, finance, customer support, marketing, CCTV, etc.), what retention laws apply, and what internal business needs justify keeping the data for a period of time. Once retention is defined, the next challenge is making sure deletion can actually happen, whether through system settings, secure disposal processes, or controlled archiving methods.

Data you don’t need is data you shouldn’t keep. The longer data stays in your organisation, the higher the chance it will be accessed incorrectly, shared unnecessarily, or exposed through human error or cyber incidents. Having retention schedules and policies will help reduce that exposure and make your organisation more efficient.

Cards on the Table: Are Paper Records Still a Blind Spot?

Operational changes are proposed to the personal data breach notification regime. Controllers would be required to notify supervisory authorities only where a breach is likely to result in a high risk to the rights and freedoms of individuals. The notification deadline would be extended from 72 to 96 hours, and reporting would be submitted through a single-entry reporting point shared with other EU cybersecurity frameworks.

Paperless offices and electronic records have made this less of a consideration for some sectors, but for others, it’s still an issue. Paper-based processing is still personal data processing and it still falls under GDPR obligations.

Sometimes, paper files are kept in offices without clear controls. Organisations should have clear security measures such as storing documents in locked cabinets or secure rooms, limiting access to authorised staff only, and ensuring keys or access codes are controlled and monitored. There should also be practical day-to-day controls, like not leaving files, diaries, or notebooks unattended on desks, following secure printing practices, and preventing documents from being left near printers or in meeting rooms. This might seem minor, but physical data leaks happen more easily than people think, especially in busy organisations. Shredding and confidential waste disposal are the right way to get rid of paper records once they’re no longer needed, so they can’t leak later.

Have a clear retention and disposal process for paper files, including secure shredding or confidential waste services, and ideally keep a record of when documents are destroyed. These basic controls make it easier to respond to a data request, audit, or incident.

Data Subject Access Requests: Knowing Where to Look

Data Subject Access Request (DSAR) readiness is one of the major areas of GDPR compliance: it’s a test of the organisation’s internal data control, coordination, and documentation.

An individual can make a DSAR in many ways: it may be a formal email with the subject line “Data Request,” or it may be a casual message. It may come through HR, customer support, the company website, a manager’s inbox, or even through social media.

The most common DSAR-related issue is that the organisation doesn’t know where to search. Personal data is rarely stored in one place: it exists across HR platforms, finance systems, CRM tools, marketing platforms, shared drives, emails, chat systems, ticketing systems, and third-party vendors. This is where a well-managed ROPA comes into play.

Another challenge is identity verification. Organisations want to respond quickly, but they also need to ensure they are sharing personal data with the correct person. You need to strike a balance: verify identity in a reasonable way, without collecting unnecessary additional information. Requesting excessive additional information is itself a risk, but failing to confirm identity can lead to a serious breach.

Then there is the content of the response. Many people assume a DSAR means “send everything”, but not all information can automatically be shared. Some data might include third-party information, confidential business details, or legally privileged communications. Organisations need a review step to ensure that disclosures are accurate, justified, and properly redacted where required.

The difference between an organisation that is truly DSAR-ready and one that isn’t usually comes down to preparation. Being DSAR-ready doesn’t mean having a large team or fancy software. It means knowing who owns the process, having a workflow, keeping your ROPA up to date, tracking timelines, and ensuring that internal teams have sufficient training to manage the process.

Proving your Case Through Accountability Principles

Under the GDPR’s accountability principle (Article 5(2)), organisations aren’t just responsible for complying with data protection rules, but must be able to demonstrate that compliance through documentation. Keeping documents updated is a core component of this, as outdated records are considered non-compliant. This applies across all records, including privacy notices, policies, procedures, contracts, risk assessments, retention schedules, and DPIAs – all of which should clearly demonstrate how the organisation manages and protects personal data.

Outdated documentation makes it harder to prove compliance during audits, incidents, or regulatory engagement. Therefore, regular review and continuous improvement are essential to ensure documentation remains accurate, meaningful, and aligned to the organisation’s processing activities.

Don’t Underestimate Vendor Risk

Organisations often onboard tools quickly because they are convenient and efficient, but without completing proper vendor due diligence. Another issue is that Data Processing Agreements (DPAs) are signed without understanding what they cover, which sub-processors are involved, or what data transfers may be taking place. Often, there’s no DPA in place at all.

Vendor risk becomes even more serious when it involves personal data being transferred internationally or when vendors rely on sub-processors that the organisation has not reviewed. Many organisations don’t have visibility into where data is processed or stored, especially when tools have global infrastructure.

Good vendor management doesn’t need to be complicated. It begins with asking the right questions early and maintaining a record of vendor processing. It also means reviewing DPAs, understanding the scope of processing, confirming security controls, and ensuring that the organisation can meet its own obligations if something goes wrong.

Conclusion

Data protection in 2026 isn’t just about having documents in place: it’s about having proper compliance across the organisation. Data Protection Day is a good moment to reflect. Keep your ROPAs updated, define retention properly, improve paper record controls, and build DSAR readiness. And, most importantly, make sure your employees receive regular training. In the end, data protection is not only about avoiding regulatory risk. It’s about being compliant and maintaining trust with your clients and employees.

Pam George, BH Consulting