The Myth of Being “GDPR Compliant”

  • Writer: Laura Palmariello
  • 1 day ago
  • 6 min read

You might have seen it on a website, brochure or LinkedIn post saying "We are GDPR compliant". It sounds safe and authoritative. But I find this to be an incredibly unethical marketing strategy. The phrase is misleading and it is wrong.


I also find it hard not to comment when I see it, but who am I to publicly embarrass organisations that might just not know better. I might give them a gentle nudge in the background, though most do not care. It works for marketing after all. Still, I always tell my clients to be cautious because it should be a red flag.


Saying you are GDPR compliant is like saying you have arrived at a destination that does not exist. Compliance is a continuous journey and you cannot get a badge for it.

Why GDPR Compliant Is a Red Flag

The GDPR does not hand out certificates or badges to say you have made it. It is a legal framework built on principles and obligations, not a checklist you can tick off and frame on the wall.


Yes, there are certification schemes and it is great to work towards compliance, but these are voluntary and focus on very specific things such as particular processes, policies or technical measures that can be independently assessed. They do not provide a sweeping "we are compliant with GDPR" seal for an entire organisation, and certainly not one approved by the regulator.


The problem is that some companies use "GDPR compliant" as a slogan to sound credible. It is often not done out of bad intent, but it is still misleading. It creates a false sense of security for customers, partners and anyone trusting them with data, because it suggests there has been some official stamp of approval when there has not. And that leads to fewer checks and assurance verifications.


And really, saying you are GDPR compliant is like saying you have finished learning. It completely misses the point. Compliance is not a one-off task. It is a continual practice of accountability, review, risk management and transparency, and most of all training, awareness and communication.


Compliance is also about justification and documentation. It is showing your reasoning for the decisions you have made and the safeguards you have put in place. What that looks like in one organisation might be completely different in another and that is fine. It should be proportionate to your context and risk. But this is not evidence that you are compliant. It is evidence that you have considered compliance and are doing what you can, which is exactly what the law expects.


There are some things you can comply with, such as maintaining a Record of Processing Activities, having a Privacy Notice, or conducting DPIAs. But these do not make you GDPR compliant. They simply show that you are meeting certain obligations, and whether they meet the standard required is another story altogether.


When Good Intentions Go Wrong

I have had clients approach me completely convinced they were GDPR compliant because that is what a supplier told them. They had been sold software, templates or outsourced services with the promise that "this makes you compliant". Of course, when we looked properly, it turned out the product or service helped with certain aspects, but it did not make them compliant. It just meant they had taken one small step in the right direction.

I have also heard people confidently say "We are fine in that department, we have ISO 27001". And do not get me wrong, ISO 27001 certification is a fantastic achievement. It is an excellent information security framework that strengthens controls, processes and risk management. But it is not evidence of GDPR compliance. Many certification schemes overlap with data protection, but that does not make them compliant. They offer recognition for specific standards, not GDPR as a whole.


To be honest, it is a bit like me having the CIPP/E badge. Yes, people buy into it, but what makes me good at what I do is certainly not the badge. But that is a topic for another article.


I would honestly challenge anyone who claims they are GDPR compliant to explain exactly what they mean by that. Are they saying they will never have a data breach? That their staff will never make mistakes? That their processes will never fail under pressure? None of those things are realistic. Compliance is not about being perfect. It is about being accountable, proactive and transparent when things go wrong.


Who would you trust more? The organisation with the GDPR equivalent of an Instagram filter, or the one willing to show you the unfiltered reality of doing their best every day?

What It Really Means In Practice

If you come across a supplier who declares itself GDPR compliant, ask questions. What evidence can they show? Are their policies, incident response plans and risk assessments actually up to date? Do they talk about compliance as a journey, not a destination? Do they show how they handle rights requests, vendor oversight, international transfers, retention and deletion? Do they talk about how they continually review compliance rather than presenting it as a permanent badge?


If the answer is no and it feels like they just say it because it sounds good, then it is not accountability, it is marketing.


And remember, if you are hiring someone to do a job for you or acquiring software to process data on your behalf, you are still accountable. If the worst happens, you will have to provide evidence that you carried out proper due diligence. Saying "they told us they were GDPR compliant" or "they had a GDPR badge" will not protect you.


Do not trust words and badges. Trust actions and evidence.

What Honest Organisations Say

Honest organisations show humility and commitment. They might say things like "We align our data protection practices with the UK GDPR and EU GDPR. We operate under documented processes, risk assessments and continuous improvement in data protection. Our data processing activities are reviewed annually and our team receives ongoing privacy and security training. We are working towards recognised certification schemes for specific areas of accountability." And yes, sure, they might have a lot of badges to go with it, and that can be a good thing, but these are for certifications, not evidence of compliance with the law.


These statements demonstrate effort and integrity and they avoid the misleading badge effect.


My Personal View

In my opinion, claiming "GDPR compliant" as a blanket statement is far too simplistic and risks undermining trust. I do not think organisations necessarily mean to mislead. I think they often misunderstand. But given that we are dealing with principle-led law and often unmeasurable expectations, the claim is inaccurate at best and unethical at worst.


At the end of the day, compliance is about justification and documentation. It is about being able to show why you made certain decisions and how you reached them. That will look different from one organisation to another and that is absolutely fine. But documentation is not proof that you are compliant. It is proof that you have considered compliance and that is what the law expects.


If I were choosing a partner or advising a client, I would much rather hear "Here is what we do, how we review it, and how you can see it in practice" than the hollow line "We are GDPR compliant".


The End....

So if you are selecting a vendor, supplier or data processor and you see "GDPR compliant" plastered across their website, ask questions. Ask for evidence. Tell them what you need to be satisfied that they are doing all they can.


As you can probably tell, I love an analogy. That is how I learn, so here is one last one.


When someone walks confidently into your office and you have never seen them before, you would not just trust the confident smile. You would ask who they are, why they are there and what they are doing. Treat organisations claiming to be GDPR compliant in exactly the same way. Confidence without evidence is just performance.

Look for transparency, demonstrable process and a willingness to engage.

Because at the end of the day, compliance is not a badge, it is behaviour.