A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It includes both accidental and deliberate breaches.
Examples of a personal data breach include:
When a personal data breach has occurred, a business should establish the likelihood of the “risk” to the data subject’s rights and freedoms. This means focusing on the potential negative consequences for individuals, such as loss of control over personal data, identity theft, financial loss.
If a risk is likely, the business must report it to the Information Commissioner’s Office (ICO) within 72 hours after becoming aware of it.
If a risk is unlikely, a business does not have to report it to the ICO. However, it is good practice to document the reasons for the decision in case the business needs to justify the decision in the future.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, UK data protection laws state that you must inform those concerned directly and without undue delay.
To determine if the risk is “high”, a business will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring.
For example, if a GP surgery accidentally discloses a patient’s records to an unauthorised party, then there is likely to be a significant impact on the affected patient because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to the patient’s rights and freedoms, so they would need to be informed about the breach.
Note that a ‘high risk’ means that the requirement to inform individuals is higher than for notifying the ICO.
Training staff to ensure they know how to identify a data breach is paramount. Staff should ideally undergo data protection induction training and undergo refresher training periodically to ensure that they know how to identify a data breach and escalate it to the appropriate person or team in the business.
When breaches occur, businesses should have in place a process to assess the likely risk to individuals as a result of a breach and ensure that the business can act promptly to address a data breach. It is good practice to regularly review and update privacy policies and procedures.
A business should also keep a central register of breaches and record all breaches (regardless of whether they are minor).
If you need any advice on how to manage a data breach, please contact a member of our team in confidence here or on 02920 829 100 for a free initial call to see how they can help.
To speak to one of our experts today, please contact us on 02920 829 100 or by using our Contact Us form for a free initial chat to see how we can help.
I have worked with Darwin Gray for a number of years and the level of service, professionalism and timely response is second to none. I would highly recommend Darwin Gray to any business.”
Darwin Gray have provided us with a first-class service for many years now. They really take the time to understand our business and develop relationships which results in advice and support that is contextualised and effective.”
We have worked with Darwin Gray for several years and have always found their services and advice to be first class.”
An extremely professional and sincere company who make time for your queries and understand the need to break down certain facts and information to ensure everything is understood perfectly. I would highly recommend the company to anyone looking for any type of legal advice”
PSS has worked with Darwin Gray for many years. We have always received an excellent service. Prompt and professional advice and support.”
We have used several departments within DG recently and we have been very pleased with an effective, efficient and down to earth service. Very happy thus far and I expect that we will continue to use DG.”
Darwin Gray offer us truly superb services. Very professional, quick and services available bilingually which is very important to us, highly recommend.”
My “go to” in urgent and time sensitive cases for direction, support and advice. The team are quick to respond to calls or emails for advice and support on all matters. Always explain complex matters in a way a lay person can easily understand.”
Darwin Gray have acted for myself and my company over a number of years and at all times we have been treated with a professional manner yet maintain a common-sense approach at all levels. We couldn’t recommend them more highly.”
We have been clients of Darwin Gray for many years; they’ve always dealt with all of our legal matters with such professionalism. They work around us, even during awkward hours, and we feel confident we can always rely on them.”
Darwin Gray has been acting for Siltbuster for more than ten years. We would have no hesitation in recommending Darwin Gray to other organisations small or large.”
From the very first conversation, I had no doubt that Darwin Gray should be the firm to receive our instructions on this matter. I would have no hesitation in recommending Darwin Gray.”
We regularly instruct Darwin Gray. Their service in dealing with our transactional matters and disputes is always professional, prompt and efficient.”
Darwin Gray guided me through a long and extended process that would have been much more difficult had it not been for their patience and constant support.”
Excellent and efficient service. Great result achieved, highly professional and transparent on pricing. Would recommend.”
Superb legal service provided. Exceeded expectations. They went above and beyond in order to provide the best service possible.”
Very professional and understanding. They were a calming influence in a very troubling situation and they brought it to a very successful conclusion”
We have used Darwin Gray and have been seriously impressed. The personal approach is what Darwin Gray are excelling on and is the reason why we will continue to work with them in the future.”