Hokhori Consulting

GDPR 2026: The 5 Most Common Mistakes Belgian SMEs Make

No documented legal basis, US tools without safeguards, missing records of processing activities: discover the 5 most frequent GDPR mistakes by Belgian SMEs and how to fix them before an APD inspection.

By Hokho

Eight years have passed since the GDPR came into force in May 2018. Yet the Belgian Data Protection Authority (APD — Autorité de Protection des Données) continues to handle hundreds of complaints every year and consistently finds the same failings, often at the same types of organisations. In 2026, the landscape has hardened: fines are larger, enforcement is more active, and complainants are better informed.

Here are the five most common mistakes we see at SME clients — and, crucially, how to fix each one.

Mistake 1: No Documented Legal Basis for Processing Activities

The mistake

Your company collects email addresses for a newsletter. Your sales team logs prospect phone numbers in a CRM. Your HR department stores medical data to manage sick leave. But on what legal grounds do these processing activities rest?

The GDPR identifies six possible legal bases (Article 6): consent, performance of a contract, a legal obligation, protection of vital interests, a public interest task, and legitimate interests. Yet many SMEs have never formally determined which one applies to each of their processing activities.

Why it matters

Without a documented legal basis, you cannot demonstrate that your processing is lawful. In the event of an inspection or a complaint, the absence of documentation is itself an infringement. The APD can impose fines of up to €20 million or 4% of global annual turnover for unlawful processing of personal data.

In Belgium, APD Decision no. 08/2023 sanctioned a direct marketing company for sending commercial communications without being able to prove either valid consent or a legitimate interest justifying the mailings.

How to fix it

Build an inventory of your processing activities and, for each one, assign a legal basis. Document that choice in your records of processing activities (see Mistake 3). A practical rule: do not default to consent. If processing is necessary for the performance of a contract or to comply with a legal obligation, use those bases — they are more robust and cannot be withdrawn by the individual.

Mistake 2: Using US-Based Tools Without Adequate Safeguards

The mistake

Google Workspace for email and documents, Mailchimp for newsletters, HubSpot for CRM, Zoom for meetings. These tools are convenient and well integrated. But they expose your data to serious legal risk.

The US CLOUD Act of 2018 allows American authorities to demand access to data held by US companies, regardless of where the servers are physically located. Even an AWS data centre in Frankfurt is in scope. Furthermore, the Data Privacy Framework (DPF) — the mechanism governing EU-US data transfers since 2023 — faces legal challenges and could be struck down by the Court of Justice of the EU, as its predecessors Safe Harbour and Privacy Shield were.

Why it matters

Using a US service without a valid transfer mechanism constitutes an infringement of Article 44 GDPR. The Dutch Data Protection Authority (AP) has sanctioned several organisations for unlawful transfers to the United States. In Belgium, the APD has published guidance confirming that the DPF does not exempt companies from assessing residual risks.

How to fix it

For each US tool you use, verify:

  • That the vendor is DPF-certified and that you have signed Standard Contractual Clauses (SCCs)
  • That you have completed a Transfer Impact Assessment (TIA) documenting residual risks
  • That additional technical safeguards (end-to-end encryption, pseudonymisation) are in place where needed

For sensitive or strategic data, consider European alternatives: Infomaniak, OVHcloud, Nextcloud, Proton. Migration is not always necessary, but it must be a conscious, documented decision.

Mistake 3: No Records of Processing Activities

The mistake

Article 30 GDPR requires every organisation to maintain records of processing activities. This document lists all personal data processing carried out by the organisation and records, for each activity: the purpose, categories of data, data subjects, recipients, retention periods, and security measures.

Formally, this obligation only applies to organisations with more than 250 employees. But the carve-out that brings smaller organisations back into scope is broad: they must also maintain records when processing is likely to result in a risk to the rights and freedoms of individuals, involves special category data, or is not carried out on an occasional basis. In practice, almost every active SME is covered.

Why it matters

Records of processing activities are the first document an APD inspector will request during an audit. Their absence is directly sanctionable. Beyond compliance, without records you cannot govern your GDPR programme: you do not know what you are processing, and therefore you cannot protect it properly.

How to fix it

Start with a simple spreadsheet with the following columns: processing activity name, internal owner, purpose, legal basis, categories of data, data subjects, recipients, transfers outside the EU, retention period, security measures. Work through your most common activities first: HR, customers, prospects, suppliers, website. We cover the full method in our dedicated guide to records of processing activities.

Mistake 4: Ignoring the 72-Hour Data Breach Notification Obligation

The mistake

An employee loses a laptop containing customer data. Ransomware encrypts your servers. An email is sent to the wrong distribution list. These incidents happen — and many companies either have no process in place to detect them, or handle them internally without notifying the APD.

Article 33 GDPR requires any personal data breach to be notified to the APD within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Why it matters

Failure to notify is sanctioned by the APD, but what typically aggravates the situation is the attempt to keep the incident internal. In Belgium, APD Decision no. 114/2023 fined a company not only for the breach itself, but for waiting more than three weeks before notifying — without adequate justification.

How to fix it

Put an internal incident response process in place:

  1. Detection: who can report an incident? (any employee with access to personal data)
  2. Assessment: is this a notifiable breach? Document your reasoning even if you conclude notification is not required
  3. Notification to the APD: use the APD's online notification form within 72 hours
  4. Notification to data subjects: if the breach is likely to result in a high risk (Article 34 GDPR)
  5. Documentation: record every incident in a breach register, including those that were not notified

Mistake 5: Treating Consent as the Only Valid Legal Basis

The mistake

Out of caution — or simply unfamiliarity with the other legal bases — many SMEs ask for consent for every single processing activity. The result: overcrowded cookie banners, convoluted sign-up forms, and, more seriously, fragile databases because consent can be withdrawn at any time.

Why it matters

Consent is the most demanding legal basis under the GDPR. It must be freely given, specific, informed, and unambiguous. Consent obtained via a pre-ticked box, ambiguous wording, or an imbalanced relationship (such as employer/employee) is not valid. Using consent where legitimate interests or performance of a contract would be more appropriate creates unnecessary fragility.

The Belgian APD has issued clear guidance on cookies: a simple "OK" banner without an equally easy way to refuse is not valid consent. APD Decision no. 21/2023 sanctioned a Belgian website publisher for non-compliant consent collection practices.

How to fix it

Apply the "most appropriate basis" rule:

Situation                                       Recommended basis
----------------------------------------------  ------------------------------------------------------
Contract performance (e.g. delivery)            Performance of a contract (Art. 6.1.b)
Legal obligation (e.g. accounting retention)    Legal obligation (Art. 6.1.c)
B2B commercial prospecting                      Legitimate interests (Art. 6.1.f), backed by a legitimate interests assessment (LIA)
Opt-in newsletter                               Consent (Art. 6.1.a)
Analytics cookies                               Consent (Art. 6.1.a)
HR — administrative management                  Contract performance / Legal obligation

Reserve consent for situations where it is genuinely the most appropriate mechanism — and ensure it is then collected correctly.

Conclusion: GDPR Compliance Is an Ongoing Process

These five mistakes share a common root: a reactive approach rather than a structured programme. GDPR compliance is not a one-off project to tick off and forget. It is an ongoing process that requires documentation, training, and regular review.

In 2026, the APD has increased enforcement resources and actively cooperates with other European supervisory authorities through the European Data Protection Board (EDPB). Organisations that have not built a robust compliance programme face growing exposure.

The good news: many of these mistakes can be corrected quickly, with a clear method and a focus on documentation.
