Your receptionist is your biggest GDPR security gap — and it's not her fault
Data protection authorities across Europe are warning that the rise in reported data breaches is driven by employees opening phishing emails. Not the IT systems. Not hackers alone. People — without training, without experience, without knowing what to look for. It's not their fault. It's your responsibility as a clinic owner.
Why the receptionist is the primary target
Cybercriminals know that the receptionist is the person in the clinic who handles the most emails from unknown senders, has access to booking and patient record systems, and typically has the least IT experience of any staff member. It's not because she's careless — it's because she was never shown what to look for.
The 5 signs of a phishing email
Phishing emails are engineered to exploit urgency and authority. They look like they come from your patient system, Microsoft, or your national digital ID service. Train your staff on these 5 signs:
- The sender address doesn't match — a sender such as "support@nhs-verify.com" instead of an address on nhs.net
- Urgency — "within 24 hours", "your account will be closed", "immediate action required"
- The link goes somewhere else — hover over the link and check the URL before clicking
- Login credentials are requested — no legitimate service asks for your password by email
- Something feels off — train staff to trust that feeling and ask a colleague
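The first four signs are mechanical enough to check before a message ever reaches the front desk. The script below is an added example, not SikkerKlinik's code: it models an inbound message as sender, subject, body and a list of (visible link text, real href) pairs, and reports which of the signs the message triggers. The trusted domain `nhs.net`, the sample messages, and the urgency and credential phrase lists are all constructed for the example; sign 5, the reader's own unease, is a human judgement and is deliberately not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Wording typical of the pressure tactics in sign 2 (constructed list; extend per clinic).
URGENCY_PHRASES = (
    "within 24 hours", "account will be closed", "immediate action required",
    "act now", "verify immediately", "suspended",
)
# Wording that asks the reader to hand over a secret (sign 4).
CREDENTIAL_PHRASES = ("your password", "login details", "enter your credentials")


@dataclass
class Email:
    """Minimal model of an inbound message. Links are (visible text, real href) pairs,
    which is exactly what the 'hover over the link' check compares."""
    sender: str
    subject: str
    body: str
    links: List[Tuple[str, str]] = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Lower-cased domain of an address such as 'NHS Support <support@nhs-verify.com>'."""
    match = re.search(r"[\w.+-]+@([\w.-]+)", address)
    return match.group(1).lower() if match else ""


def belongs_to(domain: str, trusted: str) -> bool:
    """True when domain is the trusted domain itself or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def impersonates(text: str, trusted: str) -> bool:
    """True when the brand label of a trusted domain ('nhs' for nhs.net) appears in
    text as a separate token, e.g. in 'nhs-verify.com' or 'NHS Support'."""
    label = re.escape(trusted.split(".")[0])
    return re.search(rf"(?<![a-z0-9]){label}(?![a-z0-9])", text.lower()) is not None


def host_of(url: str) -> str:
    """Hostname of a URL; bare forms like 'nhs.net/login' are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def phishing_signs(mail: Email, trusted_domains=("nhs.net",)) -> List[str]:
    """Return the signs (1 to 4 from the list above) that the message triggers."""
    findings = []
    domain = sender_domain(mail.sender)

    # Sign 1: the address claims a trusted brand but is not that brand's domain.
    for trusted in trusted_domains:
        if not belongs_to(domain, trusted) and impersonates(mail.sender, trusted):
            findings.append(f"sender claims to be {trusted} but was sent from {domain}")

    # Sign 2: pressure wording in subject or body.
    text = f"{mail.subject} {mail.body}".lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency language")

    # Sign 3: the link text shows one host while the real href goes to another,
    # or the real href is a look-alike of a trusted domain.
    for visible, href in mail.links:
        shown = host_of(visible) if ("." in visible and " " not in visible.strip()) else ""
        target = host_of(href)
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        else:
            for trusted in trusted_domains:
                if not belongs_to(target, trusted) and impersonates(target, trusted):
                    findings.append(f"link goes to look-alike host {target}")

    # Sign 4: the message asks for a password or other secret.
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        findings.append("asks for login credentials")
    return findings


# Constructed sample messages (not real mail): one phishing attempt, one routine notice.
PHISH = Email(
    sender="NHS Support <support@nhs-verify.com>",
    subject="Immediate action required: your account will be closed within 24 hours",
    body="Please confirm your password at the link below.",
    links=[("https://nhs.net/login", "https://nhs-verify.com/login")],
)
LEGIT = Email(
    sender="Booking System <noreply@mail.nhs.net>",
    subject="Appointment reminder",
    body="Your patient is booked for Tuesday at 10:00.",
    links=[("View appointment", "https://mail.nhs.net/appointments")],
)

if __name__ == "__main__":
    for name, mail in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phishing_signs(mail))
```

Running the script lists four findings for the constructed phishing message and none for the routine notice. A checker like this is a training aid and a first filter, not a replacement for the "ask a colleague" habit: phrase lists are easy to evade, which is why sign 5 stays with the human reading the mail.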
Under GDPR Article 32, you are required to implement appropriate technical and organisational measures to protect personal data — including training staff. "Organisational measures" explicitly includes staff awareness training, and that training must be documented.
It's the clinic's responsibility — not the staff's
GDPR is clear: the data controller — you as clinic owner — has an obligation to ensure staff are trained and that the training is documented. Sending an email saying "remember GDPR" is not sufficient. You need to be able to prove who was trained, what they were trained on, and when.
Can you prove your staff are trained?
SikkerKlinik trains your clinic team on GDPR and phishing — and documents it automatically. Free for clinics with up to 5 staff.
Start free — no card required →