Staff are your weakest link when it comes to personal data security


We know that data breach reporting figures have increased roughly fivefold since the GDPR came into force in May 2018: the ICO saw reported breaches rise from 367 in April 2018 to 1,792 in June 2018. We also know from the quarterly statistics the ICO published in March 2018 that four of the top five causes of data breaches are human error (the fifth being cyber intrusion). The most frequently reported breaches arise from the following:

  1. Loss or theft of paperwork
  2. Data posted or faxed to the incorrect recipient
  3. Data sent by email to the incorrect recipient
  4. Loss or theft of an unencrypted device (e.g. a laptop or USB stick)

It’s not possible to eradicate human error entirely – we are human after all! There are, however, steps that your organisation can take, and is expected by the ICO to take, to minimise these types of personal data breach. Staff awareness and training is an obvious place to start. In its guide to the GDPR the ICO highlights the need to “ensure a good level of understanding and awareness of data protection amongst your staff”. The fourth category above is as much a technical failing as a human one: a lost laptop or USB stick whose contents are protected by full-disk encryption (with the key or passphrase not kept with the device) is a very different proposition from an unencrypted one, and the GDPR recognises this in Article 34(3)(a), which removes the obligation to inform the individuals affected where the data has been rendered unintelligible by measures such as encryption.

The benefits of effective staff training are numerous:

  1. Educating your staff about data protection, about what amounts to a personal data breach and about the risks that can result is fundamental to reducing the number of personal data breaches that occur.

  2. An informed workforce will be able to recognise a personal data breach and alert the appropriate individual in your organisation promptly. That allows the breach to be contained and a risk assessment to be carried out as soon as possible, within the 72-hour window for notifying the ICO, and, if necessary, the ICO and the individuals involved to be notified within the appropriate timescales and in the appropriate manner. The 72 hours run from the point at which your organisation becomes aware of the breach, so the speed with which front-line staff escalate it matters.

  3. Ensuring your staff are aware of their responsibilities under data protection law provides demonstrable evidence of your organisation’s compliance with the accountability principle under data protection law.

Online training module

We recognise that for the vast majority of staff who don’t deal with data protection issues as part of their day-to-day role, taking several hours away from their day job to undertake in-depth training on data protection is not appropriate. That’s why we’ve teamed up with a leading e-learning provider to develop a cost-effective online learning solution that will raise staff awareness of GDPR requirements. The training takes around 30 minutes and informs staff how they can help your organisation to comply with its security and personal data breach reporting obligations.

Over-reporting highlighted as an issue by the ICO

The ICO has recently issued a warning to organisations about over-reporting personal data breaches. The ICO says that some organisations are reporting a data breach just to be transparent, to manage risk, or because they think everything needs to be reported. This tendency to over-report is understandable when you consider that the maximum fine for failing to notify the ICO of a reportable personal data breach is 10 million euros or 2 per cent of your global annual turnover, whichever is the higher.

Geldards Breach Reporting Assessment Tool

The over-reporting that the ICO has been experiencing suggests that organisations are struggling to carry out the appropriate risk analysis when it comes to a personal data breach. There is an obligation to notify the ICO of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals involved. Determining the likelihood and severity of the risk to individuals is not always easy. The downside of reporting when you don’t need to is that organisations could attract unnecessary and unwarranted attention from the ICO. The ICO has confirmed that there’s no such thing as an “off the record” or “just in case” notification: all notifications made will be recorded and investigated in the same way. If an organisation is consistently found to be over-reporting, this could lead to criticism of its internal processes and procedures.

Geldards have developed a breach reporting assessment tool to give you a broad idea of the type of questions you should consider to help determine whether a personal data breach is reportable. Together with Geldards’ data breach notification procedure, this should provide your organisation with an appropriate risk assessment process for deciding when it is necessary to notify the ICO of a personal data breach.

If you would like any further advice, please don't hesitate to contact a member of Geldards' Information Law Team 



Debra Martin, Partner, Derby, +44 (0)1332 378 355

Lowri Phillips, Partner, Cardiff, +44 (0)29 2039 1758

Hayley Lewis, Head of Knowledge Management, Cardiff, +44 (0)29 2039 1785