What to do if a data breach occurs: how organisations should plan for the inevitable

Fri 5th Apr 2019

Kirsty Davey, Associate in the Corporate and Commercial team at Coodes Solicitors, explains how any organisation should deal with the unfortunate but inevitable situation of a data breach.

The introduction of the GDPR (the General Data Protection Regulation) has made us all more aware of the care we need to take when handling personal data. Most organisations now have better data storage and processing systems in place as a result. However, nothing can guarantee that things will not go wrong. Whether it is a full-blown cyber attack or simple human error, it is unfortunately inevitable that every organisation will experience a data breach at some point. That is why all organisations should have a plan in place for what to do when one occurs.

If you have not yet put together a protocol for dealing with a data breach, here are the key steps you should follow.

1. If in doubt, speak out

If an employee suspects a data breach has happened, it is vital that they report it immediately. The 72-hour clock for notifying the ICO runs from the moment the organisation becomes aware of the breach, so every day a suspected breach goes unreported internally is time lost from that deadline. If the person who discovered the problem caused it themselves, perhaps through simple human error, they may feel nervous about reporting it. It is important to do what you can to ensure individuals feel comfortable about reporting a potential breach.

Look at what you can put in place to make it as easy as possible for an employee to report a data breach. This might include a simple form for them to fill out, or simply making sure they know who is responsible for data protection so they know who to speak to. It is not compulsory for every organisation to appoint a data protection officer, but it is sensible to have a named person who deals with data issues. Whether you want staff to report a potential breach to that person or to a line manager, the important thing is that they understand who to notify if they suspect there has been a breach.

2. Report all notifiable breaches to the ICO

The GDPR places a duty on all organisations to report certain personal data breaches to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of them. Broadly speaking, a breach is notifiable when it is likely to result in a risk to people's rights and freedoms; the volume and sensitivity of the data involved, and the likelihood of harm to the people concerned, all feed into that assessment. If you notify later than 72 hours, you must explain the reasons for the delay. Whether or not you report a breach, you must keep an internal record of it: what happened, its effects and the remedial action you took. If you decide not to report a breach, make sure that record shows why, as the ICO may ask you to justify the decision in future.

3. Understand when you need to notify individuals

In some instances you will also need to notify the individuals whose data is involved in the breach. This applies when the breach is likely to result in a high risk to the rights and freedoms of those individuals, and the notification must be made without undue delay. If you are in this position, liaise closely with the ICO on your communication with the individuals concerned; the ICO can also require you to notify them if it considers the risk to be high. You may also decide to inform individuals, regardless of your obligations under the regulation, if you think they have a right to know or where you have other duties of care towards them.

4. Get external advice when you need it

In some cases, you may not be able to handle a data breach yourself. Recognise when you need help. This could involve taking legal advice, bringing in cyber security specialists or contacting your insurer, and many cyber insurance policies expect to be told promptly. If you do engage specialists to investigate, preserve the evidence they will need: keep logs and do not wipe or rebuild affected systems until they have been examined. Always remember that if you are subject to a cyber attack you should report the incident to the police (in the UK, via Action Fraud).

5. Learn from a data breach

Any data breach should teach you something about how to handle your data better in future. Perhaps you need to review who has access to certain personal data, arrange staff training or put further security measures in place to prevent data being lost or stolen. It may be something as simple as turning off auto-complete of recipient addresses in your email client, so that a message is not sent to the wrong person. Although no one wants a data breach to occur, if one does happen, treat it as an opportunity to tighten up your processes and procedures so that something similar does not happen again.

For any help or advice around the new GDPR, please contact Kirsty Davey in the Corporate and Commercial team at Coodes Solicitors on 01326 214034 or kirsty.davey@coodes.co.uk.

Kirsty Davey

Head of Corporate & Commercial
