The Irish Data Protection Commission - the lead privacy authority across the EU - has revealed that employee gaffes remain the biggest threat to companies’ data systems, with cybersecurity incidents accounting for just 3.5% of breaches.
According to the Irish DPC’s annual report for its first full year operating under GDPR, the vast majority of breaches were blamed on unauthorised disclosures, including emails and letters to incorrect recipients; administrative processing errors; verbal disclosures; papers lost or stolen; and unauthorised access to personal data in the workplace.
Overall, the DPC received 7,215 complaints in 2019, of which 6,904 were related to GDPR. The remaining 311 were related to issues reported prior to GDPR and were handled by the commission under the previous Irish Data Protection Acts 1988 to 2003.
The majority of complaints that the DPC received were due to access request issues, which accounted for 29% of GDPR issues. Disclosure and data processing complaints made up 35% of the issues that people reported.
Commissioner Helen Dixon said: “Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, with the battle often staged around a disputed access request.”
Out of the 6,257 data breach notifications dealt with by the DPC, only 223 related to cybersecurity incidents. The majority (5,188) pertained to unauthorised disclosures, while only 108 were the result of a hack and 161 were due to phishing.
The report noted: “The DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.”