Officeology says paper records remain an underestimated data protection risk after analysing Information Commissioner’s Office incident data from 2020 to 2025. The document management specialist said 11,141 paperwork-related breaches were reported over that period, with 1,820 incidents recorded in 2025 alone. Of those incidents last year, 330 involved employee data, which the company estimates could have affected up to 28,050 workers.
The study said 41% of paperwork-related breaches in 2025 were reported outside the UK GDPR’s 72-hour reporting deadline, while 39% of employee-data incidents missed that threshold. Officeology found that basic personal identifiers were the most commonly compromised data type, followed by health data. The ICO’s guidance makes clear that personal data breach obligations are technology-neutral, meaning the duties apply whether information is mishandled online or offline.
Adam Butler of Officeology said: “Paper-based processes are inherently more vulnerable to human error.” The analysis also found that formal investigations remain rare, with fewer than 5% of paperwork-related incidents since 2020 leading to a formal ICO investigation, and only one employee-data incident formally investigated in 2025.
Click here to view the full Officeology study.
You must be logged in to post a comment.