GDPR Article 32 a Reasonable and Pragmatic Approach

GDPR Article 32 a Reasonable and Pragmatic Approach

The GDPR  can be seen as a  complex and far reaching piece of legislation. One area where data privacy professionals may have a better understanding  is Article 32-Security of Processing. 

GDPR does not downplay security at all, but rather, the language of Article 32 takes a broad, flexible and risk based approach. In other words, it is reasonable and pragmatic.


Security  measures must ensure


  • the confidentiality, 
  • integrity and 
  • availability’ of your systems and services and the personal data you process within them.


Every good Article 32  strategy has the above three pillars at its heart and much like the crooked Amsterdam houses in the main feature image above  they rely on each other to stay secure and upright, remove  one  and it fails.


Some of the requirements noted include business continuity, testing, encryption and prevention of unauthorized access. Security professionals will find it all very familiar, reasonable and most likely included in any reasonably complete information security programs.


However, it would be unwise and incorrect to perceive the Article 32 as the only place where security considerations are required under GDPR. A well-rounded GDPR compliance program should include security measures that are raised in other GDPR mandates. Here are just a few other GDPR mandates where security measures must be considered and addressed:


Breach Notification and Response:


 Articles 33 and 34 cover the long-standing issue tightly aligned with a security program—incident response and breach notification. Notice to both supervisory authorities and data subjects is required in certain instances and knowing how the GDPR is similar to or different from your existing response and notification requirements is of prime importance. Two key issues to keep in mind:

  • a 72 hour reporting timeline is required for certain breaches; and
  • in addition to legal requirements, there are usually more restrictive contractual obligations that controllers may impose on their processors.



Records of Processing Activities: 


Article 30 requires that technical and organizational security measures implemented for processing activities be included in the documentation that organizations create.


International Transfers: 


Articles 44 through 47 provide for various requirements that must be in place before transfers to a third country outside of the EU can take place. Each of the types of transfer mechanisms have security obligations embedded that are important to understand and incorporate.

  • Adequacy decisions in place prior to GDPR are still in effect and the applicable countries have achieved that designation as a result of the data protection laws and enforcement procedures they impose, including security mandates. For each relevant transfer based on adequacy, security obligations specific to the applicable country should be understood and addressed.
  • Appropriate safeguard transfers such as model clauses likewise include security obligations and since the model clauses cannot be edited, security measures are effectively a contractual obligation even before GDPR is enforced.
  • Finally, binding corporate rules (BCRs) take a holistic approach to data protection including policies, accountability and training around appropriate security assessments and protections.


Data Protection Impact Assessments


 (DPIA): Articles 35-36 describe the obligation to implement DPIAs. Both in the language of GDPR (Art 35(7)) and the guidance released by the Art. 29 working party, security measures are a key factor in conducting an effective DPIA. For example, to have true business impact and comply with GDPR, DPIAs must assess risk including risks to security, use input from security experts, implement adequate security measures and identify residual risk including residual risks to security.

While these are just a few examples, the key point in GDPR is to take a holistic approach, identify and manage security risk in your entire business cycle and to see the foundation of the regulation as seeded in consumer protection and transparency Just like a well-rounded security program relies on a comprehensive, risk based approach, GDPR requires us to apply broad, meaningful security protections.

Relentless GDPR services provide a full coverage of all  the compliance components needed for your organisations privacy strategy.

GDPR Do I Need To Appoint an EU Representative

GDPR Do I Need To Appoint an EU Representative

Art. 27 GDPR Representatives of controllers or processors not established in the Union


Your Questions Answered



 Which companies need an EU representative under the GDPR?



Companies that do not have an presence / legal entity  in the EU yet sell their products to or provide services to EU residents  within the European Union must appoint a representative in the Union if they process personal data (GDPR Art. 27(1)).

The GDPR extends the “territorial” scope of its application to controllers and Processors  who have their Headquarters outside of the European Union. The GDPR also applies to the processing of personal data of individuals residing in the EU, regardless of their nationality (GDPR Art. 3(2)). The centre of attention is therefore not only on where the company is located and where the processing takes place as long as the data processed involves individuals residing in the EU.

