A personal data breach is a security breach which leads to the accidental or illegal destruction, loss, alteration or unauthorised disclosure of personal data. It also covers the situation where unauthorised access has been given to personal data. The security breach can be caused accidentally or deliberately.
A personal data breach does not need to be caused by unauthorised electronic access, such as the breaches carried out by hackers or other unauthorised individuals that are often highlighted in the media. Nor does a data breach have to result in the data being permanently lost, damaged or otherwise made unavailable. Accidental disclosure of data that is in hard copy, or a temporary loss of data (or indeed loss of access to data), can also be a personal data breach, if it is caused by a breach of security.
All of the following situations are potential data breaches:
a device (eg a laptop or USB stick) containing a database of customers' personal information is lost or stolen;
your business's systems are accessed remotely by a hacker or other person without authority;
a member of staff accidentally deletes data from your systems, the data cannot be retrieved and is not backed up;
a power failure renders personal data unavailable, and prevents you from accessing data;
you leave a document, CD or USB stick on a train. Even if you recover it at a later date, a breach will have occurred for the period it was outside your control; and
you send an email which contains customers' or employees' personal information to the wrong address(es).
If a breach of security occurs which puts the confidentiality, availability or integrity of personal data you hold at risk, you should treat it in the first instance as a personal data breach. The extent of your legal obligations when you become aware of such a potential data breach depends on the nature of the data affected and the potential risk posed to individuals.
For further guidance on what to do if you become aware or suspect that a data breach has occurred, see Q&A 2 and Checklist for responding to a data breach for a step-by-step checklist summarising the steps.
For guidance on steps you can take to minimise the risk of data breaches occurring, see Secure data storage.
When you become aware that a personal data breach has occurred, you should take the following steps as soon as possible, and in most cases within 72 hours:
take practical steps to contain the breach and recover any data (see Q&A 3);
identify whether personal data is affected by the breach. Your legal duty to provide notice of breaches only relates to personal data breaches (see Q&A 4);
determine whether you are a data processor or a data controller, as your obligations are different depending on which role your business carries out (see Q&A 5);
assess the risk the breach potentially carries to individuals. The greater the risk, the more onerous the obligation to notify is (see Q&A 6);
notify the ICO of the breach, where you have determined that the breach carries some potential risk to individuals (see Q&A 7);
notify the individuals whose data is affected, where the breach carries a high risk to the rights and freedoms of the individuals involved (see Q&A 11); and
keep a written record of the breach (see Q&A 12).
For a single page checklist summarising the steps and process set out above, see Checklist for responding to a data breach. Use Data breach toolkit for a how-to guide and the documents you need to deal with a data breach.
In more serious cases, failure to make the necessary notification or keep a written record of such breaches can result in a significant fine of up to £8.7 million or 2% of your global turnover (whichever is higher, see Q&A 13). See Q&A 14 for more information.
If you suspect a personal data breach has occurred, your first priority should be containment and recovery. You should take any appropriate safeguarding measures immediately (eg remotely wiping or locking a lost or stolen device). It is important to respond quickly and effectively, to minimise any risk posed both to individuals who may be affected and to your business. You should make sure that your staff are fully trained to identify potential data breaches and that they understand and follow your internal reporting procedure in line with your policies.
For further guidance on the steps you can take to help minimise the risk of personal data breaches occurring, and to limit the risks posed by such data breaches, see Secure data storage. Use Data breach toolkit for a how-to guide and the documents you need to deal with a data breach.
A personal data breach is a breach of security which affects personal data. Personal data includes an individual's name, address, date of birth, contact details, or indeed any other information that would allow them to be identified. It also includes data generated by their own activity, such as (in the context of a website) their own contact lists or music playlists. For guidance on what constitutes a personal data breach, see Q&A 1. If you believe a personal data breach has occurred, you should progress with the steps set out in Q&A 2 (and see Checklist for responding to a data breach for a step-by-step checklist).
