10 Common GDPR Mistakes UK Employees Make (And How to Avoid Them)
Henry Dawson
Jun 16, 2026
11 min read

The GDPR mistakes employees make are often simple, everyday errors rather than deliberate misuse of personal data. A staff member sends an email to the wrong customer. A manager keeps old employee records “just in case”. A receptionist discusses personal details where others can hear. An employee clicks a phishing link and exposes account credentials.

For HR managers, Learning and Development (L&D) professionals and office managers, these risks matter because employees are often the first line of defence in data protection. Policies and systems are important, but they only work when staff understand what personal data is, how to handle it safely, and when to report a concern.

This guide explains ten common GDPR errors UK employees make, the consequences for organisations, and the practical steps that help prevent them. If you need the legal foundation first, read our UK GDPR guide, which explains the UK GDPR framework, principles and compliance duties. For the wider training context, see our employee GDPR training overview.

Why Employee GDPR Mistakes Are So Costly

Employee data-handling errors in UK organisations can lead to personal data breaches, complaints, operational disruption and reputational damage. A breach does not have to involve hackers. It can happen when personal data is lost, sent to the wrong person, accessed without permission, altered incorrectly or disclosed accidentally.

Under UK GDPR, organisations must protect personal data and demonstrate accountability. This means they need suitable policies, technical controls, staff training and evidence that data protection risks are being managed.

The Information Commissioner’s Office (ICO) has repeatedly highlighted avoidable workplace errors in guidance and enforcement materials. Examples include misdirected emails, poor breach reporting, hidden data in spreadsheets, insufficient staff guidance and weak organisational controls.

The cost is not only regulatory. A data protection mistake can result in:

  • distressed employees or customers;
  • internal investigations;
  • complaint handling;
  • lost trust;
  • client or supplier concerns;
  • legal advice costs;
  • operational disruption;
  • ICO reporting and follow-up;
  • retraining and process redesign.

The good news is that many mistakes can be reduced with practical awareness training, clear procedures and better workplace habits.

Mistake 1 — Sending Personal Data to the Wrong Person

One of the most common data protection mistakes at work is sending personal data to the wrong recipient. This often happens because of email autofill, similar names, rushed working or copying too many people into a message.

Scenario: An HR assistant sends a sickness absence report to the wrong manager. The report includes names, dates of absence and health-related notes.

Consequence: This may be a personal data breach. Because health information can be special category data, the risk to the employee may be higher. The organisation may need to assess whether the breach should be reported to the ICO and whether the affected employee should be informed.

Prevention tip: Staff should check recipients before sending, avoid unnecessary attachments, use secure links where appropriate, and turn off or carefully manage email autofill for sensitive communications.

Training helps staff recognise that “just an email mistake” can still be a reportable breach. An online data protection course can help employees understand safe email handling and breach escalation.

Mistake 2 — Using Personal Email for Work Data

Employees sometimes use personal email accounts to send work files because it feels convenient, especially when working remotely. This creates security, access control and accountability risks.

Scenario: A manager emails a spreadsheet of employee shift patterns to their personal Gmail account so they can work on it at home.

Consequence: The organisation may lose control over where the data is stored, who can access it, and whether it is deleted properly. If the personal account is compromised, employee data may be exposed.

Prevention tip: Staff should use approved work systems only. Remote access should be provided through secure, authorised platforms, not personal email or consumer file-sharing tools.

Organisations should make the approved process easy to follow. If staff rely on personal email because work systems are difficult to use, the process itself needs review.

Mistake 3 — Weak or Shared Passwords

Weak or shared passwords remain a major workplace risk. Passwords protect access to customer systems, HR platforms, payroll tools, email accounts and shared drives.

Scenario: A small office shares one login for a customer database because it is “simpler”. When an account is misused, no one can tell who accessed the records.

Consequence: Shared passwords weaken accountability and increase the chance of unauthorised access. If a password is guessed, reused or exposed through phishing, attackers may access personal data.