Non-EU-based companies that offer and deliver products or services to “data subjects” example  an identified or identifiable natural person) in an EU country need to comply with the requirements stated in the GDPR. The GDPR regulation also applies to services that are offered free of charge. The same applies to non-EU-based companies that monitor the behaviour of EU residents (e.g.the  creation of a customer or member profile), provided that their behaviour takes place in the EU.



Whom can companies designate as representative?


Companies can appoint individuals or other companies. The representative can reside or be established anywhere in the EU where relevant data subjects reside; Art. 27(3) does not prescribe a particular member state. The same person or company could serve as representative under Art. 27 and as a data protection officer under Art. 37-39, but companies could also select different persons or entities, in the same or different EU member states.


How do the roles of a representative and data protection officer compare?


A representative under Art. 27 and a data protection officer under Art. 37 have quite different roles, tasks, functions and duties: A data protection officer functions as the long arm of a data protection authority within a company and is intended to foster a compliance culture. The designated representative acts more like a local mailbox. Companies without an establishment in the EU are required under Art. 27 to designate a representative in the EU so data protection authorities can reach and sanction them easier and with less jurisdictional complications. The representative keeps records of processing activities and is available to receive inquiries and complaints; it has no other active duties.


What are the duties of an EU representative?


The main responsibility of the representative is to operate as the intermediary  between the data subjects and the member state supervisory authorities. Therefore, the representative acts on behalf of the controller/processor with regards to their obligations under the GDPR.

In Addition EU representatives must  maintain the records of processing activities (GDPR Art. 30 (1) and (2)) and – where necessary  – making those records available to the supervisory authority (GDPR Art. 30(4)). It is also important to point out  that the appointment of a representative does in no way replace or limit the responsibilities of the company located in a country outside of the European Union.


To what extent can the EU representative be held liable?


Appointing the representative in the EU is made without prejudice to legal actions, which could be initiated against the controller or processor. Therefore, the representative should be responsible to meet the regulatory obligations when processing personal data of EU residents.

Moreover, a representative may be subject to enforcement actions by data protection supervisory authorities in the event of non-compliance by the controller.

If Article 27 applies to your business and if you fail to appoint a Data Protection Representative you could be fined up to (the greater of) €10,000,000 or 2% of global turnover (Article 84(4)(a)).


How can Relentless Privacy and Compliance Services  help ?


Relentless Privacy and Compliance Services have four simple steps  to be appointed as your EU Representative .


Step One :

To carry out our duties of the EU Representative  in maintaining records of processing activities for your organisation we assess your documentation of your  processing activities as stipulated in article 30 of the GDPR and carry out any remedial actions as needed.

Step Two: 

We  create the copy of the record of processing activities  producing a mapping of your   data flows within the Relentless GDPR Portal. We also create the Data Subject Access process in the portal to enable us to answer DSAR requests from your customers and allow us to liaise where necessary with the local supervisory body should the need arise.

Step Three

Upon acceptance of our quote  you designate in writing the appointment of Relentless Privacy and Compliance Services as your EU Representative. This must be displayed within your privacy policy. Where you need to also appoint a DPO we can also act as both DPO and EU Representative.

Step Four 

Assign a member  of your staff as the direct contact point for the organisation for Relentless to communicate with.

Details of our EU Representative Services can be found  here 

Protecting Your Business: The Importance of Record Management and Retention Policies

Protecting Your Business: The Importance of Record Management and Retention Policies

Organisations of all sizes can be weighed down by the volume of records that they create or gather  both in paper and electronic formats. How does your company deal with this mountain of paper and electronic records? 


How long should your company retain and archive such records when considering the countless number of complex national and international record retention requirements and other government agency standards? 


A blanket indefinite retention and storage policy related to all of your company’s paper and electronic records is impractical and could still fall foul of data minimisation requirements of data privacy laws , costly and not the answer!


In contrast, an effective record management and retention policy will help to answer the above practical questions because such a detailed policy will define a company’s legal and compliance recordkeeping requirements. In addition, the policy should outline a system by which a litigation hold can override certain record retention requirements if the litigation hold requires a longer retention period, as well as when a company’s records may be destroyed following expiration of the applicable retention periods.


