The Irish Data Protection Commission (DPC) has analysed the data breach trends within its oversight during the first year of GDPR. A massive 83% of reported breaches could be down to simple human error or a lack of GDPR awareness.
As reported by Computer Business Review, the DPC’s findings appear to point to human fault rather than a lack of technology or cybersecurity to protect personal and sensitive data. 83% of reported breaches are classified as “unauthorised disclosure.” This means an organisation, or one of its employees, has sent personal or sensitive data to the wrong recipient by SMS message or by email. It can also include physical letters, as well as accidental disclosures of information via online customer portals and through processing errors.
For the year following May 25, 2018, the Irish DPC received 5,818 data breach notifications. Around 4% of these did not, in the end, meet the definition of a “personal data breach,” and so did not fall under GDPR.
Of the breaches in which companies reported loss of company or customer data, 13% were not reported within the 72-hour period required under GDPR. The DPC says:
“It is important that controllers understand that once they have been made aware of a personal data breach, a timetable is set in motion.”
Furthermore, only 7% of reported breaches were the result of an attack by a hacker or cybercriminal, a figure far lower than many might expect.
As well as the 83% classified as “unauthorised disclosure,” and potentially due to human error, lost and stolen devices make up 2% of the breaches, and lost or stolen documents or papers account for 5% of the total.
A data controller from one company reported seven incidents of compromised email accounts to the DPC. A “significant” amount of personal data may have been breached, putting the individuals concerned at risk. In this case the recurrence of the breaches was because the data controller did not have the right technical and organisational measures in place to ensure data security.
The DPC also found that data breaches were spread across industries, saying it had received breach notifications from “within the public and private sector, including those notified by: the financial sector; the insurance sector; the telecommunications industry; the healthcare industry; and law enforcement.”
The Irish DPC is one of the busiest in Europe
A recent article from RTE says that across 2019 there were 6,716 data breaches reported to the DPC. The numbers were crunched by DLA Piper, which found that Ireland has the second highest number of GDPR breach reports per capita in all of Europe. That makes the DPC one of the busiest in the EU. The highest number of GDPR breach reports per capita in 2019 is attributed to the Netherlands.
Ongoing investigations could result in GDPR fines issued by Ireland
RTE says the high figures for Ireland are likely because a number of large technology firms have bases there. This means that the Irish DPC has GDPR oversight of companies such as Google. So far, the DPC has not issued any GDPR fines, but it is investigating Facebook, Twitter, Apple, WhatsApp and Google. These investigations could lead to fines in the future.
Across Europe there have been 160,000 GDPR reportable breaches since May 2018. After Ireland, Denmark has the next highest number of breaches per capita. Italy, Romania and Greece have the fewest breaches per capita. So far GDPR has led to fines of €114 million.
If GDPR breaches are because of human error, then training is needed
We hate to blow our own trumpet at The Defence Works. But if 83% of GDPR breaches reported to the Irish DPC are because of some form of human error, action, or inaction, then it is fair to say comparable statistics may apply elsewhere in Europe and in the UK. If this is the case, then more GDPR training and data security awareness training is needed. Human-caused data protection and cybersecurity incidents are often preventable.
We make GDPR training fun and effective
GDPR employee training can help to prevent huge GDPR non-compliance fines. At The Defence Works we make our training engaging. We cut through clunky data protection wording and cut out dull delivery. Our aim is to make GDPR compliance, data protection and cybersecurity everyone’s responsibility, getting the message across in a light-hearted way. Our goal is to empower employees and give them the confidence to understand, deal with, and protect data privacy.
Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.