It’s approaching five years since the General Data Protection Regulation - to give it its full title - came into force in the EU and the UK. Since then, countless businesses have found themselves on the wrong side of GDPR, including some of the world’s most recognised brands.
Common GDPR breaches & how to avoid them
- What are the most common data breaches?
- What are the penalties for breaching GDPR?
- How can you avoid common GDPR breaches?
- Why was GDPR introduced?
- What are the facts & figures around GDPR breaches?
- What do you do if you suspect a data breach?
What are the most common data breaches?
The UK’s Information Commissioner’s Office (ICO) suggests the six most common data breaches include:
1. Access by an unauthorised third party
Typically from malware, ransomware or hacking – often enabled by systems that are old, or that haven’t had adequate or up-to-date protection installed.
2. Sending personal data to the wrong person
We’re only human. In busy or stressful times, mistakes happen. Unfortunately, where data’s concerned, the consequences can hit home hard.
3. Deliberate or accidental action (or inaction) by a controller or processor
We all like to think the people we work with are scrupulously honest, but the opportunity to sell lucrative sensitive information may be difficult to resist for a few, especially in tough economic times. Equally, someone who left the firm under a cloud may take advantage, especially if they still have access.
4. Loss of availability of personal data
Sometimes, systems and files just give up the ghost, corrupting, losing or destroying data. Hard copies can be mislaid, misfiled or accidentally shredded. If these are your only records, the data’s gone for good.
5. Lost or stolen devices containing personal data
Is there anyone who hasn’t had that sinking feeling of leaving a laptop, tablet or smartphone somewhere? And if the device doesn’t have secure password protection, criminals can quickly exploit personal information for fraud.
6. Altering personal data without permission
As well as the chance of hackers gaining access and changing passwords, staff members may change personal information to deceive or to misrepresent the information. Even making minor tweaks to, say, someone’s age to qualify them for an email campaign list still infringes the regulations.
What are the penalties for breaching GDPR?
In the first 20 months of GDPR, more than €114 million was issued in fines. Since then, several high-profile companies have made world news for data breaches.
Amazon was fined a record €746m by Luxembourg, while Meta, which owns Facebook, Instagram and WhatsApp, was hit with four separate fines of €405m, €390m, €265m and €225m in Ireland. All dwarf the previous highest – Google’s €90m in Dec 2021.
While these fines are proportionate for global powerhouses, penalties can be high no matter the size of your business. UK and EU GDPR can impose a maximum fine of £17.5m or €20m respectively, or 4% of your annual global turnover, whichever is larger.
Admin errors (not leading to a data breach) carry lesser fines, while penalties for minor infringements include warnings and reprimands, a temporary or permanent ban on data processing, restoring, restricting or erasing data, or suspending data transfers. Breaches also lead to significant reputational damage.
How can you avoid common GDPR breaches?
First, carry out a risk assessment to discover the current state of play, for example using the ICO’s impact assessment template. It should aim to tell you the likelihood of a GDPR breach and its potential consequences, so you can prioritise your resources.
The ICO also suggests several actionable steps which can reduce your risk of committing the common GDPR breaches mentioned above:
- Store data securely
Helps prevent third-party access or misuse if a device is stolen.
When dealing with sensitive information, ensure you have the strongest possible online security in place. Given the potential consequences, this isn’t the time to settle for the simplest and cheapest option. Criminals are increasingly tech-savvy, so you need to keep one step ahead.
Choose the best you can afford, wherever possible. For those businesses that keep hard copies of data, lock up paperwork whenever it’s not in use and put a clear desk policy in place – right down to personal info on post-it notes.
- Create a remote working policy
Helps prevent third-party access or misuse if a device is stolen.
Since the pandemic, far more of us are regularly working from home. Make sure your employees understand how to handle personal data when off-site. If using mobile devices, secure them with two-factor authentication or similar tech, and create a hybrid working policy that includes security guidelines.
- Keep client details up-to-date
Helps prevent personal details from being sent to the wrong person.
Ask your clients, customers or members to let you know when they change their contact details. Keeping your database up-to-date will reduce the risk of data going to the wrong address.
- Label documents appropriately
Helps prevent personal details from being sent to the wrong person.
Naming your documents clearly and consistently will reduce the risk of employees sending the wrong one.
- Take care when redacting data
Helps prevent personal details from being sent to the wrong person, and processor/controller error.
When a client asks to see their data, it can be all too easy to make and send copies. Always check whether there are any details about other people on the documents and remove them.
- Be careful when using blank templates
Helps prevent personal details from being sent to the wrong person.
If using blank templates, ensure your employees always create a new copy rather than overwriting a used one, which can leave fields populated with previous details.
- Review employee access
Helps prevent unauthorised use, direct action by a processor or controller, or alteration.
Not everyone needs access to everything. Make sure only those who need access have it, and act fast to remove it when someone leaves the company, to avoid any temptation to sell or alter data for personal or business gain.
- Think about ex-employees
Helps prevent unauthorised use.
Some leavers may take customer details to use in their next position. Include clear clauses in employment contracts that prevent ex-staff members from approaching your clients, to avoid any temptation to sell or alter data for personal or business gain.
- Back up your systems regularly
Helps prevent the loss of personal data.
Losing vital data may seem unlikely, but the unexpected does happen. Back up your systems as often as possible, so you retain info in the event of fire, flood or a system failure.
- Awareness training
Helps prevent all breaches.
Awareness training can help everyone understand what breaches fall under GDPR (including those mentioned above), the potential pitfalls and how best to avoid them. GDPR compliance is everyone’s responsibility, so ensure your employees have the compliance training, support and resources they need.
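The "Review employee access" and "Think about ex-employees" steps above are easiest to keep up when the review is a repeatable check rather than a manual trawl. The script below is an added illustration, not code from the ICO or from this page: it cross-references a constructed HR roster against a constructed list of active accounts and flags three conditions a reviewer would act on - leavers whose accounts are still active, accounts holding entitlements beyond what their role allows, and active accounts with no HR record at all. The roster, role map, account names and review date are all made up for the example.

```python
"""Joiner/mover/leaver access review (illustrative; constructed sample data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str   # one of: "leaver", "excess", "orphan"
    detail: str


# Constructed role -> permitted entitlements map (hypothetical names).
ROLE_ENTITLEMENTS = {
    "sales": {"crm_read"},
    "support": {"crm_read", "ticketing"},
    "dba": {"crm_read", "crm_admin", "ticketing"},
}

# Constructed HR roster: leave_date is None for current staff.
HR_ROSTER = {
    "alice": {"role": "sales", "leave_date": None},
    "bob": {"role": "support", "leave_date": date(2023, 1, 31)},
    "carol": {"role": "dba", "leave_date": None},
}

# Constructed export of active accounts and their entitlements.
ACCESS_LIST = [
    {"account": "alice", "active": True, "entitlements": {"crm_read", "crm_admin"}},
    {"account": "bob", "active": True, "entitlements": {"crm_read", "ticketing"}},
    {"account": "carol", "active": True, "entitlements": {"crm_read", "crm_admin", "ticketing"}},
    {"account": "dave", "active": False, "entitlements": {"crm_read"}},
    {"account": "svc_old", "active": True, "entitlements": {"crm_admin"}},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2023, 3, 1)


def review_access(roster, access_list, role_entitlements, today):
    """Return a list of Findings for every active account that needs attention."""
    findings = []
    for entry in access_list:
        acct = entry["account"]
        if not entry["active"]:
            continue  # disabled accounts carry no live access; nothing to revoke
        person = roster.get(acct)
        if person is None:
            # Nobody in HR owns this account: it cannot be justified, so flag it.
            findings.append(Finding(acct, "orphan", "active account with no HR record"))
            continue
        leave = person["leave_date"]
        if leave is not None and leave < today:
            # The person has left but the account was never disabled.
            findings.append(Finding(acct, "leaver", f"left on {leave.isoformat()} but still active"))
            continue
        allowed = role_entitlements.get(person["role"], set())
        excess = entry["entitlements"] - allowed
        if excess:
            # Entitlements the role does not justify; candidates for removal.
            findings.append(Finding(acct, "excess", "beyond role: " + ", ".join(sorted(excess))))
    return sorted(findings, key=lambda f: (f.reason, f.account))


def summarise(findings):
    """Count findings per reason so the review can be tracked over time."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, ACCESS_LIST, ROLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.reason:7} {f.account:8} {f.detail}")
    print(summarise(results))
```

In a real environment the roster would come from the HR system and the access list from a directory or application export; the value of the check is that it runs on a schedule, so a leaver's lingering account surfaces within days rather than at the next annual audit.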
Why was GDPR introduced?
The unstoppable rise of technology has transformed the working world in the last 30 years. Companies have embraced online and digital business, while we freely share our personal information at the click of a button.
However, the speed of tech advances left Europe’s data protection laws trailing in its wake, with a disparate set of inadequate regulations and interpretations.
GDPR harmonised regulations across countries – affording people a consistent level of protection while making it clear how businesses should handle people’s information. Under UK GDPR, individuals have the right:
- To be informed about how their data is collected and used.
- Of access to their personal data, and other supplementary information.
- To have inaccurate personal data rectified, or completed if incomplete.
- To have personal data erased.
- To restrict or suppress the processing of their personal data (in certain circumstances).
- To keep or reuse data for their own purposes (called data portability).
- To object to the processing of their personal data (in certain circumstances).
- In relation to decision-making and profiling done by AI rather than a person.
After four full years of GDPR, the stats make for an interesting – and sometimes concerning – read for business owners.
What are the facts & figures around GDPR breaches?
According to stats collected and recently updated by email marketing company Moosend:
- Germany and the Netherlands had the most data breach notifications as of January 2022, with almost 107,000 and 93,000, respectively. The UK was third with a touch over 40,000.
- 83% of corporate respondents thought privacy laws have had a positive impact, 14% were neutral, but just 3% thought they’d had a negative effect.
- The top benefits of investing in data security are building loyalty and trust (71%) and making the company more attractive (69%).
However:
- Around 30% of European businesses are still not GDPR-compliant.
- While 62% of consumers in the UK feel more comfortable sharing their data, almost half of the EU (45%) are still concerned about their data privacy.
- Just 31% of consumers feel their overall experience with companies has improved since GDPR was introduced.
- Almost half (46%) of consumers feel they’re unable to adequately protect their data, because of a lack of understanding about what companies do with it.
- 90% of respondents won’t buy from a company if they’re unsure how the company is using or protecting their data.
What do you do if you suspect a data breach?
The GDPR exists to provide constant protection for consumers and offer guidance on how our businesses should handle personal data. It is important to allow it to do just that. By adhering to the regulation, businesses can not only avoid penalties but uphold the purpose of the GDPR.
If you suspect a breach, be upfront about it immediately. Any staff training should encourage your employees to come forward, even if they think it’s a near-miss. You have 72 hours to tell the ICO about a reportable breach, and the clock is running from when you discover it.
Keep proper details. Find out and record what happened, who is involved, what you’re doing about it, and the timeline. Your main priority is to find out what happened to the affected data. If it’s recoverable, do it immediately.
Assess the risk and, if it is high, protect the people affected by giving them specific and clear advice on the steps they can take. Submit your report to the ICO. If you’re unsure whether the breach is reportable, use the ICO’s self-assessment tool.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.