Data Breach Guidance Notes
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
A personal data breach can have a significant impact on a business and on
the individuals whose data has been compromised. A data breach occurs when
personal data is unlawfully destroyed, lost, altered, disclosed, or
accessed. Data breaches can be accidental or deliberate, but in either
case, identifying them quickly, reporting them if necessary, and dealing
with the impact effectively is essential.
Data breaches can take many forms. Common examples include hacking and the
loss of computer equipment and mobile devices containing personal data.
These Data Breach Guidance Notes have been created to help you understand
what a data breach is, how to spot one, how to deal with it, and how to
comply with your obligations under the UK's data protection legislation (including the UK GDPR and Data Protection Act 2018) which – depending on the
severity of the breach – can include notifying the Information
Commissioner’s Office and the individual data subjects whose data has been
Ideally, your organisation should have technical and organisational
measures in place to prevent data breaches from occurring; however, even
the best security can be compromised, not least electronically, since
those trying to defeat the technology are just as capable as those who
developed it in the first place. It is vital, therefore, to be prepared to
deal with a data breach should one occur.
Steps should be quickly taken to mitigate the damage caused by the breach.
If it is severe enough to be reported, this should be done quickly, within
the time limit set by the law. The breach should also be carefully
investigated. Risks must be considered fully, focusing on the potential
impact of the breach on the individuals involved. Data breaches should also
be treated as a learning experience, with new protective measures being
implemented where necessary to avoid the same thing happening again.
These Data Breach Guidance Notes contain the following sections:
Part 1. Recognising a Personal Data Breach
Part 2. Assessing Risk & Notifying the ICO
Part 3. Notifying Individual Data Subjects
Part 4. What’s Next?