GDPR Data Breaches & Human Error: How Bad Is It?

Explore how human error causes data breaches and the measures, policies and technical controls businesses can use to reduce risk.

Data breaches happen daily, often at the hands of employees. In fact, Mimecast’s 2025 report revealed that human error is the cause of 95% of breaches.

These errors, while unintentional, can have serious implications for your business. In this blog, we’ll explore the most common data breaches caused by human error and the necessary controls to reduce the likelihood of such incidents happening again.

What Types of Data Breaches Are Caused By Human Error? 

Based on the ICO’s data security incident trends, the most common human error-induced data breaches in 2024 are as follows:

  1. Data emailed to the incorrect recipient – 18% of reported breaches
  2. Falling for a phishing attack – 11% of reported breaches
  3. Failure to redact – 6% of reported breaches
  4. Data posted or faxed to the wrong recipient – 6% of reported breaches
  5. Loss/theft of paperwork or data left in an insecure location – 5% of reported breaches
  6. Failure to use BCC – 3% of reported breaches

Careless email behaviour is the leading cause of data breaches. This has remained the case for the last few years and continues to rise as we become increasingly reliant on online communications. 

Other common mistakes include employees using weak or reused passwords, exposing sensitive data on public Wi-Fi networks, or failing to keep work devices up to date with security updates. 

Are Employees Really to Blame?

Blaming employees is only a surface-level response. Yes, accidents do happen, and even the most well-protected organisations fall victim to breaches. But the real question is: did you have the necessary tools, procedures and policies in place to begin with?

Under the UK GDPR, organisations are responsible for implementing appropriate technical and organisational measures (or ‘TOMs’) to minimise personal data breaches. If those controls aren’t in place, the accountability lies with the organisation, not the individual.

TOMs are a fundamental part of your data protection obligations (see Article 32). To learn more, read our recent guidance on TOMs: 

How to Prevent Human Error in the Workplace

1. Implement Policies & Procedures

If you don’t have clear policies and procedures, how can you expect your employees to know what they did was wrong in the first place? 

Policies and procedures provide structure, helping employees understand their obligations and the steps necessary to maintain compliance. 

Under the UK GDPR, you should have a:

  • Data Protection Policy – This outlines your GDPR requirements and commitment to compliance.
  • Data Retention Policy – This policy outlines the duration for which data will be retained, which is essential for employees to know when storing and destroying personal data. A data retention schedule will keep your team on track for disposing of data when no longer required.
  • Data Breach Notification & Response Procedure – Although you can never avoid human error entirely, you need to know what to do when a mistake turns into a breach. These procedures guide employees on what to do in the event of one, so it doesn’t turn into something worse.
  • Data Breach Report Form – In addition to the above procedures, you need a form for capturing the details of an incident, because you are required to provide explicit notification to the ICO when a breach must be reported.
  • Subject Access Request (SAR) Form – When a data subject requests their data, do your employees know what to do? Without awareness, your employee could simply ignore or mishandle the request. Having this form ensures that all SARs are processed correctly.

This is not an exhaustive list, so we’d recommend speaking with one of our data protection advisors to get a better understanding of what’s needed. 

2. Implement Stronger IT Controls

Minimising human error requires the right technical safeguards to catch mistakes before they cause harm. Some key technical controls include:

  • Email security tools – Use Data Loss Prevention (DLP) software and email filters to prevent emails from being sent to the wrong person or containing unredacted data. Some tools can flag or block messages containing sensitive information.
  • Multi-Factor Authentication (MFA) – Even if login details are compromised, MFA adds an extra layer of protection to keep accounts secure.
  • Strong password policies – Encourage employees to use complex, unique passwords for every platform they use.
  • Automatic updates & patch management – Keep systems updated to reduce vulnerabilities, even if employees forget or delay manual updates.
  • Access controls & least privilege – Limit data access to only what’s necessary for each role.
  • Endpoint security – Protect laptops, mobiles and other devices with antivirus, firewalls and mobile device management.
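The two email-related controls above (flagging sensitive content before it leaves, and catching a missing BCC) can be illustrated with a small outbound-mail check. The following Python is an added example written for this article, not a product or code from the original page; the internal domain, the recipient addresses and the three sample messages are constructed, and the detection patterns are deliberately simplified stand-ins for the far more precise detectors a real DLP tool would use.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical internal domain for this example; any other domain is external.
INTERNAL_DOMAIN = "example.co.uk"

# Simplified, constructed patterns for personal data that should not leave the
# organisation unredacted. A real DLP tool uses far more precise detectors.
SENSITIVE_PATTERNS = {
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "date_of_birth": re.compile(r"\b(?:date of birth|DOB)\b", re.IGNORECASE),
    "health_data": re.compile(r"\b(?:diagnosis|medical record)\b", re.IGNORECASE),
}

# More external addresses than this in To/Cc means BCC should have been used.
MAX_VISIBLE_EXTERNAL = 1


def is_external(address: str) -> bool:
    """True if the address belongs to a domain other than INTERNAL_DOMAIN."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def extract_text(msg) -> str:
    """Concatenate all text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_outbound(raw_message: str) -> dict:
    """Run both checks on a raw RFC 5322 message and return findings plus a decision.

    Blocks when a group of external recipients would see each other's addresses
    (BCC failure), or when sensitive content is addressed to an external recipient.
    """
    msg = message_from_string(raw_message)
    visible = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in visible if is_external(a)]
    findings = []

    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external recipients visible in To/Cc; use BCC")

    matched = [name for name, pattern in SENSITIVE_PATTERNS.items()
               if pattern.search(extract_text(msg))]
    if matched and external:
        findings.append(f"sensitive content ({', '.join(matched)}) addressed to external recipient(s)")

    return {"block": bool(findings), "findings": findings, "external_recipients": external}


# Constructed sample: a customer mailing with external addresses visible in To.
SAMPLE_BCC_FAILURE = """\
From: comms@example.co.uk
To: alice@client-one.test, bob@client-two.test, carol@client-three.test
Subject: Service update
Content-Type: text/plain; charset=utf-8

Dear customers, our opening hours change next week.
"""

# Constructed sample: an HR note containing an NI number sent to an external address.
SAMPLE_UNREDACTED = """\
From: hr@example.co.uk
To: payroll@outside-provider.test
Subject: New starter
Content-Type: text/plain; charset=utf-8

Please set up J. Smith, NI number AB123456C, date of birth on file.
"""

# Constructed sample: internal-only message that should pass.
SAMPLE_OK = """\
From: hr@example.co.uk
To: manager@example.co.uk
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Team lunch is at 1pm.
"""

if __name__ == "__main__":
    for label, sample in [("bcc_failure", SAMPLE_BCC_FAILURE),
                          ("unredacted", SAMPLE_UNREDACTED),
                          ("ok", SAMPLE_OK)]:
        print(label, check_outbound(sample))
```

The point of the design is that the decision depends on where the message is going, not only on what it contains: the same NI number in an internal message is allowed through, while a single external recipient is enough to block it, and a mailing to several outside addresses is blocked even with an innocuous body. In practice a check like this sits in the mail gateway or client plug-in, and a "block" should prompt the sender to confirm or correct rather than silently drop the message.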

3. Commit to Regular Cyber Security & GDPR Training

Your employees are your first and last line of defence when it comes to security and compliance. They’re the people handling personal data, sending emails and making your business operate. Through regular training, you can minimise human error and build a culture of awareness. 

Your organisation should do the following:

  • Include data protection training as part of your onboarding process and have scheduled refresher sessions to keep knowledge up to date. 
  • Encourage employees to ask questions and raise security concerns, rather than avoiding or attempting to resolve them on their own.
  • Conduct cyber security training, such as phishing awareness, to equip employees with tips on how to identify a threat.
  • Send company-wide updates to raise awareness of industry threats and any updates to policies or procedures. 

4. Conduct a Data Protection Audit

A data protection audit helps you identify and avoid repeating the same or similar mistakes. It’s a deep dive into your organisation’s overall compliance, helping you understand:

  • Why you’re collecting personal data (your lawful basis)
  • What personal data you’re collecting
  • How personal data is stored, processed and destroyed
  • Whether you have the right technical and organisational controls
  • Your roles and responsibilities under the UK GDPR 
  • Whether your existing policies and procedures are legally compliant
  • Gaps in knowledge, i.e., where employee training is needed

Above all, regular audits help protect you against data breaches, whether caused by human error or otherwise.

5. Keep Your Priorities In Order

You need to have a dedicated point of contact for data protection within your organisation. This may be your IT team, executive leadership or a designated data protection officer (DPO). 

However, employees who aren’t full-time DPOs often juggle multiple responsibilities. They may be pulled into solving day-to-day issues, leaving less time to focus on compliance. Depending on the scale of your processing activities, you may find yourself outsourcing to a data protection consultancy to ease the burden on your internal team. 

Whether you need an outsourced DPO or temporary support, these options provide a dedicated safeguard to help prevent internal oversights from escalating into breaches.

Speak to Our GDPR Consultancy Today 

As a cyber security and GDPR consultancy, we can help secure your business and ensure you remain compliant with data protection regulations. Speak with our team to learn more.