A spam call is a warning sign

Have you ever received four or five calls from unknown numbers in one day? More and more often, people tell me that they no longer pick up calls from numbers they don’t recognise, because too often the caller is trying to sell them something or scam them. But every now and then, curiosity gets the better of us, and we pick up.

When we do, it’s not uncommon to hear someone using our full name, claiming to be from a company we actually recognise, maybe even one we’re a client of. At first glance, it all sounds legitimate. But something doesn’t feel right. The caller avoids giving a straight answer when asked for identification, or pushes for sensitive information. So we hang up. And later, after a quick online search, we see that hundreds of people have received similar calls, often from the same numbers, and the whole thing turns out to be a well-disguised phishing attempt.

What makes this scenario even more troubling is that it suggests a possible data breach: someone out there may have gained unauthorised access to client data from a legitimate company.

Written by Abigail Sked

Paralegal

 

The consequences of security breaches go beyond mere annoyance.

This isn't about naming names. This is about the broader issue: the client experience in the wake of a breach. When your data (your name, phone number, perhaps even more) is accessed by someone who shouldn’t have it, it makes us question who we can trust. It’s not just about the inconvenience of spam calls; it’s about the real risk of fraud and identity theft.

And if you run a business and your clients are telling you that they are receiving calls from someone pretending to be you, you need to consider whether you’ve been the victim of a data breach.

Unfortunately, many companies still treat data protection as a box-ticking exercise. Draft a privacy policy, publish it online, and move on. But true personal data security goes far beyond that. It means actively implementing best practices, training staff, updating systems, and regularly assessing vulnerabilities. Failure to do so can leave a company (and its clients) wide open to serious consequences.

It's better for everyone, businesses and customers, that we live in a society where businesses can be trusted, and businesses have a role to play in achieving this.

Complying with the GDPR: It’s About More Than Just Uploading a Privacy Policy to Your Website

 

For customers, the aftermath of a breach often prompts the same question: 

Can I still trust this company?

If they let this happen once, what’s stopping it from happening again?

From the client’s perspective, a breach can mean hacked bank accounts, compromised emails, or, in more sensitive cases, exposure of medical, sexual, or criminal records. The personal fallout can be life-changing. But the fallout for companies is also steep: financial losses, regulatory fines, and long-term reputational damage. Just ask 23andMe, whose market value nosedived after a major data breach in 2023.

Lessons from 23andMe: How to Protect Your Business from Personal Data Breaches

 

And let's be clear: data breaches can’t just be brushed under the carpet

Under the General Data Protection Regulation (GDPR), if a breach poses a risk to individuals' rights and freedoms, the Data Protection Agency must be notified, and if that risk is high, the affected individuals must be informed as well.

That’s why companies are legally obligated to assess the risks they face in handling personal data. This includes understanding the nature of the data they process and the methods they use, and putting the appropriate technical and organisational measures in place to keep that data secure.

 

Call to action for both companies and customers:

For companies:

Review your security protocols and privacy policies today. That includes staff training, internal processes, and third-party vendor risk assessments. Your reputation and your clients’ trust depend on it.

For clients (and we're all clients):

Stay alert. Fraudsters are getting smarter. Learn how to spot a suspicious call or message. The Spanish National Institute for Cybersecurity (INCIBE) offers useful resources (in Spanish) to help you identify and report these threats and provides the following tips:

  • Don't blindly trust caller ID
  • Never share sensitive information over the phone
  • Be wary of urgent requests
  • Enable two-factor authentication
  • Use apps which block suspicious callers
  • Be wary of unexpected offers or prizes

If you have been affected by a fraud or cybercrime attempt, you can report it to INCIBE here: Report fraud

If you are being harassed by telephone sales calls, you can file a complaint with the Spanish Data Protection Agency (AEPD) here: I receive advertising phone calls

 

Contact us

If you have a business and are looking to shore up your data protection practices, our team is here to help. We'd be happy to support you in protecting your business and ensuring your compliance with Spanish and European data protection legislation.

Check out our data protection services:

Data Protection: Compliance Services for Businesses in Spain

Date published: 29 May 2025

Last updated: 30 May 2025