February 6, 2020

Human Error Not Cybersecurity is Leading GDPR Data Breach Trend

Important that controllers understand...

By CBR Staff Writer

Human error, not cybersecurity incidents, is the main data breach trend under the new GDPR regime, according to the Irish Data Protection Commission (DPC).

The DPC has detailed the data breach trends it has observed during the first year of GDPR, and unauthorised disclosure tops the list, accounting for 83 percent of all reported breaches.

One controller reported a total of 7 incidents to the DPC where email accounts of staff members had been potentially compromised. A significant amount of personal data was involved, with various levels of risk presented to affected data subjects. These breaches, particularly their continued reoccurrence, were the result of the controller’s failure to have the appropriate technical and organisational measures in place to ensure the security of personal data stored within their IT environment.

During the first year of GDPR, beginning on 25 May 2018, the Irish Data Protection Commission received 5,818 data breach notifications. The DPC notes that approximately 4 percent of all reported breaches were deemed not to have met the definition of a ‘personal data breach’ when GDPR is applied.

Requirement of Notification

The DPC also notes that in GDPR’s first year 13 percent of the reported breaches ‘failed to satisfy the requirement of notification’, meaning that organisations reporting the loss of company and/or customer data failed to do so within the 72 hours stipulated by GDPR.

Data breaches appear to be happening in all industries as the DPC’s Breach Assessment Unit has “Undertaken an analysis of breach notifications received from areas within the public and private sector, including those notified by: the financial sector; the insurance sector; the telecommunications industry; the healthcare industry; and law enforcement.”

Out of all the data breaches reported to the DPC, 83 percent were classified as an unauthorised disclosure. This occurs when an organisation or employee sends sensitive or personal data to the wrong recipient via an SMS message or email.

[Figure: Data breach trend. Credit: DPC]

This category may be so high because the DPC also includes within this bracket all of the erroneous disclosures that happen through customer online portals and by processing errors. Sending a physical letter containing sensitive data to the wrong person is also classified as an unauthorised disclosure.

An attack by a threat actor causing a cybersecurity incident is responsible for just 7 percent of reported breaches to the Irish data authorities.

Surprisingly, stolen or lost devices account for only 2 percent of breaches, whilst lost or stolen documents and papers make up 5 percent.

The Irish Data Protection Commission is warning data handlers and controllers that they have clear obligations under GDPR to report data breaches accurately and within a set time frame.

“It is important that controllers understand that once they have been made aware of a personal data breach, a timetable is set in motion,” the commission warns.

[Figure: Percentage of data breaches, by breach outcome. Credit: DPC]
