GDPR – what to do if you have a data breach

Despite your best efforts with GDPR, your business might still suffer a data breach.

It’s probably not the end of the world, but in this blog data protection expert Karen Heaton explains what happens next.

In our previous blog we discussed the potential level of fines for data breaches and some common causes of those breaches.

Today’s blog answers two questions: what exactly constitutes a reportable data breach, and whose responsibility is it to report it?

We will look at guidance from the European Data Protection Board (EDPB) on examples of data breaches and whether to report them to the data subject(s), to the Information Commissioner’s Office (ICO), or to both.

What constitutes a data breach?

Data breach definition, from GDPR Article 4(12):

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

In practice this means that every personal data breach is a security failure, but not every security failure is a personal data breach: an incident that never touches personal data (a defaced marketing page with no user data behind it, say) does not meet the definition. And not every personal data breach has to be reported to the ICO or to the data subject(s); whether it does depends on the risk it creates for the people whose data is involved.


So how do you know what to report? Have you had a breach at all, and how would you know?

Examples of how you may identify a data breach

  • An employee loses a bag, phone or USB stick containing personal data
  • Monitoring software identifies unauthorised access to an account or file
  • Large attachments are sent in outgoing emails to an employee’s private (personal webmail) email account
  • A supplier (data processor) tells you that they have had a cyber-attack and your data has been compromised
  • A client phones to say they have received an odd email, apparently from your company, asking for bank details for an unexpected refund (a sign that a mailbox may have been compromised or your domain spoofed)
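The third indicator above (large attachments going out to a personal mailbox) is one that outbound mail-gateway logs can surface automatically rather than waiting for someone to notice. The following is an added example written for this post, not code from the original article or from any product it mentions. It assumes a hypothetical log format of one message per line with `from=`, `to=` and `attachment_bytes=` fields, a list of consumer webmail domains, and size thresholds; all three are assumptions to adapt to your own gateway and baseline. The sample log lines are constructed for the example. It goes slightly beyond the bullet by also catching a sender who splits the data across several smaller messages.

```python
import re
from collections import defaultdict

# Constructed sample of outbound mail-gateway log lines (fabricated for this
# example; the one-event-per-line layout itself is a hypothetical format).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z from=alice@corp.example to=bob@partner.example attachment_bytes=204800 subject="Invoice 1042"
2024-03-04T09:15:44Z from=dave@corp.example to=dave.k.home@gmail.com attachment_bytes=52428800 subject="stuff"
2024-03-04T09:16:10Z from=dave@corp.example to=dave.k.home@gmail.com attachment_bytes=31457280 subject="stuff 2"
2024-03-04T10:01:07Z from=erin@corp.example to=erin@corp.example attachment_bytes=1048576 subject="draft"
2024-03-04T10:22:59Z from=frank@corp.example to=frank.personal@outlook.com attachment_bytes=4194304 subject="photos"
2024-03-04T11:03:12Z from=frank@corp.example to=frank.personal@outlook.com attachment_bytes=4194304 subject="photos 2"
2024-03-04T11:03:40Z from=frank@corp.example to=frank.personal@outlook.com attachment_bytes=4194304 subject="photos 3"
this line is malformed and must be skipped rather than crash the detector
"""

# Assumed list of consumer webmail domains; extend it for your environment.
PERSONAL_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "icloud.com", "protonmail.com", "proton.me",
}

# Assumed thresholds (tune to your baseline): one large message, or several
# smaller ones from the same sender that add up ("low and slow" exfiltration).
SINGLE_MESSAGE_LIMIT = 10 * 1024 * 1024
CUMULATIVE_LIMIT = 10 * 1024 * 1024

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) '
    r'attachment_bytes=(?P<bytes>\d+) subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev


def mail_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_exfil_candidates(log_text, single_limit=SINGLE_MESSAGE_LIMIT,
                          cumulative_limit=CUMULATIVE_LIMIT):
    """Return findings for outbound mail to personal webmail domains.

    Rule 1: any single message whose attachment is at or above single_limit.
    Rule 2: any sender whose attachments to personal domains, summed over the
    whole log, reach cumulative_limit.
    """
    findings = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or mail_domain(ev["to"]) not in PERSONAL_MAIL_DOMAINS:
            continue  # malformed line, or recipient is not a personal mailbox
        totals[ev["sender"]] += ev["bytes"]
        if ev["bytes"] >= single_limit:
            findings.append({
                "rule": "large_attachment_to_personal_mail",
                "ts": ev["ts"], "sender": ev["sender"], "to": ev["to"],
                "bytes": ev["bytes"], "subject": ev["subject"],
            })
    for sender, total in totals.items():
        if total >= cumulative_limit:
            findings.append({
                "rule": "cumulative_bytes_to_personal_mail",
                "sender": sender, "bytes": total,
            })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

On the sample log this flags both of dave’s large messages individually, dave’s and frank’s cumulative totals, and nothing for the partner or internal recipients. A hit is a trigger for the breach assessment described below, not proof of a breach: the next step is to confirm what the attachments actually contained.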

Assessing a breach for reporting

When assessing a security incident, the Data Controller should:

a) assess whether the incident has resulted, or is likely to result, in a personal data breach (destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), and then

b) assess the risk to the data subjects. If the breach is likely to result in a risk to their rights and freedoms, it must be reported to the ICO; if that risk is likely to be high, the affected data subjects must be told as well. A breach that is unlikely to result in any risk need not be reported, but it must still be recorded internally.

Of course, the level of risk depends on the type, volume and sensitivity of the data, on how many people are affected, and on what a recipient could actually do with it. Data that was encrypted with a key the recipient does not hold is a well-known mitigating factor, which is one reason to establish early whether the lost laptop or USB stick was encrypted.

Each breach will have its own characteristics depending on the organisation and the data affected. See the European Data Protection Board’s guidance for the full list of worked examples.



How to report a data breach

It is the responsibility of the Data Controller to assess, resolve and report data breaches. Any suppliers (Data Processors) involved in the incident must notify the Data Controller without undue delay once they become aware of a breach, assist with the investigation and provide fixes where appropriate. It is therefore important to Know Your Data (KYD): know which personal data you hold, where it is, which processors handle it, and what your responsibilities are in each potential scenario.

  • Once the Data Controller has assessed that the breach is likely to result in a risk to the data subjects, he/she must complete the ICO’s data protection breach notification form and submit it without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification takes longer than 72 hours, it must explain the reasons for the delay; if not all the facts are known in time, the information can be provided in phases.
  • If the breach is likely to result in a high risk to the data subjects, the Data Controller must also notify the affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, its likely consequences and the measures taken. It is essential to have an operational process or plan for staff to follow, and to keep a record of every breach (including those not reported) with the facts, its effects and the remedial action taken.


Today’s fact. Did you know that the ICO’s website lists organisations that have been or are being audited, in addition to organisations being monitored over concerns about their compliance?


=> Take your data protection responsibilities seriously, know your data (KYD) and be operationally compliant, to avoid the reputational damage of your company name appearing on the ICO website.

See you next week!