Scope and Application of a Company’s Record Management and Retention Policy


The scope of a company’s record management and retention policy should apply to all records of the company, regardless of the format that such records are created or stored. Each business unit and all of the company’s employees and officers should be required to adhere to the policy. Data awareness programs play an important part in an organisations data privacy strategy. The terms of the policy should be followed consistently and reevaluated on a periodic basis by management, the length of which should be identified for in the policy.


Retention Schedule in a Company’s Record Management and Retention Policy


Taking into account the global spread of operations of organisations there is no single law or regulation that establishes an identical record retention period with which a company must comply. Instead, the number of laws and regulations requiring a company to retain certain documents is increasing, along with the penalties a company may face for failing to follow best practices in their record retention management.

 Therefore, a well planned record retention schedule should be included in a company’s policy that addresses each type or category of data created by a company in the course of its business and indicates the associated time period that these records are required to be retained.


Key components of a Record Management and Retention Policy


The policy should provide, at a minimum, the following:

  • Types of records covered by the policy
  • Specified procedures related to maintenance of each category of records created or obtained
  • Record retention instructions, retention time periods and storage procedures
  • Timeframe for when the policy should be reviewed and evaluated
  • Steps that a company will take to ensure compliance with the policy and specified consequences for violations


Record Destruction


Organisations  should also have a system in place in which they identify the types or categories of records that are subject to a specific retention period. This identification system will provide guidance to the company as to when these records may be destroyed once the requisite retention period has passed. The policy should also provide clear record disposal and destruction guidelines that the company and/or its third-party contractors will follow.



The Importance of Having a Record Management and Retention Policy and Next Steps for Your Company


The most significant takeaway here for organisations is that they have a written record management and retention policy, and that their employees, officers and applicable third parties are following this policy consistently and effectively.

 If your company does not have such a policy in place,a shrewd decision would be to engage proficient advisors to assist in creating a written record management and retention policy and putting appropriate protocols in place to ensure compliance with national or global requirements.

Relentless Privacy and Compliance Services  is uniquely situated to provide policy advice and services in this area as its Data Security & Privacy Team has vast  experience in assisting companies of all sizes with creating and updating their record management and retention policies, as well as creating frameworks by which companies can manage their types of records based on the applicable retention periods.


Security Breaches are the Icebergs of our Personal Security

Security Breaches are the Icebergs of our Personal Security

At Relentless we are always looking to provide our readership with value add content.


Relentless Global Comprehensive  Data Privacy Assessment  includes looking at data security by design and by default .This great article looks at the details and consequences behind data breaches.


Today we are pleased to share with you our first partner content from Author Chris Smith


The Titanic taught us about a fundamental lesson about icebergs: only a small part is visible above the surface. If we’re talking about data breaches, 2018 was the year we discovered the part of the iceberg floating below the surface. 


Data breach numbers are alarming, but the consequences of these data breaches are what’s impacting our privacy and security, and ultimately, trust. Equifax was fined over $600,000 for a breach exposing nearly 150 million records. Facebook investigated Russian activity attempting to influence the U.S. Presidential elections. The Marriott data breach was tied to Chinese hackers, and it was much more than just credit cards and passport numbers: it illuminated “the patterns of life of global political and business leaders, including who they traveled with, when and where.” And to start off 2019, Google was the first company fined for violating the GDPR with a fine of over $50 million dollars


Despite all this information, people, not to mention companies, still are not taking significant measures to protect their online accounts. Some statistics show that people are actually less worried about privacy and security, and they trust companies more than they did a few years ago. We are starting to see reports of people taking data privacy measures, like deleting the Facebook App, but there is still an emphasis on convenience over security. 


When the news covers these data breaches, the focus is on the bigger picture: the fines, the number of records that have been compromised, the combined cost to consumers, or undue influence on elections. There is less focus on the individual, yet proving identity is a fundamental part of our day to day lives. 


