GDPR in Practice – Things Most Companies Have No Idea About (But Should)

GDPR has been in force since 2018, but in most companies and institutions, it looks the same as on day one: somewhere there are some “policies”, someone once did a “document-based” implementation, and personal data… well, lives its own life.

The longer I work with organisations, the more I see that GDPR is not a legal problem. GDPR is an organisational and technical problem.
This means that knowing the regulations alone does nothing – you need to know how to organise data, processes, people, and systems to avoid risks.

Below, you’ll find a practical guide that shows where companies most often make mistakes and what true GDPR compliance means in 2025.


1. GDPR Is Not Documents. GDPR Is Processes and Accountability

The most common pattern:

Then an incident happens: a former employee takes data, a laptop is stolen, or someone sends an email to 150 people in CC instead of BCC.

And that’s when real GDPR begins:
can we prove we knew what we were doing?

GDPR is a system:

It’s not a one-time project – it’s a cycle where we are accountable for data from start to finish.


2. “We Have GDPR” ≠ “We Are GDPR-Compliant”

Having a security policy doesn’t mean the company follows it.
Regulators and auditors look at reality, not what’s in the binder.

Most common sins:

True compliance starts when:


3. Personal Data Is Everywhere – Even Where No One Sees It

Examples from real companies:

GDPR doesn’t say: “have documents”.
GDPR says: have control over all data – identify, classify, protect, delete.
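The four verbs above (identify, classify, protect, delete) are the part of GDPR that a script can actually help with. As an added example that is not part of the original post, the Python below runs a minimal personal-data inventory over a handful of constructed records imitating exports from an HR spreadsheet, a helpdesk ticket, an ownerless file on a shared drive and an application log. It detects e-mail addresses and phone numbers, and for every hit decides the follow-up action: assign an owner where none is recorded, restrict access, and flag data older than an assumed retention period for deletion review. The system names, owners, dates, the detection patterns and the five-year retention default are all assumptions made for the illustration, not values from the page.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample records: snippets "exported" from a few systems of a
# fictional company. Assumption: each export carries a system name, the
# responsible owner if one is known, and the creation date of the data.
SAMPLE_RECORDS = [
    {"system": "hr_export.csv", "owner": "HR", "created": "2017-03-10",
     "text": "Jan Kowalski, jan.kowalski@example.com, tel. +48 600 100 200"},
    {"system": "helpdesk_ticket_4411", "owner": "IT", "created": "2025-01-05",
     "text": "User reports VPN issue. Contact: anna.nowak@example.org"},
    {"system": "shared_drive/Marketing/list.xlsx", "owner": None, "created": "2019-07-01",
     "text": "Newsletter leads: m.zielinski@example.net; p.wisniewska@example.net"},
    {"system": "app.log", "owner": "IT", "created": "2025-02-20",
     "text": "INFO request served in 12ms for /health"},
]

TODAY = date(2025, 6, 1)          # fixed reference date so the run is reproducible
DEFAULT_RETENTION_DAYS = 5 * 365  # assumed retention period; a real policy sets this per category

# Detectors for two common personal-data categories found in office data.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}


@dataclass
class Finding:
    system: str
    owner: Optional[str]
    categories: Dict[str, List[str]]
    age_days: int
    actions: List[str]


def identify(text: str) -> Dict[str, List[str]]:
    """Identify: return every personal-data match in the text, grouped by category."""
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[name] = matches
    return found


def classify(record: dict, today: date = TODAY,
             retention_days: int = DEFAULT_RETENTION_DAYS) -> Optional[Finding]:
    """Classify, protect, delete: decide what must happen with a record holding personal data.

    Returns None for records without personal data, otherwise a Finding whose
    actions list is the to-do for the data owner.
    """
    categories = identify(record["text"])
    if not categories:
        return None
    age_days = (today - date.fromisoformat(record["created"])).days
    actions: List[str] = []
    if record["owner"] is None:
        actions.append("assign_owner")          # nobody is accountable for this data
    actions.append("restrict_access")           # protect: every PII store needs access control
    if age_days > retention_days:
        actions.append("review_for_deletion")   # delete: retention period exceeded
    return Finding(record["system"], record["owner"], categories, age_days, actions)


def inventory(records: List[dict], today: date = TODAY,
              retention_days: int = DEFAULT_RETENTION_DAYS) -> List[Finding]:
    """Run the cycle over every record and keep only those that hold personal data."""
    findings = (classify(r, today, retention_days) for r in records)
    return [f for f in findings if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how many stores need each action; this is the evidence an auditor asks for."""
    counts: Dict[str, int] = {}
    for f in findings:
        for action in f.actions:
            counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = inventory(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.system:40} owner={f.owner!s:5} age={f.age_days:5}d "
              f"categories={sorted(f.categories)} actions={f.actions}")
    print("summary:", summarize(inventory(SAMPLE_RECORDS)))
```

The point of the script is not the regexes (real data discovery tools do far more) but the shape of the output: a per-system list of who owns the data, what kind of data it is, and what action is overdue. That list is what turns "we have GDPR" into something you can show.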


Most companies check suppliers for price, quality, delivery – but forget GDPR.

Reality:

GDPR requires:

One weak supplier = your GDPR violation.


5. Incidents and Breaches – Not “If”, But “When”

Most companies have an “incident procedure” – but it’s never tested.

Common mistakes:

GDPR Art. 33-34: report high-risk breaches within 72 hours.

But real value: use incidents to improve – analyse, fix, train.


6. GDPR = Risk Management + Cybersecurity

Few say it out loud:

GDPR is nothing but risk management + cybersecurity.

Art. 32 GDPR:

Sounds like ISO 27001? NIST? CMMC Level 1/2?

Because it is exactly that.

The problem arises when:

GDPR works only when:

form a coherent system.


7. The Key Question: Can the Company Show Evidence?

GDPR in 2025 is about evidencing – proving that procedures work.

Not:

But:

Documents are 20%. Evidence is 80%.


8. GDPR in SMEs – What You Really Need

Contrary to appearances, most companies don’t need a 300-page implementation.

What they really need:

In practice, companies need an external data security operator who handles everything holistically: from procedures to firewalls and backups.


9. GDPR Doesn’t Have to Be Hard, But It Must Be Consistent

Implementations fail when:

It works when:


10. The Future of GDPR Is Automation and Cybersecurity

The world is moving towards:

GDPR is becoming less paper-based and more cyber-centric.

Companies stuck with documents and “nice binders” will fall behind.
Those shifting GDPR to:

will be secure regardless of regulatory changes.


Summary

GDPR is not black magic, but it requires:

It’s a blend of cybersecurity, digital forensics, and risk management.

Companies that want peace of mind seek someone who can bridge these worlds – not just write documents.


Get in Touch

Secure your company.
I help with selection, implementation, and auditing of effective protection solutions.

Email: biuro@wichran.pl
Phone: +48 515 601 621


Author: Piotr Wichrań – Court-appointed IT forensic expert, IT/OT cybersecurity specialist, licensed private investigator
@Informatyka.Sledcza