Data Breach Management

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It includes both accidental and deliberate breaches.

Examples of a personal data breach include:

  • accidental deletion of personal data;
  • sending personal data to an incorrect recipient;
  • sharing personal data without the consent of the data subject;
  • alteration of personal data without permission.

Do businesses need to report personal data breaches to the ICO?

When a personal data breach has occurred, a business should establish how likely it is that the breach poses a “risk” to the data subject’s rights and freedoms. This means focusing on the potential negative consequences for individuals, such as loss of control over personal data, identity theft or financial loss.

If a risk is likely, the business must report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.

If a risk is unlikely, a business does not have to report it to the ICO. However, it is good practice to document the reasons for the decision in case the business needs to justify the decision in the future.

Do businesses need to inform the individual of the data breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, UK data protection laws state that you must inform those concerned directly and without undue delay.

To determine if the risk is “high”, a business will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring.

For example, if a GP surgery accidentally discloses a patient’s records to an unauthorised party, then there is likely to be a significant impact on the affected patient because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to the patient’s rights and freedoms, so they would need to be informed about the breach.

Note that ‘high risk’ means that the threshold for informing individuals is higher than the threshold for notifying the ICO.

How do businesses ensure they deal with breaches efficiently?

Training staff to identify a data breach is paramount. Staff should ideally undergo data protection induction training, followed by periodic refresher training, so that they know how to identify a data breach and escalate it to the appropriate person or team in the business.

Businesses should have a process in place to assess the likely risk to individuals as a result of a breach, so that when a breach occurs the business can act promptly to address it. It is good practice to regularly review and update privacy policies and procedures.

A business should also keep a central register of breaches and record all breaches (regardless of whether they are minor).

If you need any advice on how to manage a data breach, please contact a member of our team in confidence here or on 02920 829 100 for a free initial call to see how they can help.