We want to ensure that the individual impacts of data breaches and security failures are not overlooked. So we put together an infographic that shows the daily touch points that make everyone more vulnerable, as people continually distribute their identity information on the Internet. 


As hacks become more widespread and the consequences become more severe, it’s critical to consider these interactions and consider how companies and people can make changes to protect their identity information without sacrificing convenience.


Relentless Privacy and Compliance Services your trusted Data Privacy partner of choice




This article originally appeared on



What is a Data Protection Officer (DPO)

What is a Data Protection Officer (DPO)

DPO is an acronym for Data Protection Officer. which is a key appointment within your organisation.  A DPO is a person who is given formal responsibility for data protection compliance within an organisation reporting into the CEO.  Under the EU’s General Data Protection Regulation (GDPR), some organisations who fall under the requirements will be required to appoint a DPO. When appointed, the GDPR outlines a framework around the roles and responsibilities of the DPO. But it is important to note that not all organisations will have to appoint DPOs and that the DPOs themselves will not personally be responsible for an organisations non-compliance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or processor of the personal data.  


What determines the need to appoint a DPO?


You must appoint a DPO if you are a public authority or body, if your core activities involve the relevant and systematic monitoring of individuals on a large scale or if your core activities involve the processing of sensitive personal data. You will not need a DPO if, for example, you:

  •  Use personal data once or twice a year to promote your local clothes shop

You do need a DPO if, for example, you:

  • Process patient data on fertility and genetics for a hospital
  • Process personal data linked to people’s behaviour online for advertising purpose




DPO The Role Explained


The DPO must be involved, from the outset, in all issues related to data protection compliance. DPOs must monitor the organisation’s compliance and advise the organisation on data protection issues. They need to carry out data protection impact assessments, if the organisation is involved in high-risk processing activities. The DPO will also serve as the primary point of contact between the organisation and the supervisory authority responsible for implementing the GDPR. As you can see the DPO’s role is extensive, including overseeing data protection activities, devising policies and procedures that will enable an organisation to be compliant with the GDPR, monitoring the implementation of these policies and procedures, ensuring staff are trained in data protection and the GDPR, and handling subject access requests for personal data. If a data breach occurs the DPO is to inform all affected parties and be the point of contact for supervisory authorities. The exact responsibilities of a DPO will vary from organisation to organisation, depending on the collection, storage and processing of personal data taking place. The DPO must have access to the most senior positions in an organisation. They must be autonomous and independent, and they cannot be dismissed for fulfilling their role as DPO.


DPO Tasks 


  1. The data protection officer shall have at least the following tasks:
    • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    • to cooperate with the supervisory authority;
    • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.



What are the legal requirements for the DPO role?


  • Independence

    The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.

  • No conflicts of interest

    Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).


What qualifications does a DPO need?


The GDPR does not specify the credentials a DPO should have.

  • Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
  • Professional qualities – DPOs do not need to be qualified lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organisational measures the organisation has in place, and be familiar with information technologies and data security.

In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.

Relentless Privacy and Compliance Services provides DPO Services across 6 global regions.

Learn More


The Malaysian Personal Data Protection Act  “the act”

The Malaysian Personal Data Protection Act “the act”

The Malaysian Personal Data Protection Act 2010 (“the Act”) was written into law  on 15 November 2013. “The Act” mandates that businesses in Malaysia assume additional responsibilities and requirements when it comes to the processing of personal data of their employees, suppliers, and customers. This article provides an overview of  the key issues to note under the Act.

The Malaysian Personal Data Protection Act 2010 (“the Act”) applies to any person who processes and has control over or authorizes the processing of any “personal data” in respect of commercial transactions known as the  (“data user”). The Act also applies to persons not established in Malaysia (for example: international organisations), if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia.


Certain classes of data users (eg: licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register themselves with the Department of Personal Data Protection.




Predominantly, “personal data” covered by the Act is information that relates to a data subject who is identifiable from that information being processed or collected. This broad definition will cover data types  such as names, contact details, national registration identity card numbers, and passport numbers. Personal data also includes any sensitive personal data such as the physical or mental health information of the data subject, his/ her  political opinions and religious beliefs, and criminal convictions among others. 




