How to Avoid Common Data Breaches

Posted by Ian Hare on 15 Feb 2023

Companies trip up and breach the GDPR every year, and some pay eye-watering fines. We look at the most common types of personal data breach and how to avoid them.

Since the GDPR came into force across the EU and the UK in May 2018, many businesses have found themselves on the wrong side of the law, including some of the world's most recognised brands.

The GDPR protects individuals and sets out how businesses must handle personal data. By adhering to the regulation, businesses avoid penalties and uphold its purpose.

What to do if you suspect a data breach

If you suspect a breach, be upfront about it immediately. Staff training should encourage employees to come forward even if they think it was only a near-miss. A reportable breach must be notified to the ICO without undue delay and within 72 hours, and the clock starts when you become aware of it, not when you finish investigating.

Keep proper records. Establish and record what happened, whose data and which systems are involved, what you are doing about it, and the timeline. Your main priority is to find out what has happened to the affected data; if it is recoverable, recover it immediately.

Assess the risk to the people affected. If it is high, tell them without undue delay and give them specific, clear advice on the steps they can take to protect themselves. Then submit your report to the ICO. If you are unsure whether the breach is reportable, use the ICO's self-assessment tool.

The Most Common Data Breaches

The UK's Information Commissioner's Office (ICO) lists six common types of personal data breach.

1. Access by an unauthorised third party

Typically the result of malware, ransomware or hacking, often enabled by systems that are out of date or that have never had adequate protection installed, patched or updated.

2. Sending personal data to the wrong person

We're only human. In busy or stressful times, mistakes happen. Unfortunately, where data's concerned, the consequences can hit home hard.

3. Deliberate or accidental action (or inaction) by a controller or processor

We all like to think the people we work with are scrupulously honest, but the opportunity to sell lucrative sensitive information may be difficult to resist for a few, especially in tough economic times. Equally, someone who left the firm under a cloud may take advantage, especially if they still have access.

4. Loss of availability of personal data

Sometimes, systems and files give up the ghost, corrupting, losing or destroying data. Hard copies can be mislaid, misfiled or accidentally shredded. If these are your only records, the data's gone for good.

5. Lost or stolen devices containing personal data

Is there anyone who hasn't had that sinking feeling of leaving a laptop, tablet or smartphone somewhere? If the device isn't encrypted and locked with a strong password or PIN, criminals can quickly read the personal information on it and use it for fraud. A login password alone is not enough: without disk encryption, someone who removes the storage can read the data directly.

6. Altering personal data without permission

As well as the chance of hackers gaining access and changing passwords or records, staff members may alter personal information to deceive or misrepresent. Even a minor tweak, such as adjusting someone's recorded age so they qualify for an email campaign list, still infringes the regulation.

How to Avoid Common Data Breaches

First, conduct a risk assessment to establish the current state of play, for example using the ICO's data protection impact assessment (DPIA) template. It should tell you the likelihood of a GDPR breach and its potential consequences so you can prioritise your resources.

The ICO also suggests several actionable steps which can reduce your risk of committing the common GDPR breaches mentioned above:

A. Store data securely

Helps prevent third-party access, or misuse if a device is stolen. When dealing with sensitive information, use the strongest protection you reasonably can: encrypt data at rest and in transit, keep systems patched, and restrict access to those who need it. Given the potential consequences, this isn't the time to settle for the simplest and cheapest option. Criminals are increasingly tech-savvy, so you need to keep one step ahead.

Choose the best you can afford, wherever possible. For those businesses who keep hard copies of data, lock up paperwork whenever it’s not in use and put a clear desk policy in place – right down to personal info on post-it notes.

B. Create a remote working policy

Helps prevent third-party access, or misuse if a device is stolen. Since the pandemic, far more of us regularly work from home. Make sure employees understand how to handle personal data off-site. Secure mobile devices with two-factor authentication, full-disk encryption and the ability to wipe them remotely, and create a hybrid working policy that includes security guidelines.

C. Keep client details up-to-date

Helps to prevent personal details from being sent to the wrong person. Ask your clients, customers or members to let you know when they change their contact details. Keeping your database up-to-date will reduce the risk of data going to the wrong address.

D. Label documents appropriately

Helps prevent personal details from being sent to the wrong person. Naming documents clearly and consistently reduces the risk of employees attaching and sending the wrong one.

E. Take care when redacting data

Helps prevent personal details from being sent to the wrong person, and processor/controller error. When a client asks to see their data, making and sending copies can be all too easy. Always check whether the documents contain details about other people and remove them. Redact properly: a black box drawn over text in a PDF or Word document often leaves the underlying text recoverable, so remove the text itself (or export a flattened copy) rather than simply covering it.

F. Be careful when using blank templates

Helps prevent personal details from being sent to the wrong person. If you use blank templates, ensure employees always start from a fresh copy rather than overwriting a previously used one, which can leave fields populated with someone else's details.

G. Review employee access

Helps prevent unauthorised use, deliberate action by a processor or controller, or alteration. Not everyone needs access to everything. Grant access only to those who need it, review it regularly, and revoke it promptly when someone leaves the company, removing any temptation to sell or alter data for personal or business gain.

H. Think about ex-employees

Helps prevent unauthorised use. Some leavers may take customer details to use in their next job. Include clear clauses in employment contracts that prevent ex-staff from approaching your clients, and make sure their accounts, keys and remote access are disabled on their last day.

I. Back up your systems regularly

Helps prevent the loss of personal data. Losing vital data may seem unlikely, but the unexpected does happen. Back up your systems regularly, keep at least one copy offline or off-site where ransomware or a fire cannot reach it, and test that you can actually restore from the backups, so you retain your data in the event of fire, flood or system failure.

Penalties for breaching GDPR

In the first 20 months of the GDPR, more than €114 million was issued in fines. Since then, several high-profile companies have made world news for data breaches and other infringements.

Luxembourg's regulator fined Amazon a record €746m in 2021, while Meta, which owns Facebook, Instagram and WhatsApp, was hit with four separate fines of €405m, €390m, €265m and €225m in Ireland. All far exceed the €50m that France's CNIL fined Google in January 2019, the largest GDPR penalty before Amazon's.

While such fines are proportionate for global powerhouses, penalties can be high whatever the size of your business. For the most serious infringements, the UK and EU GDPR allow a maximum fine of £17.5m or €20m respectively, or 4% of your annual global turnover, whichever is higher.

Less serious infringements, such as record-keeping or other administrative failures that do not amount to a data breach, fall under a lower tier with a maximum of £8.7m or €10m, or 2% of annual global turnover. Regulators can also issue warnings and reprimands, impose a temporary or permanent ban on processing, order data to be rectified, restricted or erased, or suspend data transfers. Breaches also cause significant reputational damage.

Want to learn more about GDPR?

We've created a GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.
