Personal data breaches (2024)

At a glance

  • Part 3 of the DPA 2018 introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place.

In brief

  • What is a personal data breach?
  • What breaches do we need to notify the ICO about?
  • What information must a breach notification to the Information Commissioner contain?
  • When do we have to tell individuals about a breach?
  • What information should we tell individuals who have been affected by the breach?
  • How do we notify a breach?
  • What should we do to prepare for breach reporting?

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What breaches do we need to notify the ICO about?

You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If left unaddressed, such a breach is likely to have a significant detrimental effect on individuals. For example:

  • discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case-by-case basis, and you need to be able to justify your decision on whether to report a breach to the Information Commissioner.

What information must a breach notification to the Information Commissioner contain?

You must include:

  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned;
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.

When do we have to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.

The duty to tell an individual about a breach does not apply if:

  • you have implemented appropriate technical and organisational measures which were applied to the personal data affected by the breach (for example the data has been securely encrypted);
  • you have taken subsequent measures which will ensure that any high risk to the rights and freedoms of individuals is no longer likely to materialise; or
  • it would involve disproportionate effort.

Where a communication of a breach would involve disproportionate effort, you must make the information available to individuals in another, equally effective way, such as a public communication.

You may restrict the information, either wholly or partly, that you provide to individuals affected by a breach under certain circumstances. This is when doing so is a necessary and proportionate measure:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security;
  • to protect national security; or
  • to protect the rights and freedoms of others.

What information should we tell individuals who have been affected by the breach?

You must give individuals information including:

  • a description of the nature of the personal data breach;
  • the name and contact details of the data protection officer (if relevant) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.

How do we notify a breach?

You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the DPA 2018 recognises that it will often be impossible for you to investigate a breach fully within that time period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain the reasons for the delay in your breach notification.

If the breach is sufficiently serious to warrant notification to the public, you must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine of up to £8.7m or 2 per cent of your global turnover.

To notify the ICO of a personal data breach, please see our pages on reporting a breach.

What should we do to prepare for breach reporting?

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will help decision-making about whether you need to notify the Information Commissioner or the affected individuals.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, containment, management and mitigation policies and procedures in place.

FAQs

How do you respond to a personal data breach?

72 hours - how to respond to a personal data breach
  1. Step one: Don't panic. ...
  2. Step two: Start the timer. ...
  3. Step three: Find out what's happened. ...
  4. Step four: Try to contain the breach. ...
  5. Step five: Assess the risk. ...
  6. Step six: If necessary, act to protect those affected. ...
  7. Step seven: Submit your report (if needed)

Why does iPhone say all my passwords appeared in a data leak?

If you get a notification on your phone that says “data leak,” don't panic! Yes, it means your data has ended up in a data breach, and unauthorized individuals can access your accounts and personal information. But you can view and fix the compromised passwords in your iPhone's settings straight away.

What are examples of a data breach (choose multiple answers)?

Read on, and we'll discuss the seven most common types and how they can affect your business.
  • Stolen Information. ...
  • Ransomware. ...
  • Password Guessing. ...
  • Recording Keystrokes. ...
  • Phishing. ...
  • Malware or Viruses. ...
  • Distributed Denial-of-Service (DDoS)

Which answer best describes a data breach?

A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.

Can I claim compensation for a data breach?

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) and “non-material damage” (e.g. you have suffered distress).

Is Apple data leak warning real?

You will be warned about your passwords determined to possibly be in a data leak. Your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords. You can disable this feature at any time by going to Settings > Passwords > Security Recommendations.

Should I change my password if it was in a data leak?

You should absolutely change passwords immediately if you've been informed that you've been a victim of a data leak. The best course of action is to detect compromised passwords (which may apply to more than one site if you, like many, repeat passwords) and replace them with a strong password.

Should I delete compromised passwords?

Reset Passwords: Immediately require all users to change their passwords, especially for accounts where compromised credentials were used. Review Access Controls: Ensure that the principle of least privilege is applied—users should only have access to the information necessary for their role.

What are 5 consequences of a data breach?

Data breaches can affect the brand's reputation and cause the company to lose customers. Breaches can damage and corrupt databases. Data breaches also can have legal and compliance consequences. Data breaches also can significantly impact individuals, causing loss of privacy and, in some cases, identity theft.

How serious is a data breach?

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of ...

What is most likely to result in a data breach?

The vast majority of data breaches are caused by stolen or weak credentials. If malicious criminals have your username and password combination, they have an open door into your network.

What are 4 consequences of data breach?

When it comes to the consequences of data breach, the repercussions are far-reaching and deeply impactful. These breaches have evolved from mere cyber security issues to instigators of financial losses, reputational damage, legal troubles, regulatory fines, and a profound erosion of consumer trust.

Which of the following is not a privacy breach?

Natural disasters are not typically considered a cause of privacy breaches/incidents.

How does personal data get leaked?

A data leak is when information is exposed to unauthorized people due to internal errors. This is often caused by poor data security and sanitization, outdated systems, or a lack of employee training. Data leaks could lead to identity theft, data breaches, or ransomware installation.

What is the first step you should take after a data breach occurs?

Contain the Cyber Breach

The first step you should take after a data breach is to determine which servers have been compromised and contain them as quickly as possible to ensure that other servers or devices won't also be infected. Here are a few immediate things you can do to attempt to contain a data breach.

What is the first step when dealing with a breach of data?

1) Inform your Data Protection Officer: As soon as a personal data breach is identified, the first and foremost task is to inform and involve the DPO in your organisation.

What is the first thing that you should do when a data breach occurs?

If you're notified that your personal information was exposed in a data breach, act immediately to change your passwords, add a security alert to your credit reports and consider placing a security freeze on your credit reports.

Who should you contact if a personal data breach occurs?

You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the DPA 2018 recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases.

Article information

Author: Jonah Leffler
