GDPR: the 3 mistakes that trigger an inspection

The DPA is targeting SMEs

In 2025, the Belgian Data Protection Authority issued more than €2.3 million in fines. SMEs are no longer spared. A dental practice in Antwerp, an e-commerce business in Liège, a fiduciary in Brussels. The profile of sanctioned companies has changed dramatically.

The good news? The three mistakes that trigger the most inspections are easy to fix. If you know which ones.

3 mistakes the DPA won't forgive

1. No record of processing activities. This is GDPR obligation number one, and it's also the first thing the DPA checks. In 2025, 62% of Belgian sanctions involved a missing or incomplete record. This document must list every personal data processing activity, its legal basis and its retention period. Our GDPR training covers this in detail, with a ready-to-use template.

2. Poorly managed consent. Cookie banners with pre-ticked boxes, opt-out instead of opt-in for marketing, forms without legal notices. The DPA fined a Brussels SME €25,000 for a non-compliant cookie banner. The rule is simple: consent must be freely given, specific, informed and unambiguous. Our GDPR training includes a full audit of your forms and cookies.

3. No breach notification procedure. You have 72 hours to notify the DPA of a data breach. Without a documented procedure, that's mission impossible. A company in Charleroi was sanctioned not for the breach itself, but for reporting it too late. Having a response plan ready is what makes the difference between a fine and a simple warning.

Take action

Three things to do this week:

1. Assess your compliance level with our free mini-audit. Two minutes, zero commitment.
2. Train your team. Our GDPR training is available as a lunch & learn, half-day or conference. See the programme.
3. Need an external DPO? Our team supports you through full compliance. Contact us.

DPA inspections aren't slowing down. Better to be ready before you receive the letter.