How to safeguard your organisation against a GDPR breach

Breaching GDPR obligations is not only reputationally damaging – it’s expensive. Here, we discuss what the current data protection climate looks like, and what businesses must do to meet their data protection obligations.

Both data protection and GDPR are very much in the public eye right now. Take, for example, the high-profile data breach suffered by the Police Service of Northern Ireland (PSNI) last year, which showed just how serious the consequences of a breach can be, both for a business and for the individuals to whom the data belongs.

According to the latest data from the Information Commissioner’s Office (ICO), data-related incidents are on the rise. In Q2 of last year, 2,893 incidents were reported to the ICO, a 41% increase on the same quarter in 2022. Of these, ransomware was the most common type of incident, although malware-related incidents had also increased by more than 500% since 2022.

What are the most common data protection issues?

According to the ICO, the most common types of incident remain “non-cyber breaches”. These are defined as incidents that do not “have a clear online or technological element which involves a third party with malicious intent”.

For example, the most recent data suggests that 15% of incidents involved data that were emailed to the wrong recipients, while 4% involved a failure to redact sensitive information before an item was sent.

For cyber-related incidents, 12% involved ransomware, which is defined as “a type of malware that unlawfully encrypts a user’s files and demands a ransom to unencrypt files”. This has risen significantly since 2019, when ransomware accounted for just 1% of the incidents reported.

Across the EU, more fines were incurred in 2023 alone than in 2019, 2020, and 2021 combined for data protection breaches, according to Statista, amounting to more than €2bn.

What are businesses getting wrong?

Regardless of the kinds of data a business is likely to handle, the principles of GDPR are something that every business must take seriously.

Despite the UK’s withdrawal from the EU, compliance with GDPR remains a legal requirement under the Data Protection Act. Organisations doing business in, or transferring data to and from, the European Union must also comply with the EU GDPR.

Furthermore, as business models change to digital and remote-based ways of working, it is more likely than ever that data – including personal data – will no longer be held centrally and may even be available via individuals and personal devices.

Data held in the cloud may also transfer between jurisdictions, placing even primarily national and local businesses at risk of breaching both the UK and EU GDPR.

As such, regulators are increasingly willing to exercise their powers and pose sizeable sums on businesses that fail to comply.

How can a business avoid breaching its GDPR obligations?

Any business that stores, handles, and processes personal data must be confident that information relating to an identified or identifiable individual is processed lawfully, fairly, and in a transparent manner.

This means informing an individual about which data the business is collecting and the lawful reason why, who may receive these data, and any rights of which the data subject (i.e. the individual whom the data concern) should be aware.

Hiding this information amongst wordy terms and conditions and privacy policies is not advisable, as the GDPR also requires that such information be communicated clearly and at a level that its intended audience will understand.

Compliant data processing does not just relate to individuals outside an organisation. Employees must also understand their obligations concerning GDPR. Most employees can now access sensitive data outside of an office or central location and many breaches are often the result of human error, whether that is losing a laptop or sending an email to the wrong person.

Regular, relevant training on GDPR and data protection is vital to ensure that all employees are aware of the requirements and work towards keeping an organisation compliant.

At a minimum, this training should include:

• obligations when handling personal data;
• when data must be deleted or anonymised;
• how to comply with data subject access requests, without breaching GDPR obligations;
• the potential consequences of a breach for a business, and;
• how to ensure personal data are correct, proportionate, and not kept for longer than necessary.

With some of the world’s biggest technology companies based in Ireland, the ICO’s latest data, as well as the fallout from the PSNI breach, serve as important reminders that compliance with GDPR is not a box-ticking exercise, but one that all businesses must take seriously.