Following on from our mini-series on data protection breaches:
https://www.law-point.co.uk/uncategorized/data-protection-breach-blogs-part-1-what-is-a-breach/ & https://www.law-point.co.uk/blog/data-protection-breach-blogs-part-2-ive-experienced-a-breach-what-do-i-do/
we thought we’d give you our top three examples of the most common data breaches we’ve seen in our role as Data Protection Officer.
1. Email sent to the wrong recipient
This is without a doubt the most common example of a data breach we’ve come across! The auto-fill function can be helpful, but when you’re in a rush or distracted it’s easy to send an email to the wrong person.
2. Wrong details sent
Again when you’re busy it’s very tempting to take shortcuts, such as re-using an email you’ve already sent. But you need to be cautious to ensure that all details are updated and you don’t inadvertently leave in details relating to another individual.
3. Wrong details input
When inputting details into your company’s systems, it’s important to double check that everything is correct. The impact of incorrect details would depend on exactly which type of personal data was wrong – we came across an example where payment was being taken from someone else’s account as the wrong direct debit details were entered!
As you can see from our examples above, the most common breaches are accidental rather than malicious, but even if something is accidental and is ring-fenced (i.e. about a limited number of individuals) the impact could still be significant. For example, wrong information being entered about one individual could lead to a credit rating issue for that individual.
Whilst these examples may seem minor rather than the headline grabbing breaches we’ve seen in the news, they do constitute data breaches and so must be assessed and dealt with appropriately – but that is not to say they would be need to be notified to the ICO!
But it is important to ensure that staff understand the risks, are appropriately trained and procedures in place to reduce the likelihood of a breach occurring. If the ICO were to ever audit your company and kept coming across the same “minor” breaches but no lessons were being learned or measures put in place it is not likely that they would take a good view!