A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It includes both accidental and deliberate breaches.
Examples of a personal data breach include:
When a personal data breach has occurred, a business should establish the likelihood of the “risk” to the data subject’s rights and freedoms. This means focusing on the potential negative consequences for individuals, such as loss of control over personal data, identity theft, or financial loss.
If a risk is likely, the business must report it to the Information Commissioner’s Office (ICO) within 72 hours after becoming aware of it.
If a risk is unlikely, a business does not have to report it to the ICO. However, it is good practice to document the reasons for the decision in case the business needs to justify the decision in the future.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, UK data protection laws state that you must inform those concerned directly and without undue delay.
To determine if the risk is “high”, a business will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring.
For example, if a GP surgery accidentally discloses a patient’s records to an unauthorised party, then there is likely to be a significant impact on the affected patient because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to the patient’s rights and freedoms, so they would need to be informed about the breach.
Note that the ‘high risk’ threshold for informing individuals is higher than the “risk” threshold for notifying the ICO.
Training staff to ensure they know how to identify a data breach is paramount. Staff should ideally receive data protection induction training and periodic refresher training so that they know how to identify a data breach and escalate it to the appropriate person or team in the business.
When breaches occur, businesses should have in place a process to assess the likely risk to individuals as a result of a breach and ensure that the business can act promptly to address a data breach. It is good practice to regularly review and update privacy policies and procedures.
A business should also keep a central register of breaches and record all breaches (regardless of whether they are minor).
If you need any advice on how to manage a data breach, please contact a member of our team in confidence on 02920 829 100 for a free initial call to see how they can help.