Data Breach Guidance Notes
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
A personal data breach can have a significant impact on a business and on the individuals whose data has been compromised. A data breach occurs when personal data is unlawfully destroyed, lost, altered, disclosed, or accessed. Data breaches can be accidental or deliberate, but in either case, identifying them quickly, reporting them if necessary, and dealing with the impact effectively is essential.
Data breaches can take many forms. Common examples include hacking and the loss of computer equipment and mobile devices containing personal data.
These Data Breach Guidance Notes have been created to help you understand what a data breach is, how to spot one, how to deal with it, and how to comply with your obligations under the UK's data protection legislation (including the UK GDPR and Data Protection Act 2018) which – depending on the severity of the breach – can include notifying the Information Commissioner’s Office and the individual data subjects whose data has been compromised.
Ideally, your organisation should have technical and organisational measures in place to prevent data breaches from occurring; however, even the best security can be compromised, particularly where electronic systems are concerned, since those attempting to defeat a technology are often just as capable as those who developed it in the first place. It is vital, therefore, to be prepared to deal with a data breach should one occur.
Steps should be quickly taken to mitigate the damage caused by the breach. If it is severe enough to be reported, this should be done quickly, within the time limit set by the law. The breach should also be carefully investigated. Risks must be considered fully, focusing on the potential impact of the breach on the individuals involved. Data breaches should also be treated as a learning experience, with new protective measures being implemented where necessary to avoid the same thing happening again.
These Data Breach Guidance Notes contain the following sections:
Part 1. Recognising a Personal Data Breach
Part 2. Assessing Risk & Notifying the ICO
Part 3. Notifying Individual Data Subjects
Part 4. What’s Next?