February 6, 2020updated 13 Jul 2022 10:37am

Human Error Not Cybersecurity is Leading GDPR Data Breach Trend

Important that controllers understand...

By CBR Staff Writer

Human error, not cybersecurity incidents, is the leading cause of data breaches reported under the new GDPR regime, according to the Irish Data Protection Commission (DPC).

The DPC has detailed the data breach trends it observed during the first year of GDPR, and unauthorised disclosure tops the list, accounting for 83 percent of all reported breaches.

One controller reported a total of seven incidents to the DPC in which email accounts of staff members had potentially been compromised. A significant amount of personal data was involved, with various levels of risk presented to affected data subjects. These breaches, and particularly their continued recurrence, were the result of the controller’s failure to have the appropriate technical and organisational measures in place to ensure the security of personal data stored within its IT environment.

During the first year of GDPR, beginning on 25 May 2018, the Irish Data Protection Commission received 5,818 data breach notifications. The DPC notes that approximately 4 percent of all reported breaches were deemed not to meet the definition of a ‘personal data breach’ once GDPR was applied.

Requirement of Notification

The DPC also notes that in GDPR’s first year 13 percent of the reported breaches ‘failed to satisfy the requirement of notification’, meaning that the organisations reporting the loss of company and/or customer data did not notify the DPC within the 72 hours of becoming aware of the breach that GDPR (Article 33) stipulates.

Data breaches appear to be happening in all industries: the DPC’s Breach Assessment Unit has “undertaken an analysis of breach notifications received from areas within the public and private sector, including those notified by: the financial sector; the insurance sector; the telecommunications industry; the healthcare industry; and law enforcement.”

Out of all the data breaches reported to the DPC, 83 percent were classified as an unauthorised disclosure. This occurs when an organisation or employee sends sensitive or personal data to the wrong recipient, for example via an SMS message or email.


This category may be so large because the DPC also includes within it all of the erroneous disclosures that happen through customer online portals and through processing errors. Sending a physical letter containing sensitive data to the wrong person is also classified as an unauthorised disclosure.

Data Breach Trend

Attacks by threat actors, that is, genuine cybersecurity incidents, are responsible for just 7 percent of the breaches reported to the Irish data protection authority.

Surprisingly, stolen or lost devices account for only 2 percent of breaches, while lost or stolen documents and papers make up 5 percent.

The Irish Data Protection Commission is warning data controllers, and the processors acting on their behalf, that they have clear obligations under GDPR to report data breaches accurately and within a set time frame.

“It is important that controllers understand that once they have been made aware of a personal data breach, a timetable is set in motion,” the commission warns.