Under the Act, data users are required to adhere to  the 7 Personal Data Protection Principles. 


  1. General: Personal data can only be processed with the data subject’s consent.
  2. Notice and Choice: Data subjects must be informed by written notice of, among  other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the  choices and means by which the data subject can limit the processing of their personal data.
  3. Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that which the data was disclosed at the time of collection, or to any person other than that notified to the data user.
  4. Security: Data users must take practical steps to protect the personal data from any loss, misuse, modification or unauthorized access or disclosure, alteration or destruction.
  5. Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
  6. Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
  7. Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.


Maximum fines for various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.


What steps can a business take to help achieve compliance 


If your organization is a data user under the Act, you should start considering the following actions:


  1. Conduct an audit to identify: 

(a) the types of personal data being collected and processed; 

b) the purposes personal data is being collected; 

(c) third parties to whom personal data is being disclosed; 

(d) how data subjects are being notified of the data processing


  1. Have a privacy  framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.


  1. Be mindful that even if you have an existing global privacy policy in place, it may need to be reviewed and customized to match the Malaysian requirements. (For example, the Act requires personal data notices to be issued in both English and Malay).


  1. Key personnel must be trained on the application  of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.


  1. Board level commitment . Given the severe consequences for non-compliance, it is imperative that senior management sets the tone and “buy in” the importance of complying with the Act.


  1. Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.


While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world as well as boosting investor confidence.

Learn More



Ensuring GDPR Compliance When a Subject Sends an Access Request

Ensuring GDPR Compliance When a Subject Sends an Access Request

One of the many significant changes brought about by GDPR was the data subject’s greater right of access to personal information. And that is far-reaching. The data controller must fulfil a data subject access request (DSAR) within a month to comply with GDPR. So, the correct system components must be in place to make sure this happens. To get a better grasp of this,


What access rights do data subjects have?



Data Subject Access Rights


Under GDPR, a data subject is a person who is identifiable from the information which a controller holds on them. The controller is the party that decides the how and why of data processing and bears the most legal responsibility. Third parties handling the data on behalf of a controller are “data processors”. They also have obligations by law. In the interests of transparency, GDPR gives individuals a full right of access to their data under Article 15. They have a right to know or do the following:

  • The purposes of data processing
  • The categories of personal data collected
  • The recipients or recipient categories to whom personal data has been or will be disclosed
  • The period of data storage or the criteria for determining that period
  • The source of the data if not obtained first-hand
  • The existence of automated decision making
  • The logic involved in automated decision making and any risks it poses
  • The safeguards in place for the passing of data to a third country or global body (GDPR Article 46)
  • Object to data processing and lodge a complaint with a supervisory authority
  • Obtain a copy of data undergoing processing

On top of these rights, data subjects have the right to correct or erase data or move it to a third party. The latter is “data portability”. Of course, there are others such as the right to be informed of a data breach, the right to withdraw a consent, the right to restriction of processing and the rights to children. Those are not being detailed because of the chosen example. All this needs infrastructure on the part of the company. A system should be in place that deals efficiently with Data Subject Access Requests (DSARs).


Data Mapping


Handling DSARs exposes any failings in data management. Data mapping is a vital part of responding to a DSAR, since the controller must know where data resides, to respond in good time. Compliance software such as Relentless GDPR 247 helps achieve this for organisations


Data Minimisation


Data minimisation is a key part of GDPR compliance. That means carrying out frequent inventories of data and deleting whatever is surplus. Controllers shouldn’t store personal data beyond the period originally stated. Efficiency in this area makes it easier to deal with a DSAR.


Data Subject Access Request; an Example


Let’s imagine a motor insurance company called Magic Insurance. Within that company, several departments might need access to personal data, including Claims, Finance, Underwriting and Customer Care. The problem with centrally stored, easily accessible data, is that it goes astray. It gets copied, moved, and soon the company is suffering from “data sprawl”. An efficient system of data management is the solution. magic Insurance receives a DSAR from Mr Jon Doe, who is keen to know what data the company holds on him. He sends the request by email. The company now has up to one month to satisfy the request. What processes must Magic Insurance follow?