Your legal duties (eg to provide notice and keep a record) are more serious if the data breach affects personal data. Conversely, if the data breach does not affect personal data, you do not have a legal obligation to provide notice or keep a written record of it. However, it is often advisable to do so, particularly if you deem the breach sufficiently serious. Although the ICO will not penalise you for failing to notify or record such a breach, it can nevertheless be good practice to make sure you are meeting your obligations to store data securely (for further guidance see The rules about storing data).
In most cases, unless your business merely provides facilities for storage of data, your business is likely to be a data controller. In certain circumstances your business may be both a data processor and a data controller. For further guidance on how to identify whether you are a controller or processor, see Data protection obligations.
If your business is a data controller of the affected data, you should progress with the steps set out in Q&A 2 (and see Checklist for responding to a data breach for a step-by-step checklist).
If your business is only a processor of the affected data, when you become aware of a personal data breach you must notify the controller without undue delay. You should also review any contract you have with the data controller, to see if you have any further obligations in the event of a data breach. Once you have done so, you will have met your legal obligations.
After becoming aware of a personal data breach and determining that personal data you control is affected, you should then assess the potential risk the breach carries to individuals. You can use the ICO's self-assessment for data breaches tool to establish the risk posed by the data breach.
To help in assessing the risk posed by a data breach, you should consider the factors set out in the first column of the table below. Low, medium and high risk examples are also set out alongside each factor below. These examples are included for guidance only, and all data breaches must be considered objectively in the round when assessing risk.
Factors to consider | Low risk example | Medium risk example | High risk example |
Type of breach | Temporary loss of access to personal data (with no actual loss of the data itself) | Accidental deletion of some personal data | Unauthorised access to personal information, login details and/or payment details |
Nature and sensitivity of affected data | Data which is already widely available in the public domain | Data which is not widely available in the public domain but which is not highly confidential | Medical information, financial information or other confidential information |
Volume of data | A small extract from a single page of a document | A folder containing personal data relating to a number of individuals | All of the personal data you hold |
Ease of identification of individuals from data | Encrypted data which is fully anonymised (without an encryption key) | Personal information about an individual, without their name | An individual's name, address and payment details and/or login details |
Severity of potential consequences for individuals | No likely risk of loss or damage to individuals | Inconvenience caused by loss of access to data (rather than loss of data itself), such as delay in processing payments or orders | Any risk of identity theft, fraud, physical harm, psychological distress, humiliation or damage to reputation |
Number of individuals affected | No identifiable individuals affected | Several individuals affected (a very small proportion of your customers or employees) | Many individuals (and/or a large proportion of your customers or employees) |
Any special characteristics of the individual(s) involved should also be taken into account. For example, where there has been a breach of data that relates to children or other vulnerable individuals, they may be placed at a greater risk of danger as a result. Similarly, any special characteristics of the data controller should also be taken into consideration. For example, the nature of personal data processed by a medical organisation will increase the risk to individuals whose data is breached.
Although the above table can assist in assessing risk, ultimately there is no science to the assessment and it is for you to determine. You must be able to show that you have taken steps to make an objective assessment. In most cases, unless a breach is a temporary loss of access to data which causes inconvenience but ultimately results in no loss or damage to personal data, it is likely that there will be at least some potential risk to individuals.
If you decide that a personal data breach potentially carries some risk to individuals, you should notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The 72-hour period begins when you become aware of the breach. The precise point when you become aware of a breach will depend on the particular circumstances, but as soon as you or one of your employees realises that a breach has occurred, the 72-hour clock will begin. This emphasises the importance of having internal processes for notifying a breach. For a template personal data breach policy, see Personal data breach policy.
In certain limited circumstances, if you are unable to provide all of the information within the relevant 72-hour period, you can make a staged or delayed notification. However, you must give reasons for the delay. For instance, if your initial investigation uncovers a potential personal data breach but a more detailed forensic examination is required to uncover the full extent of the breach, you should make a staged notification where you notify the ICO within 72 hours of becoming aware of the potential breach with as much detail as possible. You should then provide further full disclosure once the detailed forensic examination is completed. Alternatively, a delayed notification may be appropriate where you suffer a series of consecutive similar breaches (for instance a targeted series of attacks by multiple hackers). In such circumstances, if the series of attacks continues for a period of more than 72 hours, you could temporarily delay making the necessary notification to the ICO to enable you to focus on your primary purpose of containing the breach. So long as the breaches relate to the same type of personal data and involve the same method, you can then report the series of breaches as one once you have taken the necessary steps to contain the breach.