Prevention tip: Each user should have their own account, strong passwords and multi-factor authentication where possible. Access should be removed when staff leave or change roles.

Password training should cover more than complexity rules. Staff need to understand why reuse, sharing and writing passwords on sticky notes can expose personal data.

Mistake 4 — Not Recognising a Subject Access Request

A subject access request (SAR) does not need to mention UK GDPR. Employees may miss requests because they arrive through ordinary channels such as email, phone, social media or live chat.

Scenario: A former employee emails their line manager saying, “Please send me all emails and notes you hold about me.” The manager treats it as a complaint rather than a SAR and does not escalate it.

Consequence: The organisation may miss the one-month response deadline. Delayed or incomplete responses can lead to complaints to the ICO and loss of trust.

Prevention tip: Staff should be trained to recognise requests for personal data and escalate them immediately. A simple internal phrase such as “personal data request” can help route requests quickly.

For a full explanation of SARs and other rights, read our data subject rights guide. Practical GDPR awareness training can also help frontline teams identify rights requests before deadlines are missed.

Mistake 5 — Sharing Data Without Checking Lawful Basis

Employees may share personal data because another department, supplier or partner asks for it. However, personal data should only be shared where there is a lawful basis and a clear purpose.

Scenario: A sales employee shares a customer list with a partner organisation for a joint campaign without checking whether customers were told about this use or whether a lawful basis applies.

Consequence: The organisation may breach transparency, purpose limitation and lawful basis requirements. Customers may complain if they receive unexpected communications from another organisation.

Prevention tip: Staff should pause before sharing personal data and ask: Why is this being shared? Is it necessary? Has the person been told? Is there a contract or data sharing arrangement in place?

This is where the UK GDPR principles matter. For more detail, read our guide, Data Protection Principles Explained.

Mistake 6 — Keeping Data Longer Than Necessary

Many organisations keep personal data for too long because no one owns deletion. Old files build up in inboxes, shared drives, filing cabinets, spreadsheets and archived systems.

Scenario: An office manager keeps unsuccessful job applications for several years because “they may be useful later”.

Consequence: Keeping unnecessary personal data increases risk. If the files are breached, the organisation may struggle to justify why they still held the information.

Prevention tip: Use a retention schedule. Staff should know how long different types of records are kept and when they should be deleted, anonymised or archived securely.

Storage limitation is not about deleting everything quickly. Some records must be kept for legal, tax, safeguarding or employment reasons. The key is having a clear reason and applying it consistently.

Mistake 7 — Failing to Report a Data Breach

Employees may fail to report a breach because they feel embarrassed, hope it will go away, or do not realise the incident counts as a breach.

Scenario: A staff member sends a customer file to the wrong email address. They ask the recipient to delete it but do not tell their manager or the data protection lead.

Consequence: The organisation loses valuable time. If the breach meets the reporting threshold, UK GDPR requires reporting to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.

Prevention tip: Staff should report suspected breaches immediately, even if they are unsure. The organisation can then assess the risk, log the incident and decide whether ICO notification is required.

Training should make clear that reporting a mistake quickly is better than hiding it. A no-blame reporting culture helps organisations respond faster and reduce harm.

Mistake 8 — Clicking on Phishing Emails

Phishing remains a major workplace risk because attackers rely on human behaviour. A phishing email may trick staff into clicking a link, opening a malicious attachment, entering login details or transferring money.

Scenario: An employee receives an email that appears to come from Microsoft asking them to “verify” their account. They click the link and enter their password.

Consequence: Attackers may gain access to email accounts, shared drives or business systems containing personal data. This can lead to data theft, ransomware, fraud or wider cyber compromise.

Prevention tip: Staff should be trained to check sender addresses, links, urgency cues, unexpected attachments and unusual requests. Multi-factor authentication and security monitoring also help reduce risk.

Phishing awareness should be part of wider data protection training because cyber incidents can quickly become personal data breaches. For broader compliance training, explore GDPR Essentials for UK Businesses.

