Following our last blog post about the unpreparedness of EU businesses for the arrival of the EU GDPR (which can be found here), another survey, reported by cisomag.com, reveals that a considerable number of Britain's employees commit data breaches by frequently and maliciously leaking confidential data and information through misuse of their workplace email.
The survey comprised around 2,000 respondents, and the results showed that:
- 1 in 4 employees has purposefully shared confidential business data outside of their organisation.
- Over half of respondents delete the item from their sent folder if they forwarded information to a person that they shouldn't have (!).
- 37% admitted that they have sent emails in error without first checking or reading them.
- 1 in 10 of those who sent wrong information said they accidentally leaked sensitive attachments such as bank details or personal customer information, putting customers and organisations at risk.
The survey, conducted by OnePoll on behalf of Egress Software Technologies (https://www.cisomag.com/24-uk-employees-maliciously-misuse-company-emails-research/), goes on to say that 68% of respondents admitted they sent wrong emails in a hurry, and 8% of employees have even sent wrong emails under the influence of alcohol (does "Mail Goggles" still exist?). 42% blamed the auto-select option for choosing the wrong recipients.
This coincides with another report (the CyberEdge 2017 Cyber Defence Report), which states that "The biggest barrier to establishing effective defences is low security awareness amongst employees", followed by "lack of skilled personnel". Not far behind these two reasons is "Lack of Management Support/Awareness". This brings into question the level of awareness and knowledge of information security and data protection at senior management level (CEOs and MDs are ultimately accountable under GDPR).
The findings from both of these surveys make for uncomfortable reading given that it is only six months until the EU GDPR becomes enforceable. They also highlight the fact that the most common vulnerabilities within an organisation are in fact internal, and therefore reaffirm the need for employee training and HR policies that reflect the corporate policy on email.
What Are the Implications under GDPR?
Confidential data (personal information) sent to unauthorised recipients would be classed as a data breach, because that personal information has become compromised. In fact, Article 33 states that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
That is only part of an organisation's data breach reporting obligations, however, as Article 34 states that:
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
The Information Commissioner's Office (which also reported a 46% increase in email-related breaches in Q4 2016/17) states that companies are expected to put in place comprehensive but proportionate governance measures, and that organisations must implement appropriate technical and organisational measures in order to demonstrate compliance.
The regulation affects the WHOLE of your company, from the top of the organisation all the way through.
If your business controls or stores confidential data, and you are still unsure as to how Data Protection Laws and Privacy Regulations affect your business, then contact us today to discuss options to ensure you’re on the right path to compliance.