See Q&A 8 for guidance on how to notify the ICO. If you determine a breach poses a high risk to individuals, you should also take steps to notify the individuals concerned as soon as possible. For guidance on how to make a notification to individuals concerned, see Q&A 11 and Notice of a personal data breach (affected individuals) for a template you can use.
On the other hand, if you determine that a personal data breach is unlikely to result in a risk to individuals, you are not obliged to notify the ICO or any individuals of the data breach. You should still keep a written record of such breaches, though (see Q&A 12 and Template personal data breach register).
Unless you decide that the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals, you must notify the ICO of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it. You can report the breach either:
by telephone, on 0303 123 1113; or
by completing the ICO's online form, available on the ICO's Report a breach web page. Choose the 'GDPR or DPA 2018 personal data breach' option and click on 'Report a data security breach'. The ICO's form to report a breach can then be downloaded and filled in. The completed form can either be emailed to the ICO (icocasework@ico.org.uk, with 'Personal data breach notification' in the subject field) or sent by post to: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. The online form option is appropriate where you have experienced a data breach but are confident that you have dealt with it appropriately, or you are still investigating the breach and will be able to provide further information later on. You can also use the online form to report breaches outside the ICO's normal opening hours.
When notifying the ICO, you will be asked for details of the breach, including the nature of the data breach and the affected data, the number of individuals and approximate number of data records affected, and details of a contact at your business from whom more information can be obtained. You will also be asked when and how you found out about the breach, what the likely consequences of the breach will be, and what measures you have taken to both address and minimise the risk associated with the breach.
See Personal data breach policy for a template that will allow you to produce an internal policy to help you comply with your obligation to notify the ICO of a personal data breach.
Where a personal data breach carries a high risk to the rights and freedoms of individuals, and unless one of the exceptions set out below applies, you should inform those individuals who have been affected without delay.
Notification is not required if:
you have in place protection measures which render the affected personal data unintelligible to any person not authorised to access it (for example, where it's encrypted);
having become aware of the breach, you have taken measures to minimise the potential high risk to individuals, so that it is no longer likely to materialise (for instance where customers' usernames have been compromised, you have suspended the accounts of the affected individuals so that unauthorised transactions cannot take place – although bear in mind you'll only be able to rely on this if you're certain no damage could have been done before you took these measures); or
notification to individuals would require disproportionate effort (for instance where a large number of individuals are affected and you have incomplete or outdated contact details for such individuals). In such circumstances you should make a general public communication (such as a press release or statement on your business's website).
The timing of when you actually notify the affected individuals of a high risk breach will depend on the level of risk posed. If there is an immediate and acute risk to individuals, for instance where payment information has been compromised and you have evidence that it is likely to be used to make unauthorised transactions, prompt communication would be required. In exceptional circumstances, such as where you become aware individuals' payment information is being misused, this may require you to notify the affected individuals before you notify the ICO.
See Q&A 11 for guidance on how to notify affected individuals and Notice of a personal data breach (affected individuals) for a template notice you can use.
The notification to those concerned should be written in clear and plain language and should inform the individuals of the circumstances of the breach. The ICO advises that, as a minimum, this should include the contact information for your Data Protection Officer (if you have one) or other relevant individual within your organisation, the likely consequences of the breach and the measures you have taken or propose to take to deal with it and (if relevant) to mitigate any possible adverse effects. It should also provide advice on practical steps they should take as a result and how you can help them. For a template notice, see Notice of a personal data breach (affected individuals).
