Managing system upgrades and migrations
Avoiding data protection and privacy pitfalls
A case recently caught my eye. Yes, a tale of regulatory action might seem dry, but this example offers a sobering case of ‘there but for the Grace of God go I.’ Most businesses manage system upgrades and migrations. This case, investigated by a German data protection authority, demonstrates the risks.
Perhaps you’re moving from on-site servers to the Cloud. Maybe you’re transitioning to a new HR or Finance platform. From a data protection and security perspective, such projects are inherently risk laden. While this case involved an upgrade to a Customer Relationship Management (CRM) system, it speaks more broadly to the potential pitfalls of any system change.
I’d like to thank Dr Carlo Piltz, Partner at Piltz Legal for this popping up in my LinkedIn feed, and for summarising the case in English.
What went wrong?
The DPA of Hesse in western-central Germany received a complaint about a global travel company, which out of the blue had started sending postal marketing to customers who’d previously objected.
It transpired that when the company redesigned its CRM to improve efficiency, an error during implementation led to a second dataset being created. Crucially, marketing suppressions were not applied to this dataset.
As we know, under GDPR and UK GDPR, objecting to marketing is an absolute right which organisations must honour. The result of this error was the travel company sent marketing communications to more than 5,000 customers when they shouldn’t have.
So simple. But a mistake which led to complaints, unwelcome regulatory scrutiny and fine proceedings, despite the company resolving the issue ‘without undue delay’.
Risks when upgrading or migrating technology
This case highlights the impact of just one error. There are plenty of risks in system upgrades and migrations, which can extend way beyond the realms of data protection and information security.
Risks include data loss, loss of data quality and integrity, record duplication and compatibility errors. There’s the potential for extended downtime and performance dropping off. This is before we consider the risks of security breaches; the potential for personal, confidential or otherwise sensitive data being exposed in transit from A to B or at rest in a new or changed environment.
There are also data governance considerations, including (but not limited to): supplier due diligence and ensuring contractual terms meet legal requirements (if migrating to a third-party platform); safeguards for international data transfers (where relevant); access controls; what data needs to be retained and what needs deletion prior to or after migration; and so on.
Importance of risk assessments and a test phase
These are all good reasons to have a detailed migration plan, based on an inventory of the data assets involved and a map of their dependencies. A plan which includes keeping full back-ups of the original source data, verifying data integrity in the new or changed environment, a ‘test run’ rehearsal where you can benchmark the results, a ‘just in case’ rollback strategy, a phased migration, along with ongoing monitoring and testing.
The travel company’s issues highlight the critical need for a testing phase. If robust testing had been done (both within the IT/Development team and user acceptance testing) all of their woes could have been avoided.
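As an added illustration (not part of the original post, and not the travel company’s own tooling), here is the kind of reconciliation check a test phase should include before any marketing is sent from a migrated dataset: it compares suppression flags between the source CRM and the migrated copy and blocks go-live if any objection has been lost. The record layout and field names are assumptions.

```python
# Added example, not from the original post: a post-migration reconciliation
# check for the failure described above (marketing objections honoured in the
# source CRM but absent from the migrated dataset). Field names are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: str
    email: str
    marketing_opt_out: bool  # True = the customer objected to marketing


def index_by_id(records):
    """Map customer_id -> record, failing loudly if a dataset contains duplicates."""
    index = {}
    for r in records:
        if r.customer_id in index:
            raise ValueError(f"duplicate customer_id in dataset: {r.customer_id}")
        index[r.customer_id] = r
    return index


def reconcile_suppressions(source, target):
    """Compare suppression flags between the source CRM and the migrated copy.

    Returns three sorted lists:
      lost_suppressions: opted out in source, but marketable in target
      missing:           present in source, absent from target
      unexpected:        present in target, absent from source
    Any non-empty list is a blocker for sending marketing from the target.
    """
    src, tgt = index_by_id(source), index_by_id(target)
    lost = sorted(cid for cid, r in src.items()
                  if r.marketing_opt_out and cid in tgt
                  and not tgt[cid].marketing_opt_out)
    return {"lost_suppressions": lost,
            "missing": sorted(set(src) - set(tgt)),
            "unexpected": sorted(set(tgt) - set(src))}


def safe_to_send(source, target):
    """Go-live gate: marketing may only run if every check list is empty."""
    return not any(reconcile_suppressions(source, target).values())


# Constructed sample data: c2 objected to marketing but the migrated copy
# dropped the flag, and c3 was never copied across at all.
SOURCE = [Customer("c1", "a@example.com", False),
          Customer("c2", "b@example.com", True),
          Customer("c3", "c@example.com", True)]
TARGET = [Customer("c1", "a@example.com", False),
          Customer("c2", "b@example.com", False)]

if __name__ == "__main__":
    print(reconcile_suppressions(SOURCE, TARGET))
    print("safe to send:", safe_to_send(SOURCE, TARGET))
```

Run against the real source and target extracts during the rehearsal, the same check also catches the ‘second dataset’ problem: a duplicated customer id raises immediately instead of silently producing a marketable twin.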
From a purely data protection perspective, even if your specific upgrade or migration doesn’t meet the ‘high-risk’ threshold for a mandatory Data Protection Impact Assessment, conducting a DPIA anyway is likely to prove a useful exercise. DPIAs are a really useful risk management tool which can help to identify and raise awareness of potential data protection risks BEFORE they materialise, so corrective measures can be taken.
A DPIA initiated from the outset of a systems upgrade or migration plan and revisited regularly throughout the project will go a long way to avoid unwelcome issues later down the line.
If your migration or upgrade is relatively straightforward, involving minimal personal data which isn’t of a sensitive nature, a full DPIA may be a step too far, but lighter-touch compliance checks will still prove helpful.
The case of the travel company illustrates how just one error in a systems upgrade can have a significant negative impact. Robust planning, appropriate risk assessments and testing are crucial to avoid problems further down the line.