GDPR has applied since May 2018.
And yet, many programmes still struggle.
Not because firms don’t care about data protection.
Not because they don’t have policies.
But because most GDPR programmes are built backwards.
They Start With Documents, Not Data
The first question shouldn’t be:
“Where is our privacy policy?”
It should be:
“What data do we actually hold?”
Many organisations implement GDPR through paperwork:
- Privacy notices
- Data protection policies
- DPIA templates
- Retention schedules
But they never fully map:
- Data flows
- Processing purposes
- Lawful bases
- Operational ownership
Without understanding the data lifecycle, documentation becomes decorative rather than protective.
Ownership Is Often Unclear
Another common issue is responsibility.
GDPR is frequently assigned to:
- Legal
- Compliance
- An external consultant
But the operational teams continue handling personal data every day.
If the people collecting, storing and using personal data don’t understand:
- Their lawful basis for each processing activity
- Their retention obligations
- Their breach reporting responsibilities (including the 72-hour window for notifying the supervisory authority)
Then the framework isn’t embedded.
It’s theoretical.
Fear Replaces Practicality
Some programmes fail because they are driven by fear of fines rather than practical risk management.
The result?
- Overly complex controls
- Defensive documentation
- Processes that slow the business
Effective data protection should be proportionate and commercially realistic.
It should:
- Protect customers
- Reduce operational risk
- Support informed decision-making
Compliance should enable good business, not suffocate it.
GDPR Fails When It Isn’t Operational
The strongest GDPR frameworks I’ve seen share three characteristics:
- Clear data mapping
- Defined accountability
- Practical integration into day-to-day processes
Data protection is not a policy exercise.
It’s an operational discipline.
When firms treat it that way, it works.