Skip to content

What Steps Should My Company Take Following a Data Protection Breach at Work in the UK? 

Table of Contents

Suffering a data protection breach is every business owner’s nightmare. First and foremost, there is a possibility of cyber criminals accessing sensitive information. In most scenarios, you must inform the Information Commissioner’s Office (ICO) of the breach. Being proactive after a data breach is an excellent first step in minimising damage. Additionally, it may minimise any penalties you may receive from the ICO. This article will look at some helpful steps your company could take following any data protection breach.

What is a Data Protection Breach?

The ICO defines a personal data breach as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.

Put more broadly, if an unauthorised user has accessed personal information and stolen, distributed or destroyed that data, it is very likely to constitute a personal data breach. This is the case whether that individual is internal (say, a staff member) or external (a cybercriminal).

Accidental loss of information or human error can also constitute a personal data breach. For example, if an employee accidentally deletes a folder full of data or a hard drive fails.

Your business should try to avoid data breaches for several reasons. Firstly, the misuse of your information can cause problems for your business, including damaging your reputation and the potential theft of vital data. Furthermore, the ICO have the power to impose a fine of up to £17.5 million for breaches of data protection law.

1. Follow a Data Breach Action Plan

A data breach action plan details the actions your company needs to consider after suffering a data breach. Many business owners ask a lawyer or data protection officer to draft this plan.

These plans usually cover data breaches relate to:

  • sensitive information which, if lost or stolen, may cause financial loss to your organisation, including trade secrets, intellectual property (IP) and confidential information; and
  • information classified as ‘personal data’ under the General Data Protection Regulation (UK GDPR), including ‘personally identifiable information’ that can identify individuals.

Regardless of the type of information that has been lost or stolen, your data breach action plan is likely to contain some of the following steps:

  • determine the nature and extent of the breach (for example, whether it was due to an external cyber attack or internal error);
  • take swift and sensible steps to limit the damage caused by the breach;
  • calculate the potential harm to individuals and whether it is appropriate to notify them of the breach;
  • decide on remedial action to guard against the same type of breach happening again (which could include staff training and increasing your cyber defences); and
  • conclude whether your organisation should notify the ICO of the breach.
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. Consider Self-Referral to ICO

As per above, most data breach action plans include determining whether to report the breach to the ICO.

Suppose the breach results in a likely risk to people’s rights and freedoms. This means their information is in someone else’s hands and may result in unlawful activity, such as identity theft. If this is the case, your company should refer itself within 72 hours.

However, you do not have to report every breach to the ICO. For this purpose, the ICO provides a self-assessment test on their website. At the end of the test, the website will advise you on whether your organisation should or should not report a breach.

3. Learn Future Lessons and Improve Data Security

Cybercriminals are increasingly targeting businesses in England.  Most cybercriminals do so intentionally due to the value of the customer and employee information held by companies.

It is becoming increasingly essential that businesses guard against the two primary forms of cyber attacks: 

  • ransomware attacks; and 
  • data breaches. 

In summary, the first type occurs when a hacker locks you out of your information and demands a ransom. The second involves cybercriminals stealing data for unlawful purposes, such as identity theft.

In the event your business suffers a data protection breach, you might:

  • carry out annual cyber security audits;
  • immediately instal updates to computer systems, software and operating systems;
  • train staff in cybersecurity and data protection matters and provide refresher courses; and
  • ensure regular use of strong passwords and two-factor authentication (requiring a second device to grant access after any password entry).

Key Takeaways

It is more important than ever to take proactive measures to guard against a personal data breach and to show your initial actions should one ever occur. This is because businesses face a high risk of cyber attacks and of receiving a fine from the ICO if personal or sensitive data ends up in the wrong hands. Overall, your company should aim to respond quickly and effectively to any suspected data breach and prioritise minimising any damage.

If you need help taking appropriate action following a data protection breach, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why do the ICO punish organisations that suffer cyber intrusion? 

The ICO punish organisations that put individuals’ personal data at risk. Therefore, if your organisation has weak system security and this allows access to unauthorised users, the ICO is likely to take a dim view regarding financial penalties.

Why does the ICO place such a high value on personal details?

Because the purpose of the ICO (and the GDPR and Data Protection Act) is to ensure that organisations in England guard against the loss of private information. This is because the loss or theft of personal data can have severe consequences, such as identity theft

Register for our free webinars

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards