Morocco's Law 09-08 on the protection of individuals with regard to the processing of personal data has been in force since 2009, and Moroccan organizations with European customers or operations also fall within the scope of the EU General Data Protection Regulation. Despite this, data protection compliance remains inconsistent — and often misunderstood — across organizations of every size and sector.

In our work with organizations across Morocco and the region, the same gaps appear repeatedly. They are rarely the result of bad faith. More often, they stem from treating data protection as a one-time legal exercise rather than an ongoing operational practice. Here are the five mistakes we see most often, and what it takes to fix them.

Mistake 1: Treating consent as the only legal basis for processing

Organizations that have heard of GDPR often assume that consent is the universal solution — if someone has clicked an "I agree" box, you can do anything with their data. This is wrong on two counts.

First, consent under GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, or consent buried in terms and conditions do not meet this standard. Many organizations are relying on consent that would not survive regulatory scrutiny.

Second, consent is only one of six legal bases for processing personal data. Contract performance, legitimate interests, compliance with a legal obligation, protection of vital interests, and the performance of a task carried out in the public interest are all valid alternatives — often more appropriate than consent for many typical business operations. Choosing the wrong legal basis creates compliance risk even when the processing itself is perfectly reasonable.

The fix: Conduct a data mapping exercise that identifies each category of personal data you process, the purpose of processing, and the most appropriate legal basis for each. Document this in a record of processing activities (ROPA) — a requirement under GDPR for most organizations.

Mistake 2: Ignoring processor relationships

GDPR creates obligations not just for how you handle personal data yourself, but for how you manage third parties who handle it on your behalf. Cloud providers, payroll processors, marketing platforms, CRM vendors, and HR software suppliers are all likely "data processors" under the regulation — and you, as the data controller, are responsible for ensuring they provide sufficient guarantees about their data protection practices.

This requires written Data Processing Agreements (DPAs) with every processor. Many organizations have none. Those that do often have generic agreements that do not meet the specific requirements of Article 28 — covering subject matter, duration, nature and purpose of processing, type of personal data, and the processor's obligations and rights.

The fix: Audit your supplier and vendor list for all parties who access or process personal data on your behalf. Review existing DPAs against the requirements of Article 28 of GDPR. Prioritize vendors processing sensitive data or large volumes of customer data.

Mistake 3: Failing to respond to data subject rights requests

GDPR grants individuals extensive rights over their personal data: the right to access, rectify, erase, restrict processing, object to processing, and port their data. Moroccan Law 09-08 contains equivalent rights. Many organizations have no procedure in place to receive, verify, and respond to these requests within the required timeframe — typically one month.

This is not a theoretical risk. Customer complaints, employee requests, and regulatory enquiries that expose non-compliance in this area are increasing. The right to erasure — the "right to be forgotten" — in particular is frequently mishandled, either by organizations refusing to comply when they are obligated to, or by deleting data they were legally required to retain.

The fix: Build a documented process for receiving and responding to data subject rights requests. Train the teams most likely to receive them — customer service, HR, and legal — on what they are, how to identify them, and what the response timeline requires. If you receive a request you are unsure how to handle, seek guidance rather than ignoring it.

Mistake 4: Underestimating the employee data angle

Most organizations focus on customer data when they think about GDPR. Employee data is equally regulated — and often where compliance is weakest. Recruitment data (CVs, interview records, background checks), performance management records, absence and health data, monitoring of business communications, and payroll information are all personal data subject to the full protections of GDPR and Law 09-08.

The use of AI tools in HR — including recruitment screening tools, performance analytics, and employee monitoring software — creates additional compliance obligations around automated decision-making that many HR teams are entirely unaware of.

The fix: Apply the same rigor to employee data that you apply to customer data. Establish clear retention periods for recruitment data (particularly for unsuccessful candidates). Review the legal basis for each category of employee data you process. If you are using AI tools in HR, assess whether those tools make or significantly influence decisions about individuals and, if so, what safeguards are required.

Mistake 5: Having a privacy policy but no privacy practice

A privacy policy published on a website is not compliance. It is one component of compliance — and often the least operationally significant one. Organizations that invest energy in polishing their privacy policy while neglecting their actual data handling practices have the compliance relationship backwards.

The purpose of a privacy policy is to give data subjects the information they need to understand how their data is used. If your actual practices do not match what the policy says — because the policy was written by a lawyer and bears no relationship to what operations is actually doing — the policy creates a compliance liability rather than discharging one.

The fix: Start with what you actually do, then write the policy to describe it accurately. Review your privacy policy at least annually and after any significant change to your processing activities. Treat the policy as a living document tied to your ROPA, not a one-time exercise.

Summary: five fixes

  • Map legal bases for every processing activity — don't default to consent
  • Audit your processors and establish proper DPAs
  • Build a documented process for data subject rights requests
  • Apply data protection rigor to employee data, not just customer data
  • Align your privacy policy to what you actually do

Beyond the checklist

Each of these fixes is actionable in isolation, but sustainable data protection compliance is not achieved by working through a list of remediation tasks. It requires building data protection into how the organization thinks and operates — which is a training and culture challenge as much as a legal one.

The EXIN Privacy and Data Protection certification provides a rigorous, internationally recognized framework for privacy professionals. At the Foundation level, it builds the awareness that every employee who handles personal data should have. At the Professional level, it develops the depth of knowledge needed for DPO roles and serious compliance functions.

Build real data protection capability in your organization

Claribrix delivers GDPR and privacy training — from organization-wide awareness to DPO-level certification. Talk to us about your compliance goals.
