Every week the headlines are full of major cyber incidents: ransomware attacks, data leaks and system outages that cost millions and put the individuals whose data is compromised at real risk. Behind many of those headlines lie the same small mistakes that happen in every organisation, every day.

It’s not always the hackers in hoodies breaking in – sometimes, it’s us holding the door open. The quick email, the shared password, the Teams chat that isn’t as private as we think. These habits, not hackers, remain a big threat to data protection.

After years of working with law firms, private organisations and public bodies, I’ve noticed the same patterns again and again. They’re small, well-intentioned and completely human, but they’re also the raw material of Information Commissioner’s Office (ICO) fines and compensation claims.

The “quick email” that isn’t so quick
You mean to copy in the estate agent and you grab the wrong Clare from autocomplete. You forward a thread without trimming it down first. Or you send to “All Staff” when you meant one person in HR.
Fix: Slow down and check every recipient before you send. Trim forwarded threads to what the recipient actually needs. Use “bcc” for group mail so recipients cannot see each other’s addresses. A ten-second pause is cheaper than a compensation claim.

The Teams chat that suddenly becomes evidence
Internal chats feel private, until a client or employee submits a Subject Access Request. That light-hearted message about a “tricky client” or a “nightmare complaint” is now part of their disclosure bundle.
Fix: Keep work chats professional and factual. Ask yourself: would I be happy for this to appear in an SAR pack? If not, think it, don’t type it.

The file-saving free-for-all
It’s easy to dump documents on a shared drive “for later”. Months (or years) on, nobody knows which version is correct, who can access it, or whether it should have been deleted.
Fix: Save to the correct folder in your case-management system, not your desktop. Use version control properly, and delete duplicates when the matter closes.

The borrowed shortcut
Reusing a previous document as a template “because it’s easier” means personal data and metadata often travel with it. I’ve seen firms accidentally send wills and conveyancing files with someone else’s details still hidden in the document properties.
Fix: Start fresh or scrub old documents completely. “Find and replace” only touches the visible body text; it won’t catch tracked changes, comments, headers and footers, or the document properties (author, title, company).
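As an added illustration (not part of the original post), the Python below shows where those leftovers live. A .docx is a zip of XML parts, and find-and-replace only reaches word/document.xml body text; the old name also survives in docProps/core.xml, in tracked deletions, in comments and in headers. The sample file, the names and the matter number are constructed for the example, and the regular-expression handling of the XML is a demonstration of where to look rather than a replacement for a proper document inspector.

```python
"""Audit and scrub hidden personal data in a .docx reused as a template (added example)."""
from __future__ import annotations

import io
import re
import zipfile

CORE, APP, COMMENTS = "docProps/core.xml", "docProps/app.xml", "word/comments.xml"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
BLANK_CORE = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="http://purl.org/dc/elements/1.1/">'
              '<dc:title/><dc:creator/><cp:lastModifiedBy/></cp:coreProperties>')
BLANK_APP = f'<Properties xmlns="{EP_NS}"/>'


def build_sample_docx() -> bytes:
    """Constructed sample, not a real client file: an old will reused as a template.
    The body was find-and-replaced, but the old client's name survives in four other places."""
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        CORE: (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="http://purl.org/dc/elements/1.1/">'
               '<dc:title>Will of Jane Example</dc:title><dc:creator>Jane Example</dc:creator>'
               '<cp:lastModifiedBy>A Solicitor</cp:lastModifiedBy></cp:coreProperties>'),
        APP: f'<Properties xmlns="{EP_NS}"><Company>Example LLP</Company></Properties>',
        "word/document.xml": (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
                              '<w:r><w:t>This is the last will of </w:t></w:r>'
                              '<w:del w:id="1" w:author="A Solicitor"><w:r><w:delText>Jane Example</w:delText></w:r></w:del>'
                              '<w:ins w:id="2" w:author="A Solicitor"><w:r><w:t>[CLIENT NAME]</w:t></w:r></w:ins>'
                              '</w:p></w:body></w:document>'),
        "word/header1.xml": f'<w:hdr xmlns:w="{W_NS}"><w:p><w:r><w:t>Matter 12345 - Jane Example</w:t></w:r></w:p></w:hdr>',
        COMMENTS: (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="A Solicitor">'
                   "<w:p><w:r><w:t>Confirm Jane's date of birth</w:t></w:r></w:p></w:comment></w:comments>"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def _texts(xml: str, tag: str) -> list[str]:
    """Text content of every <tag> element (attributes allowed), ignoring empty ones."""
    return [t for t in re.findall(rf"<{tag}(?:\s[^>]*)?>([^<]*)</{tag}>", xml) if t.strip()]


def audit_docx(docx_bytes: bytes) -> dict[str, list[str]]:
    """Map each XML part to the leftovers it holds in places find-and-replace does not reach."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            xml = z.read(name).decode("utf-8")
            found: list[str] = []
            if name == CORE:
                for tag in ("dc:title", "dc:creator", "cp:lastModifiedBy"):
                    found += [f"{tag}: {v}" for v in _texts(xml, tag)]
            elif name == APP:
                found += [f"Company: {v}" for v in _texts(xml, "Company")]
            elif name == COMMENTS:
                found += [f"comment: {v}" for v in _texts(xml, "w:t")]
            elif re.fullmatch(r"word/(header|footer)\d*\.xml", name):
                found += [f"header/footer: {v}" for v in _texts(xml, "w:t")]
            # Deleted-but-tracked text and revision/comment authors can sit in any part.
            found += [f"tracked deletion: {v}" for v in _texts(xml, "w:delText")]
            found += [f"author: {a}" for a in sorted(set(re.findall(r'w:author="([^"]*)"', xml)))]
            if found:
                findings[name] = found
    return findings


def scrub_docx(docx_bytes: bytes) -> bytes:
    """Blank the property parts, empty the comments, accept insertions and discard deletions.
    Header, footer and body text is substantive content and is left for a human to rewrite."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE:
                data = BLANK_CORE.encode()
            elif item.filename == APP:
                data = BLANK_APP.encode()
            elif item.filename == COMMENTS:
                data = f'<w:comments xmlns:w="{W_NS}"/>'.encode()
            elif item.filename.endswith(".xml"):
                xml = data.decode("utf-8")
                xml = re.sub(r"<w:del\s[^>]*>.*?</w:del>", "", xml, flags=re.S)  # drop deleted runs
                xml = re.sub(r"</?w:ins(?:\s[^>]*)?>", "", xml)  # keep inserted runs, drop the wrapper
                data = xml.encode("utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for part, items in audit_docx(sample).items():
        print(f"{part}: {items}")
    print("after scrub:", audit_docx(scrub_docx(sample)))
```

Run it and the audit of the scrubbed copy still flags the header: “Matter 12345 - Jane Example” is visible text the template author has to rewrite, so the script reports it rather than blanking it. The properties, the tracked deletion and the comment are gone, which is exactly the material a find-and-replace on the body leaves behind.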

The unspoken “I’ll just send it to my Gmail”
When systems feel slow or remote access is clunky, people take shortcuts. Personal email accounts, USB sticks and WhatsApp groups still creep in, especially when staff work from home.
Fix: If you wouldn’t do it in the office, don’t do it remotely. Use corporately-approved tools. If they don’t work, escalate the problem – don’t invent a workaround.

The forgotten closure
We’re brilliant at opening new files, not so good at closing them properly. Uncleared inboxes, leftover drafts and unlabelled archives leave personal data sitting indefinitely.
Fix: Follow the retention schedule. Close, archive, and delete once the purpose is complete. Every unnecessary gigabyte is a liability.

Why these habits matter
Each of these tiny slips erodes accountability. They make Data Protection Impact Assessments (DPIAs) harder, SARs slower, and breaches more likely. Data protection isn’t about fear of fines, it’s about professionalism. Clients, residents, employees – they all trust us with their private lives. Protecting that trust starts with habits, not policies.

Final thought
The next time you hit “Send”, upload to Teams, or grab a document template, pause for two seconds and ask: would I be comfortable explaining this to the ICO? If the answer’s yes, you’re probably fine. If the answer’s no, that two-second pause just saved you a breach.
