
Data breach solicitors


Data breaches are unfortunately a fact of life and can be a stressful experience to navigate.

The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place.  Organisations are under an obligation to act promptly and mitigate the risks of any breach and, depending on the risks, may have reporting obligations to the ICO, the data subjects, or both.

It is crucial that businesses understand and comply with their obligations.

Understanding Data Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Often, the term ‘data breach’ will prompt images of an unauthorised third party hacking into a company’s computer system and stealing personal data.  This is due, in part, to the fact that these are the types of breaches that hit the headlines.  Whilst this is indeed a personal data breach, the definition above is much broader and could even cover an unauthorised employee altering personal data.

In practice, for most organisations, the most common personal data breaches are mundane: personal data sent to the wrong email recipient, or an email sent to many recipients with their addresses in ‘To’ or ‘CC’ rather than ‘BCC’, so that every recipient can see who else received it.
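The second of these mistakes is easy to catch mechanically. The following is an added example, not code from this page or its authors: a pre-send check that parses a draft message and refuses it when more than one address outside the organisation is visible in ‘To’ or ‘Cc’, leaving ‘Bcc’ alone because that header is not delivered to recipients. The organisation domain `example.org`, the threshold `MAX_VISIBLE_EXTERNAL` and the two sample drafts are constructed for illustration.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed organisation domain (illustrative): any other domain is external.
INTERNAL_DOMAIN = "example.org"
# Assumed policy (illustrative): at most one external address may appear in
# To/Cc. A mailshot to several third parties must put them in Bcc instead.
MAX_VISIBLE_EXTERNAL = 1


def visible_external_recipients(msg: Message) -> list[str]:
    """Return the external addresses listed in the To and Cc headers.

    Both headers are delivered to every recipient, so each address in them is
    disclosed to all the others. Bcc is deliberately ignored: the sending
    server strips it, so it is the correct place for a list of third parties.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    external = []
    for _display_name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if not addr or "@" not in addr:
            continue  # empty group such as "undisclosed-recipients:;"
        if addr.rsplit("@", 1)[1] != INTERNAL_DOMAIN:
            external.append(addr)
    return external


def external_in_draft(raw_message: str) -> list[str]:
    """Parse an RFC 5322 draft and list the external addresses it exposes."""
    return visible_external_recipients(message_from_string(raw_message))


def check_outgoing(raw_message: str) -> tuple[bool, str]:
    """Decide whether a draft may be sent. Returns (allowed, reason)."""
    external = external_in_draft(raw_message)
    if len(external) > MAX_VISIBLE_EXTERNAL:
        return (False,
                f"{len(external)} external addresses are visible to each other "
                f"in To/Cc ({', '.join(external)}); move them to Bcc")
    return True, "ok"


# Constructed sample drafts (not real messages).
# Three clients in To/Cc: each of them learns that the other two are clients.
BAD_DRAFT = """\
From: sender@example.org
To: alice@client-a.example, bob@client-b.example
Cc: carol@client-c.example, colleague@example.org
Subject: Newsletter

Dear all,
"""

# The same mailshot done correctly: clients in Bcc, one internal address visible.
GOOD_DRAFT = """\
From: sender@example.org
To: Data Protection Team <dp-team@example.org>
Bcc: alice@client-a.example, bob@client-b.example, carol@client-c.example
Subject: Newsletter

Dear all,
"""

if __name__ == "__main__":
    for label, draft in (("bad", BAD_DRAFT), ("good", GOOD_DRAFT)):
        allowed, reason = check_outgoing(draft)
        print(f"{label}: {'send' if allowed else 'BLOCK'} - {reason}")
```

A check like this belongs at the point where the message leaves the organisation (a mail client add-in or an outbound gateway rule), where it can stop the message rather than merely log it; the same logic run over sent-mail logs after the fact only tells you a breach has already happened.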

Personal data breaches can have a devastating impact on both businesses and data subjects. For businesses, it can impact their operations and lead to financial loss (such as a fine from the ICO, compensation to individuals, and the cost of remedying any breach), reputational damage and legal claims.  For individuals, the breach could cause them to lose control of their personal data and could result in identity theft, emotional distress and financial loss.

Why You Need a Data Protection Breach Solicitor

Our team has extensive experience in data protection law and in advising businesses of all sizes and resources on their data protection obligations, including data breach management. We can help you navigate the legal process and take steps to better protect your business and mitigate your risks.

Our Data Breach Solicitors Services

We can advise you on all aspects of data breach management including:

  • UK GDPR provisions and obligations relating to data breaches including timeframes for breach notification and potential penalties
  • Internal data breach reporting procedures
  • Policy documentation
  • Data breaches and mitigating the risks following a breach
  • Risk assessments
  • Reports to the ICO and data subjects
  • Investigations by the ICO
  • Preventative measures including providing tailored training for employees and senior management

Preventing Future Data Breaches

It’s crucial that lessons are learnt from data breaches and that businesses take the time to review and consider their practices and processes.

Steps that could be taken include:

  • Providing training to help identify data breaches, promote best practice and set out procedures to be followed, including breach reporting;
  • Having clear policies and procedures in place (and points of contact) to assist in the event of a data breach;
  • Having support mechanisms in place, especially for new starters;
  • Encouraging double checking;
  • Encouraging data breach reporting; and
  • Implementing greater security controls

Contact Our Expert Data Breach Solicitors

If you need any assistance with data breaches or data protection in general please do get in contact with our data protection team.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Data breaches

What is a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

It is a wide definition and covers more than just deliberate data breaches.

What are some common examples of data breaches?

Data breaches cover a wide range of incidents. Some common examples include:

  • Sending personal data to the wrong email recipient
  • Sending emails to multiple recipients without using the ‘BCC’ function
  • Providing personal data in response to a phishing scam
  • Hacking of passwords, email accounts, networks and systems
  • Accessing personal data on lost laptops or mobile devices
  • Altering personal data without permission
  • Theft or loss of hard copy documents (such as print outs)

Do all data breaches need to be reported?

Not all breaches need to be reported. If the breach is likely to result in a risk to individuals’ rights and freedoms it must be notified to the ICO. If there is a ‘high risk’ to the individuals’ rights and freedoms, then it will also need to be notified to the individuals whose personal data is affected.

Therefore, on becoming aware of a personal data breach, organisations need to take steps to contain the breach and assess the risks so a decision can be made on whether it needs to be reported to the ICO, individuals, or both.

Even if there is no obligation to report the breach, organisations must keep a record internally of all breaches that occur.

How quickly must a breach be reported to the ICO?

If a breach is notifiable to the ICO, it needs to be reported without undue delay and in any event within 72 hours of becoming aware of the breach.

What information must be included in a report to the ICO?

Organisations must provide the following when reporting a breach to the ICO:

  • a description of the nature of the personal data breach including, where possible the categories and approximate number of individuals and personal data records concerned;
  • the name and contact details of the data protection officer (if there is one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

What are the penalties for failing to report a breach?

Failing to notify a breach when required to do so can result in a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher.

However, the penalties for not complying with the data protection principles in the UK GDPR, including the requirement that you have appropriate security measures in place to protect personal data, can attract higher fines of up to £17.5 million or 4% of the annual global turnover.

The ICO also has other enforcement powers such as the power to issue enforcement notices and conduct audits.

Key contacts

Louise Keenan

Associate


+44 118 960 4614
