GDPR fatigue? 5 myths legal and accounting professionals still fall for

We know GDPR isn’t exactly something legal and accounting professionals want to spend their days worrying about, but that doesn’t make it any less important.

Most professionals have done the training, clicked through the policy updates, nodded along in meetings and then simply cracked on with work, assuming all was fine.

Unfortunately, a few wrong assumptions still hang around. Some come from outdated advice, others from wishful thinking.

Either way, they can land you in trouble, especially when clients, colleagues, or regulators start asking questions.

Here are five of the most common myths that trip up even experienced legal and accounting teams, and more importantly, how your team can avoid the same fate.

Myth 1: “We’re not processing personal data, so GDPR doesn’t apply.”

If only. Personal data is everywhere! Client emails, CVs, invoices, witness statements, payroll info, even that spreadsheet that lists everyone’s birthdays.

Essentially, if you’ve got names, addresses, emails, National Insurance numbers, bank details, or even staff photos, you’re processing personal data.

So, look at your systems, spreadsheets, shared drives, and inboxes. Then make sure that data is stored securely, only accessed by the right people, and not kept longer than necessary.

Myth 2: “We’ve got consent, so we’re covered.”

For whatever reason, many people seem to think that having someone’s consent to hold their personal information is some kind of get out of jail free card.

Rely on consent as your lawful basis only when no other basis fits. For most legal or financial work, contractual necessity or legitimate interest is more appropriate.

Just make sure you can justify whichever you pick and keep a record of your reasoning.

Myth 3: “It’s just for internal use, so it doesn’t really matter.”

Hate to break it to you, but that’s just not how GDPR works. Internal does not mean invisible.

If someone from IT is snooping around HR folders or a junior trainee has access to every client file “just in case,” you’ve got a problem.

A shared login here, a forwarded email there, and suddenly someone’s payroll file is on the office printer. Disaster!

With that in mind, we suggest reviewing access rights across your firm.

Does everyone really need access to everything? Probably not. Keep folders locked down on a “need to know” basis.

Myth 4: “We don’t transfer data abroad, so international rules don’t apply.”

You might be doing it without realising. If you’re using cloud tools, email providers, or software with servers outside the UK, personal data could be heading abroad in the background.

Check where your service providers store data. Most of them have this info buried in their privacy policies.

If data leaves the UK or EU, make sure there are appropriate safeguards (like Standard Contractual Clauses). Your IT team or supplier should be able to confirm this quickly.

Myth 5: “We’ve done the training. Job done.”

Wouldn’t that be nice? Unfortunately, it’s not the reality. With GDPR, things can change all the time, whether that’s your clients, your suppliers, your systems, or even your staff habits (especially bad ones).

The most common data breaches come from day-to-day habits, not hacks.

So, while making sure each member of your team has had their GDPR training matters, your efforts to protect your data shouldn’t stop there.

We recommend regularly checking your systems and data to ensure you’re staying up to date with compliance regulations.

Ask simple questions:

You’d be surprised how quickly old habits creep in, so make sure refresher courses or reminders are regularly shared across the firm to keep privacy on everyone’s radar.

GDPR fatigue is real, but so is the risk of letting it slide. You don’t need to memorise Article 5, paragraph 1 (though bonus points if you do).

Just stay curious, challenge assumptions, and ensure that your systems and people are doing what they claim to be doing.

If in doubt, ask the person who has read the policy all the way through. There’s always one.

Take your GDPR training to the next level!

We’ve created a brand new two-module UK GDPR course to help you feel confident about data protection in practice.

To provide you with even more clarity on the new legislation and help make you a pro in all things GDPR, a short micro-course is also available dedicated to the Data (Use and Access) Act 2025.

It highlights the most important changes, including international data transfers, new provisions for children, changes to the ICO (now the Information Commission), and more.

Looking for a GDPR training course that’s tailored to legal and accountancy professionals? Book a demo with us today!