An independent review found that the breach was a result of multiple factors and highlighted the organization’s lack of a data protection strategy. It also noted that the PSNI had not fully implemented the 2018 Data Protection Act.