1. Initial Response


First, it’s essential to confirm the identity of Mr Jon Doe. Otherwise, Magic Insurance risks breaching GDPR by handing over personal data to a malicious party. The company would also ask at this point how the data subject wants delivery of the information. This might be in writing or by email. Having received the DSAR, the person responsible at Magic Insurance starts documenting the request over its entire life cycle. Keeping records of an access request and all its stages is a vital part of GDPR. This is where software such as Relentless GDPR 24/7  is a essential tool to any sized businesses. Built-in DSAR management tracks a SAR and archives all aspects of it.


2. Gathering the Information


After verifying the subject’s ID, the Magic Insurance DSAR handler liaises with departments to gather information. Remember, each department only has access to the data it needs, and all staff know their data-handling responsibilities. During a DSAR, all relevant departments must check digital data, any paper records (filed methodically) and search email systems for any emails which identify the subject. Deleted records are exempt, even if they are retrievable using technical expertise. In line with data minimisation, each department only holds the data necessary to do its job. In Magic Insurance, the Claims department knows Mr Jon Doe’s policy number and can identify him through that. It might also store a history of previous claims. The Finance department has the customer’s bank details or identifiers such as IBAN numbers. And so on. It’s the job of the IT department to know which systems store personal data and put adequate security in place to protect them and it. A process must exist which enables the identifying and reporting of data breaches within 72 hours.


3. Reviewing the Information


At the review stage, Magic Insurance decides if all the data it stores is safe to disclose. For instance, details of third parties should not be given without consent . Other persons might have been involved in a traffic accident with Mr Jon Doe, for example. A DSAR always needs a response, even where no data is held.


4. The Final Response


Within 30 days, Magic Insurance sends the requested information to Mr Jon Doe in the agreed format. Under GDPR Article 15, this communication should be clear to the average person and free of any industry jargon or unexplained codes. Magic Insurance keeps a record of the entire process, not least to show compliance in the event of a further query.


Get Ready to Prove Compliance

Using compliance software such as Relentless GDPR 24/7  eases the DSAR process. You can add a form to your website to control requests and make sure subjects supply all the information you need. Complementary features such as data mapping help you to pinpoint the data you hold. A data subject access request brings GDPR into sharp relief. If your business is not ready for such a test, get started now!

Learn More
Data Breach  Root Causes

Data Breach Root Causes



With so many cases of data breaches being reported, you may be wondering whether hackers have become cleverer or whether organisations are not giving data protection the seriousness it deserves. Unfortunately, many organisations may not know human error is one of the primary data breach causes. Often, inappropriate data handling policies and procedures, not to mention negligence and lack of vigilance by data users, are what expose information to intruders (or hackers if you like). Some of the most obvious mistakes made by data system users point to such things as lost or stolen paperwork, leaked passwords and sending emails to the wrong recipients, etc.


What exactly causes human-related data breaches?


Data users, specifically employees, expose organisational data systems to hackers by making simple mistakes that can easily be avoided. Here are many of the most common data breach causes.


Use of weak passwords


A password such as your spouse’s name or your birthday could be easy to remember but can also be correctly guessed by someone else, or can be cracked by the so-called brute-force attack, with ease. A shared password is also a risk factor, as you just don’t know who else it will be shared with , staff colleagues with malicious intentions included. Additionally, if one password is used by employees across multiple accounts, all accounts risk being breached, in case one of them is accessed by attackers.


Low data security awareness

Not everyone updates themselves on data security matters. Often, employees fail to update the software they use, perhaps because they don’t realise how important it is to update such software, or just because update notifications come at a time when they (employees) are swamped, working on their regular tasks. Even worse still is the fact that even the smartest employees fall prey to scammers who spread malicious email links. They click on these links without realising how harmful they are. In some cases, employees create vulnerabilities by inadvertently downloading malicious software or plugging in devices whose security may already be compromised.