Mistake 9 — Printing and Leaving Documents Unsecured

Paper records still create GDPR risks. Printed documents may contain HR records, customer details, payroll information, patient information, invoices or meeting notes.

Scenario: A manager prints disciplinary notes and leaves them on a shared printer. Another employee sees the document before it is collected.

Consequence: Confidential employee information may be disclosed to someone who has no need to see it. If the data is sensitive, the risk may be more serious.

Prevention tip: Staff should use secure print settings, collect documents immediately, lock away paper files and dispose of records using confidential waste. Desks, meeting rooms and reception areas should be checked for exposed personal data.

A clean desk habit may feel basic, but it is an important organisational measure. It reduces accidental disclosure and supports a more privacy-aware workplace.

Mistake 10 — Using Personal Devices Without Approval

Bring-your-own-device habits can create problems if staff use personal phones, laptops or tablets to access or store work data without approval.

Scenario: An employee downloads customer contact details to a personal laptop before a sales event. The laptop is later lost.

Consequence: The organisation may not know whether the device was encrypted, password-protected or remotely wipeable. If personal data is exposed, the organisation may need to investigate and possibly report the breach.

Prevention tip: Organisations should have clear rules for device use. Staff should only use approved devices and systems, and personal data should not be stored locally unless authorised and protected.

Remote and hybrid work make this especially important in 2026. Staff need simple instructions on what they can access, where they can save files, and what to do if a device is lost or stolen.

How Training Prevents These Mistakes

Training reduces GDPR mistakes by helping staff recognise risk before it becomes a breach. Employees do not need to become data protection lawyers, but they do need to understand the practical rules for their role.

Effective training should cover:

  • what personal data is;
  • special category data;
  • safe email handling;
  • passwords and phishing;
  • subject access requests;
  • lawful basis and data sharing;
  • retention and deletion;
  • breach reporting;
  • secure printing;
  • approved devices and systems;
  • internal escalation routes.

Training should be practical and scenario-based. Staff learn better when examples reflect their real work, such as handling customer calls, sending HR emails, working from home, using spreadsheets or responding to requests.

It should also be refreshed regularly. New starters need induction training, and existing staff should receive refresher training at appropriate intervals. Higher-risk teams may need additional role-specific training.

Training records also support accountability. They help show that the organisation has taken reasonable steps to inform staff of their responsibilities. This matters if something goes wrong and the organisation needs to explain what controls were in place.

For HR managers and L&D teams, a structured course is often easier to manage than informal reminders. Our data protection training for employees helps staff understand common GDPR risks and how to avoid them in everyday work.

FAQs

What is the most common cause of a data breach in the UK?

There is no single cause that applies to every organisation, but many breaches involve human error, phishing, misdirected emails, weak access controls or poor procedures. ICO guidance regularly highlights everyday mistakes such as sending data to the wrong person, failing to act quickly after a breach, and poor staff awareness.

How quickly must a data breach be reported to the ICO?

If a personal data breach meets the threshold for reporting, it must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Not every breach is reportable, but every suspected breach should be logged and assessed promptly.

What should an employee do if they suspect a data breach?

An employee should report the incident immediately using the organisation’s internal process. They should not try to hide the mistake, delete evidence or handle it alone, because the organisation needs to assess risk and decide what action is required.

Is it a data breach if I send an email to the wrong person?

It can be. If the email contains personal data and it is sent to someone who should not receive it, this may be a personal data breach. The organisation should act quickly, try to contain the issue, log the incident and assess whether it needs to be reported.

How can training reduce GDPR mistakes?

Training helps employees recognise personal data, avoid risky behaviour, report breaches quickly and follow internal procedures. It also supports accountability by giving the organisation evidence that staff have been informed of their responsibilities.

Help your team avoid costly mistakes — explore our Data Protection Essentials for All Employees course and give staff the practical skills to handle personal data safely.
