When people think about data protection incidents, they tend to picture something dramatic - a cyber attack, a system being hacked, or a ransomware demand making headlines.
But that isn’t what most data protection incidents actually look like.
According to the ICO’s Data Security Trends report, the majority of reported incidents are far more ordinary. They happen in the flow of day-to-day work, and usually without any malicious intent.
They’re consistent, repeatable patterns, and that’s exactly why they matter. Because if incidents are predictable, they’re also preventable.
In this blog, we’ll be looking at:
Looking at the ICO’s Data Security Trends report for 2025, the most common incident types include:
What really stands out here isn’t just the volume, it’s the nature of these incidents.
None of them rely on advanced technical exploits or sophisticated attacks. Instead, they all have one clear thing in common: they come down to user behaviour.
And more importantly, they’re all avoidable with clear, consistent training.
Not every reported incident leads to enforcement. But the ones the ICO does investigate tell you something important - what actually matters from a regulatory perspective.
They’re not just looking at what happens most often, they’re looking at what creates real risk.
When you look at the cases pursued, a few categories come up repeatedly:
At first glance, this might look slightly different from the most common incidents. But when you step back, the same themes are still there.
Unauthorised access and failure to redact sit firmly in both lists. Even phishing and malware, while more technical on the surface, still rely heavily on human behaviour - someone clicking, downloading, or trusting something they shouldn’t.
And it all comes back to how data is handled day to day: who has access to it, and whether people recognise risk in the moment.
It would be easy to put these incidents down to carelessness, but that’s not really what’s going on.
Most teams are moving quickly, juggling priorities, and handling more data than ever. In that environment, mistakes aren’t surprising; they’re inevitable without something in place to guide better decisions.
And without that awareness, the same incidents happen again and again, regardless of how many policies or tools are in place.
When you look at the types of incidents being reported and investigated, prevention doesn’t need to be complicated. It comes down to getting the basics right, consistently.
For each of the most common issues, there are clear, practical ways to reduce risk:
People are always going to make mistakes; that’s inevitable. But a large proportion of these incidents can be avoided when people know what to look for and what to do in the moment.
That’s where training makes the difference.
For it to actually work, training needs to be:
Without that, it becomes a tick-box exercise - completed, but not applied.
And if your organisation processes personal data, this goes beyond best practice. Under the GDPR, you’re expected to put appropriate measures in place to protect that data, including ensuring staff are properly trained and aware of their responsibilities.
At Trust Keith, our training is designed around how incidents actually happen, so teams don’t just complete it, they apply it.