From simple passwords to holding on to data you don't need, common mistakes that could result in a GDPR fine
In this article, Clive Mackintosh, Founder of GDPR Rep, takes a look at some of the most common data protection mistakes, those which may result in an organisation finding itself in breach of the GDPR.
It is often assumed that GDPR breaches occur through cyber-attacks and other malicious criminal acts. Whilst that is true, most data breaches result from human error and a lack of training and awareness of GDPR responsibilities.
Sending an email to the wrong recipient is by far the most common mistake anyone can make, and it is easy to do when you are under pressure or when your message history contains more than one person with a name similar to that of the individual you intended to email.
Disclosing personal information to a person who has no legal right to receive it amounts to a data breach, and if that information includes special category data such as medical records, or other sensitive information such as tax records, a fine becomes much more likely even though the mistake was simply down to human error.
The ICO's advice is to act immediately: recall the email if your mail system allows it, and if it cannot be recalled, contact the person who received it and ask them to delete it. In practice a recall only succeeds within the same mail system and before the recipient has opened the message, so do not rely on it. Record the incident and assess whether it must be reported to the ICO, which the GDPR requires within 72 hours of becoming aware of a breach that is likely to result in a risk to the individuals concerned.
Opening attachments or following links in emails from untrusted sources or from people you don't know puts you at risk of malware infection and a ransomware attack, which could be extremely serious for your business.
Phishing emails are on the increase, as are other methods of social engineering. It is important that staff are trained to spot suspicious emails and to report them to their manager or IT team before clicking on links or opening attachments.
Once opened, a malicious attachment can run code that spreads malware across an organisation's systems and networks at a frightening speed.
Everyone has a right of access to their personal data under the GDPR. An individual can make a subject access request to an organisation to establish what personal information is being processed about them, the purpose of that processing and how long their data will be held, and, importantly, to receive a copy of that information.
Because subject access requests can be made verbally or in writing and don’t have to be addressed to any specific individual in your organisation, it is very easy for such requests to be ignored, not recognised as a subject access request or simply not passed on to the appropriate person, for example, your Data Protection Officer.
If any one of these events occurs, it is very likely that a complaint will be made to the supervisory authority, which can take regulatory action by ordering you to respond to the subject access request, issuing a fine for the GDPR breach or carrying out an assessment of your data protection compliance processes. Bear in mind that a request must normally be answered within one month of receipt, so the clock starts even if the request has not yet reached the right person.
The GDPR requires an organisation to have a process in place to determine how long personal data should be kept. There are many legal reasons why personal data needs to be retained for certain periods of time, such as HMRC records, but in the absence of any such requirement an organisation can find itself in breach of the GDPR simply for allowing personal information to sit in its systems and networks without any proper management of the review and retention of that data.
The GDPR's storage limitation principle requires that personal data be kept only for as long as it is needed. Meeting it requires an organisation to implement and embed a documented retention schedule and records management process.
Personal information that is allowed to pile up in an organisation's systems and networks also puts the business at greater risk from a cyber-attack, because there is more to lose when one succeeds.
Many data breaches occur when an individual is working in a public place, such as a café or on a train.
Whenever you are working on personal information in a public place there is always a risk that the information will be visible to unwanted eyes.
Leaving a device or documents containing personal information on a bus, on a train or in a car amounts to a data breach, even when the loss is down to human error rather than malice. Similarly, using a café's public Wi-Fi to process personal data could allow other users of the network, or criminal hackers, to view the data if the connection is not protected by encryption such as TLS or a VPN.
Using simple passwords (e.g. '1234' or 'password') for IT systems and devices, or to protect an encrypted attachment containing confidential information, can amount to a data breach if someone who should not have access uses them to get at the information. The password for an encrypted attachment should also be sent by a separate channel, never in the same email.
There have been incidents where an employee reused a personal password, or chose one built from their date of birth and surname, to log in to their employer's systems and networks, and criminal hackers used that credential to gain access to the employer's entire database.
Ineffective password management controls present a very real risk to the confidentiality, integrity and availability of an organisation's systems and networks.
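As an added example (not code from the article or from GDPR Rep), the following Python function screens a candidate password against the two failure modes described above: trivial passwords such as '1234' or 'password', and passwords built from details an attacker can look up or guess, such as the user's surname or date of birth. The denylist, the character-substitution table and the set of date formats are constructed for the example; a real deployment would screen against a large breached-password list.

```python
"""Screen a password against a denylist and the user's own details.

Added example, not from the original article. The denylist below is a
constructed stand-in for a breached-password list; the minimum length and
the substitution table are assumptions chosen for illustration.
"""
import re
from datetime import date

# Constructed denylist for the example; a real deployment uses a large
# list of breached passwords rather than a handful of entries.
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "12345678", "password", "password1",
    "qwerty", "letmein", "welcome", "admin",
}

MIN_LENGTH = 12

# Common substitutions, undone before comparing against names and
# dictionary words so that "Sm1th" or "P@ssw0rd" are still caught.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def _deleet(text: str) -> str:
    """Lower-case the text and undo the substitutions in _LEET."""
    return text.lower().translate(_LEET)


def _dob_fragments(dob: date) -> set[str]:
    """Digit strings a user is likely to build into a password from a date of birth."""
    y, m, d = dob.year, dob.month, dob.day
    yy = f"{y % 100:02d}"
    return {
        f"{y}",                 # 1985
        f"{d:02d}{m:02d}",      # 1403  (day-month)
        f"{m:02d}{d:02d}",      # 0314  (month-day)
        f"{d:02d}{m:02d}{yy}",  # 140385
        f"{d:02d}{m:02d}{y}",   # 14031985
        f"{y}{m:02d}{d:02d}",   # 19850314
        f"{d}{m}{y}",           # 1431985 (no zero padding)
    }


def screen_password(password: str, surname: str, dob: date, forename: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passed."""
    reasons = []
    raw = password.lower()
    plain = _deleet(password)
    # Separators stripped so that "14-03-85" is still matched against the DOB.
    digits = re.sub(r"\D", "", password)

    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if raw in COMMON_PASSWORDS or plain in COMMON_PASSWORDS:
        reasons.append("common password")
    for label, name in (("surname", surname), ("forename", forename)):
        if len(name) >= 3 and _deleet(name) in plain:
            reasons.append(f"contains {label}")
    if any(frag in digits for frag in _dob_fragments(dob)):
        reasons.append("contains date of birth")
    if 0 < len(set(raw)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample user for the demonstration.
    user_surname, user_dob = "Smith", date(1985, 3, 14)
    for candidate in ("P@ssw0rd", "Sm1th-1985-rocks", "correct horse battery staple"):
        verdict = screen_password(candidate, user_surname, user_dob) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

A check like this runs at password-set time and catches the guessable choices the article describes, but it cannot tell whether the user has reused the password from a personal account; that needs screening against a breached-password list, which the constructed denylist here only stands in for.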
GDPR can be a complex subject, with some of the most common breaches being a result of human error and a lack of training and awareness of GDPR responsibilities.
If you are looking for advice or assistance in meeting your organisation’s GDPR compliance why not schedule a no-commitment call with the GDPR Rep team, experts in Data Protection, EU and UK GDPR representation. Our team are on hand to help you navigate GDPR.