Outside of exceptional cases with a particularly acute risk, the ICO can generally assist you in determining when and how you should notify the affected individuals of a data breach. You should aim to work in cooperation with the ICO when notifying affected individuals, and the ICO has the power to require you to make a notification if you have not already done so. At the same time, you should not simply rely on the ICO to determine whether you have an obligation to notify the affected individuals after a data breach, nor should you view notification to the ICO as the end of your legal obligations. Regardless of whether the ICO orders you to do so, you always have a legal obligation to carry out the risk assessment described in Q&A 6 above, and if necessary make the appropriate notification to individuals.
You should keep a written record of all personal data breaches that have occurred in your business, regardless of whether they need to be reported to the ICO. This will enable you, where required, to demonstrate that you have complied with your notification duties under data protection laws. The written record should set out the facts, the effects and the remedial action taken in relation to each breach. It could also include steps you have taken following your investigation into the cause of the breach to prevent it from recurring (eg providing training to staff if it was caused by human error).
This record might be kept in an internal breach notification register. For a template register, see Template personal data breach register.
In the most serious cases, failure to notify the ICO (or the affected individuals, if required) of a personal data breach can result in a significant fine of up to £8.7 million or 2% of your global turnover (whichever is higher). Failure to record a personal data breach can also result in the same level of fine. Note that if the breach took place prior to 25 May 2018, the level of fine that can be imposed is different. See Q&A 14 for more information.
The ICO has a range of penalties and sanctions that it can impose where there has been a breach. Generally, less serious or first-time offences are likely to result in a less serious penalty; however, this will depend on all of the circumstances. The ICO has discretion to issue the penalties set out below to anyone who fails to properly notify a personal data breach.
Warnings
If the ICO believes that you have not yet breached data protection law, but that you are likely to do so unless you change something about the way you are handling data breaches, they can issue a warning. For example, they could issue a warning if you do not have a policy for dealing with a personal data breach, or if you do not keep an internal breach register. If you ignore this warning, and fail to then respond promptly and appropriately to a personal data breach, the penalties imposed on you could be much more severe.
Reprimands
A reprimand is a formal warning that you have breached data protection law. You may be reprimanded in addition to other penalties. If you have been reprimanded and you later breach data protection law in a similar way, the penalties imposed on you could be much more severe.
Orders to notify individuals
If you fail to properly notify an individual of a high risk personal data breach that affects them, it is likely that, along with any other penalties imposed on you, the ICO will order you to make the necessary notification. It may set a new deadline for you to do so, and if you fail to follow the order it may penalise you again, much more severely.
Orders to change your processing systems
If the ICO believes that the systems you use to process personal data are not compliant with data protection law (eg you have poor data security systems and policies, or you fail to record data breaches), it may order you to alter your systems to fix these problems.
Temporary or permanent bans on data processing
A ban on data processing (even only a temporary one) will usually only be issued if you have very severely breached data protection law. To receive such a ban, there would likely need to be a significant failure by you to meet your legal obligations after a high risk personal data breach.
Fines
Failure to properly notify or to record a personal data breach can be met with a fine of up to £8.7 million or 2% of your global turnover (whichever is higher), depending on the severity of the wrongdoing. While fines anywhere near that size are extremely unlikely for all but the biggest breaches by major companies, smaller fines could be imposed alongside other penalties if you fail to respond promptly or adequately to a personal data breach (particularly for deliberate attempts to conceal or downplay such a breach, or failures which relate to particularly sensitive data).
If you discover a potential personal data breach within your business, and the breach occurred before 25 May 2018, your obligations to notify, if necessary, the ICO and the individuals concerned are the same as if the breach had happened after that date. You should therefore follow the same procedure set out above in Q&A 2 and following.
If it is clear that the breach took place before 25 May 2018, then the ICO is likely to apply the previous rules in relation to the fines that it can impose for a data breach. The maximum fine that it can impose under the previous rules is £500,000. If, however, the breach took place just before 25 May 2018, or if it began prior to that date and continued afterwards, the ICO may take that into consideration in determining whether to apply the old penalty regime or the new one. Under the new rules, where a business has failed to properly notify or record a personal data breach, the ICO can impose a fine of up to £8.7 million or 2% of your global turnover (whichever is higher), depending on the severity of the wrongdoing.