THE LENS
Digital developments in focus

You've been warned! Learnings from non-cyber regulatory action and litigation

Despite cyber-attacks dominating the media headlines this year, including against Marks and Spencer, the Co-op and Jaguar Land Rover, the majority of data breaches that occur actually stem from non-cyber incidents, particularly from human error and flawed processes. In fact, around 75% of breaches reported to the UK Information Commissioner’s Office (ICO) in Q1 of 2025 were non-cyber breaches, an increase of 7% compared to Q1 of 2024 (see our blog).

The risk of these breaches is often overlooked, given businesses' focus on cyber risk. However, they are often more harmful to individuals (e.g. the Ministry of Defence’s accidental disclosure of personal data from the Afghanistan Relocations and Assistance Programme) and, as we have seen this year, they can still result in regulatory action and litigation.

Our briefing, which was first published in the November 2025 issue of the Privacy Laws & Business UK report, considers recent learnings from case law, enforcement activity and regulatory guidance, as well as from matters we have advised on. This includes examples of: 

  • misdirected communications and the precautions organisations should take when sending postal or electronic mail (including issues around data accuracy, system design and the appropriate markings to include on postal correspondence, as highlighted by the 2025 Court of Appeal Farley v Paymaster case);
  • accidental oversharing such as when spreadsheets with hidden sensitive data are shared; and
  • misfiling data, which is becoming more problematic with the use of AI, as AI can surface information from an organisation’s systems that should not have been accessible to the AI user. 

In all situations the precautions will need to be appropriate to the risk, so understanding and mapping the relevant data and its sensitivity will also be key. Many of the errors we discuss in the briefing are preventable and have been picked up publicly (if not enforced against) by the ICO. As a result, enforcement action for the same or similar failings is more likely. Our briefing sets out practical tips for organisations to implement to improve day-to-day data governance and compliance, and therefore avoid regulatory action and harm to individuals.