Careless data handling


Employees deal with large amounts of data on a routine basis. As such, making mistakes during data transfers is not unheard of. Wrong typing of the recipient’s email address or attaching the wrong file to the email could mean that the organisation’s sensitive information lands in the wrong hands.


Uncontrolled data access


Granting employees too much access to data is another human mistake that exposes data systems breaches. Uncontrolled data access may result in unauthorised system changes, as the employees may want to make their job easier or speed up the data system. Unfortunately, such changes may hinder the normal operation of the organisation. The data system may be brought to a halt in extreme cases. In such an open data access setting, employees also gain access to system configurations and information that they are not authorised to access, leading to data leaks.


Negligence of proper security procedures


Most employees put their work first before everything else. They focus on completing their work fast, even if it means compromising the data security of the organisation. Data security features, such as updates, are very critical to the efficiency of the organisation’s overall data protection. However, these updates take too long to complete; hence, employees tend to ignore them. Some employees may also decide to turn off important data security features they deem to be intrusive. These human actions can easily expose the whole data system to breaches.


Examples of data breaches caused by human error


Having said that human errors play a significant role in data breaches, it’s essential to know some of the well-documented breaches caused by this human element.




In early 2015, Anthem, a health insurance company in America treated the world to the shocking news that attackers had gained access to their data system, stealing social security numbers, income data, and addresses of the company’s employees and clients. It was claimed that someone had initiated a database query using one of the company administrator’s unique identifier codes. As many people believe, the attackers employed social engineering methods to steal the code. This breach affected at least 80 million clients.




In 2014, the news had it that some attackers stole the credentials of up to 100 eBay employees. This information was used to access the internal network of this e-commerce site. The attackers exfiltrated the details of about 145 million clients of the company, including their names, physical addresses, email addresses, and passwords.


Sony Pictures Entertainment


It all began when the company’s top executives received fake Apple ID verification messages via email. Each email redirected the recipient to a phishing website, which accessed the Apple information of these executives. The attackers also used the information to gain access to LinkedIn profiles of the company employees, as they tried to access Sony’s network. The attackers would cripple the computer networks of the company, making off with a 100 data terabytes.




In September 2015, a SoHo clinic staff sent out a newsletter to 781 “Option E” subscribers. In the process, the sender accidentally entered the emails into the ‘To’ field instead of the ‘BCC’ field, allowing every recipient to view every other recipient’s email address, as well as their full names.


Best practices to prevent human-related data breaches


Although there are cyber security mistakes that occur occasionally, others could be systematic (think using weak passwords). And while their damage to your business may not happen immediately, such errors are indeed a disaster in waiting. If they’re not moderated in time, they will result in data breaches and leaks, which may require vast sums of money to fix. However, you can employ the following practices to protect your business from human security mistakes effectively.


Employee education


Training your employees on data security matters creates security awareness, which goes a long way in lessening or eliminating mistakes. Educate them on secure methods of handling data and the extent of damage that data breaches can cause. Let this awareness be in their DNA.


Implementation of effective security policy


It’s critical to formalise security rules and regulations in your organisation by writing them down. The policy document should clearly outline how data should be handled, the monitoring software that should be used and how passwords should be managed, etc. Every employee should be familiar with the data security policy, and the policy should be enforced to the letter.


Limited privileges


Unless it’s absolutely necessary, all the employees should not have the privilege to access every bit of data in your company. It’s safer to allow them only to access information that is necessary for them to work. Any other data should only be retrieved when there is an unavoidable need. This helps to prevent any accidental data deletion and leaks.


Employee monitoring


Distinguishing regular user activities from security mistakes may be difficult. This makes it possible for the errors to go unnoticed for an extended period, which renders your data vulnerable to breaches. Using employee monitoring software is one reliable way of detecting and fixing the mistakes as soon as they happen.


Prevent human errors with Relentless GDPR 24/7

Want to eradicate data breach causes resulting from employee mistakes?

Use Relentless GDPR 24/7  a purpose-designed programme loaded with built-in GDPR guidance, data risk assessments, data breach management, subject access management, and other GDPR compliance aspects. With all these features, Relentless GDPR 247 secures your data like no other.

Find Out More

Privacy Preference Center