Summary
- A personal data breach occurs when personal data is lost, altered, or accessed without authorisation. Businesses must act quickly to assess the breach and determine whether it needs to be reported.
- As a data controller, you must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
- You must also tell affected individuals, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms, and you must keep a record of every breach, whether or not you report it.
- LegalVision’s data privacy lawyers specialise in advising businesses on data protection compliance, including how to respond to data breaches and meet UK GDPR obligations.
Tips for Businesses
It is crucial to have a clear data breach response plan in place. This should include a process for quickly containing the breach, assessing its impact, notifying the ICO and affected individuals if required, and documenting all actions. Regularly review and update your plan to ensure your business can respond quickly to any breach and comply with data protection laws. Early legal advice can help ensure you meet your obligations and avoid penalties.
Data breaches can affect any business that handles personal data. As your reliance on digital systems increases, so does the risk of cyberattacks, human error and data loss. Even a simple mistake, such as sending personal data to the wrong recipient, can expose your business to legal, financial and reputational consequences. This article will explore key strategies for how your business can understand, manage and respond to a personal data breach.
What is a Personal Data Breach?
A personal data breach occurs where a breach of security leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data, or to unauthorised access to it.
This covers both deliberate and accidental incidents, and it is not limited to data leaving your organisation. For example, a breach may arise if you send an email to the wrong person, lose an unencrypted laptop or phone containing client data, or experience a cyberattack that exposes information. A ransomware attack that encrypts your records and leaves you unable to access them is also a breach, because the data has been lost to you even if nobody else has read it.
What Are Your Legal Responsibilities?
Your obligations depend on whether you act as a data controller or a data processor.
| Data Controller | Data Processor |
| --- | --- |
| If you are a controller, you decide how and why personal data is processed. You must investigate the breach and determine whether it is reportable. Where required, you must notify the Information Commissioner’s Office (ICO) and affected individuals. | If you are a processor, you act on behalf of a controller. You must notify the controller without undue delay after becoming aware of a breach. Your contract may require you to notify within strict timeframes, and failing to meet these can result in a breach of contract. |
When Must You Notify the ICO?
If you are a controller, you must notify the ICO of every breach unless it is unlikely to result in a risk to individuals’ rights and freedoms. If you decide not to report, you must be able to justify that decision and record it.
You must notify within 72 hours of becoming aware of the breach. You are “aware” once you have a reasonable degree of certainty that a security incident has compromised personal data, even if your investigation is still ongoing. The clock runs in calendar hours, so weekends and bank holidays do not pause it. If you cannot provide all the required information within 72 hours, you may provide it in phases without undue further delay, and if you notify late you must give the ICO the reasons for the delay.
When Must You Notify Affected Individuals?
You must notify affected individuals, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the one for notifying the ICO, so some breaches must be reported to the ICO but not to individuals.
Your communication must describe, in clear and plain language, the nature of the breach, the likely consequences for the individual, the measures you have taken or propose to take, and the steps individuals can take to protect themselves, together with a contact point (such as your data protection officer) for further information.
You do not have to notify individuals if the affected data was protected in a way that makes it unintelligible to anyone who obtained it (for example, strong encryption with keys that were not compromised), or if you have since taken measures that mean the high risk is no longer likely to materialise. Where contacting each individual would involve disproportionate effort, you must instead make a public communication that is equally effective.
How Should You Respond to a Data Breach?
You must act immediately to contain the breach and prevent further unauthorised access or disclosure. You must then assess the breach by identifying the data involved, the number of individuals affected and the likelihood of harm.
If the breach meets the reporting threshold, you must notify the ICO within 72 hours and, where the high-risk threshold is met, affected individuals without undue delay. Whether or not you report, you must record the facts of the breach, its effects and the remedial action you took, together with your risk assessment and the reasons for your decisions. The ICO can ask to see this record, so it should be detailed enough to show how you reached your conclusions.
Why Do You Need a Data Breach Response Plan?
A documented response plan allows you to act quickly and consistently.
It should allocate responsibility, set escalation procedures and outline how you communicate with regulators and affected individuals. Without a plan, you increase the risk of delayed reporting and non-compliance.
Key Takeaways
You must assess every personal data breach quickly and determine whether it is reportable under UK GDPR. If you are a controller and the breach creates a risk to individuals, you must notify the ICO within 72 hours and notify affected individuals where there is a high risk. You must document all breaches, including those that are not reported. A clear response plan and early legal advice will help you meet your obligations and reduce risk.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Why does my business need a data breach response plan?
A robust and comprehensive data breach plan can help your business respond quickly when an incident occurs. It can set out who takes responsibility, how to assess the breach and how to communicate with the ICO and affected individuals where necessary.
Do data processors need to report data breaches?
Yes, but processors report breaches differently from controllers. If you are a processor and experience a personal data breach, you must inform the controller without undue delay after becoming aware of it. The controller then determines whether the breach must be reported to the ICO or to the affected individuals. Your contract with the relevant controller may specify stricter timelines, so you should review it carefully and ensure your procedures allow you to meet those deadlines.