The UK GDPR sets out a number of key data protection principles. One of these is the integrity and confidentiality (security) principle, which requires you to put in place appropriate security measures to protect personal data. If those measures are insufficient, if they fail, or if they have not been put in place at all, the risk of a personal data breach can be significant.
A personal data breach is defined in the UK GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The law requires that personal data breaches are reported to the appropriate supervisory authority (in the UK, this is the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only exception is where the breach is unlikely to result in a risk to individuals’ rights and freedoms; the default position is therefore to report, and you should record the reasons if you decide not to.
Furthermore, if the breach is likely to result in a high risk to individuals, you will also need to inform the affected individuals without undue delay.
This means that you should have procedures and systems in place to quickly detect personal data breaches, investigate them, and report them. You must also keep records of personal data breaches, even those that you do not need to report.
Document Templates Available
We offer a range of documents designed to help you deal with personal data breaches:
- Our Data Breach Guidance Notes are designed to explain data breaches in more detail, helping you to understand what a personal data breach is, how to spot one, how to deal with it, and how to comply with your obligations under the law.
- Our Data Breach Policy is an internal policy document which sets out the steps that should be taken when handling a personal data breach including containment, investigation, and reporting.
- Our Data Breach Register is designed for recording the details of data breaches and the resulting management of those breaches in accordance with the data breach policy.
- Our Data Breach Report Form is another internal document and should be used by your staff to report breaches to the appropriate member of staff or department in accordance with the data breach policy.