Should My Company in the UK Create a Data Breach Action Plan?

In Short

  • A data breach can harm your business’s reputation and finances.
  • Having an action plan helps minimise damage and respond quickly.
  • Legal and regulatory compliance is crucial after a breach.

Tips for Businesses

Prepare for potential data breaches by implementing a clear action plan. Ensure your team understands their roles and responsibilities during a breach. Regularly update your security measures and ensure compliance with the latest data protection regulations to avoid fines and damage to your business’s reputation.

As a business owner, it is essential to have quick access to vital information, which often means storing personal details and other sensitive information in digital form. However, storing information this way can increase the chance of a cyber attack on your company. Such a breach could cause considerable damage to your company and may result in a hefty fine from the Information Commissioner’s Office (ICO). To ensure your business handles personal data safely and effectively, implementing a data breach action plan can be valuable. This article explores the benefits of a plan and how it can protect your business from a data breach.

Data Breach Action Plan

A data breach action plan sets out your company’s initial response in the event of a data breach. A data breach can cover the:

  • after-effects of a cyber attack; or
  • innocent loss of information, such as from a fire or a piece of computer equipment failing.

Most business owners put a plan in place through a specialist lawyer, IT security expert or Data Protection Officer.

Most plans will focus on the first steps after losing particular types of data, which can include physical and digital information. A plan is usually flexible, meaning the stages will likely be different concerning, for example, the theft of physical documents compared to the loss of digital data due to a corrupted hard drive.

Plans usually cover data breaches relating to two main types of information:

  1. sensitive data which could damage your company if lost or stolen, such as intellectual property (IP) or trade secrets; and
  2. information classified as ‘personal data’ under the General Data Protection Regulation (GDPR), which includes ‘personally identifiable information’, such as home addresses or mobile phone numbers.

Information in a Data Breach Action Plan

While all data breach action plans will differ according to the needs of the business and the types of information involved, the majority will cover several important steps your business should take: 

  1. identify if a data breach has occurred;
  2. decide whether the breach is due to a cyber attack or unauthorised access;
  3. take appropriate steps to contain the spread of personal information and customer data as far as possible;
  4. estimate the potential harm caused to individuals and notify those individuals of what has happened;
  5. discover the cause of the data breach and take appropriate action to prevent a future repeat;
  6. consider extra steps in the event of theft or unauthorised access; and 
  7. decide whether it is a legal requirement for your company to notify the ICO (which is likely if the breach is likely to cause harm to individuals).

Why Have a Data Breach Action Plan?

You should have a data breach action plan for two main reasons. The first is because cyberattacks on organisations in England are becoming more complex and frequent, so businesses like yours need to take proactive steps to guard against them. Having a plan to refer to immediately is a good way of dealing with a data breach and avoiding making circumstances worse. It is often vital to take appropriate action as soon as possible following a cyber breach.

The second reason is that any cyber attack or severe data loss will likely constitute a ‘personal data breach’ under the UK GDPR. Good GDPR compliance requires your organisation to self-refer to the ICO within 72 hours of the breach. Failure to do this could result in a fine of up to £17.5m from the ICO.

Key Takeaways

The risk of a data breach for companies is significant in England. If your business faces a data breach, you must deal with it promptly and lawfully. This includes personal and other sensitive data, such as intellectual property. A data breach action plan can help you do this. It may assist you, for example, in understanding what the data breach is and the damage it could have caused.

If you need help creating or updating a data breach action plan, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is a data breach action plan?

A data breach action plan details the steps your company may need to take if it faces a data breach.

What data breach can a data breach action plan cover?

A plan typically covers data breaches concerning personal and sensitive data and the appropriate steps your business should take.

Thomas Sutherland