What are the common Data Protection breaches you see?

We've been thinking about the most common breaches that we've seen over the years...

The ICO recently published their “GDPR - One year on” update, which reported an increase in breaches being reported, stating “we received around 14,000 PDB [Personal Data Breach] reports from 25 May 2018 to 1 May 2019. For comparison, we received around 3,300 PDB reports in the year from 1 April 2017”.

That’s a huge increase. It doesn’t mean that there are more breaches occurring: many companies will be reporting because the GDPR introduced a duty on all organisations to report certain types of breaches. Hopefully a lot of the reporting also comes from companies becoming more diligent around data handling and breach reporting, and recognising the potential for a substantial fine.

These are some of the common breaches that we’ve seen.

Auto Populated Email Addresses

This is where you begin typing someone’s email address into your email and it suggests who you may be trying to contact, so that you don’t have to type the whole address every time. A useful function, but it can lead to breaches. If you type “J” in order to email “Jamie” and it suggests “Jason” because you email them more frequently, you can easily send personal data to the wrong person. We’ve seen this one a lot!

Triple check where you are sending your emails before clicking send. You can even turn the function off if you want to be extra careful!

Lack of Awareness of Rules

It’s all well and good having a Data Protection (DP) team to handle DP matters, but DP should be woven through your business processes so that anyone handling personal data knows how to treat it appropriately. We’ve seen lots of people sending rafts of personal data without considering password protection, or sending more information than they should, just because the information required is contained in a larger data set.

Get the processes right, but get the culture right too. Make sure staff carry out training and don’t be afraid to challenge inappropriate data use.

Attaching incorrect files

We all know human error can occur and the wrong files may be attached to an email, but again a triple check before you send anything could avoid a breach.

If you have applied password protection / encryption then you’ve significantly lowered the risk!


Webchat

Webchat can cause a challenge for businesses around DP, particularly as agents dealing with customers are sometimes expected to handle multiple conversations / windows at once, which can lead to personal data being accidentally provided to the incorrect recipient.

Think about how you handle webchat queries. If your agents need to work multiple windows, make sure there are processes in place that don’t, for example, provide a customer with a username and password in the same message, as this being sent through the wrong window can cause a whole lot of

Paper files left in the office

I’m sure we’ve all seen this in the day-to-day running of an office: people leaving files with personal data scattered around when they leave their desk or even when they go home. Fit notes left on desks, disciplinary notes printed and left on the printer, the list goes on.

Operate a clear desk policy and make sure that files are locked away at night or destroyed. Think about whether you really need to print that file.

Personal data on the move

It’s becoming more common practice to work from trains, or coffee shops, but do you consider who is around you when you are looking at personal data?

Make sure you consider where you sit if you will be looking at personal data. It may sound over the top, but we’ve seen breaches occur from people reading over others’ shoulders on a train, or even someone sitting in a coffee shop with their back to a window, allowing anyone walking past to see what’s on their screen.

What are the common breaches you come across?