Privacy and Data Protection

Data breach solicitors in London and Thames Valley
Webinar: How do I protect my business in the event of a personal data breach?

A personal data breach can have disastrous consequences for a company: it can seriously harm the company’s finances and reputation by enabling criminals to use the personal information to commit fraud and identity theft. Join our data protection team for a quick overview of how to protect your business.

Tuesday 30 April, 11:00 AM – 11:30 AM BST

Visit our events page to register: How do I protect my business in the event of a personal data breach?

Data breach solicitors

Data breaches are unfortunately a fact of life and can be a stressful experience. The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place to help with decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.

Our team can offer a reassuring hand, providing advice in the event of a data breach or an investigation by the ICO and guiding you through the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Data breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

It is a wide definition and covers more than just deliberate data breaches.

Data breaches cover a wide range of incidents. Some common examples include:

  • Sending personal data to the wrong email recipient
  • Sending emails to multiple recipients without using the ‘BCC’ function
  • Providing personal data following a phishing scam
  • Hacking of passwords, email accounts, networks and systems
  • Accessing personal data on lost laptops or mobile devices
  • Altering personal data without permission
  • Theft or loss of hard copy documents (such as printouts)

Not all breaches need to be reported. If the breach is likely to result in a risk to individuals’ rights and freedoms, it must be notified to the ICO. If there is a ‘high risk’ to individuals’ rights and freedoms, it will also need to be notified to the individuals whose personal data is affected.

Therefore, on becoming aware of a personal data breach, organisations need to take steps to contain the breach and assess the risks so a decision can be made on whether it needs to be reported to the ICO, individuals, or both.

Even if there is no obligation to report the breach, organisations must keep a record internally of all breaches that occur.

If a breach is notifiable to the ICO, it needs to be reported without undue delay and in any event within 72 hours of becoming aware of the breach.

Organisations must provide the following when reporting a breach to the ICO:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals and personal data records concerned;
  • the name and contact details of the data protection officer (if there is one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

Failing to notify a breach when required to do so can result in a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher.

However, the penalties for not complying with the data protection principles in the UK GDPR, including the requirement that you have appropriate security measures in place to protect personal data, can attract higher fines of up to £17.5 million or 4% of the annual global turnover.

The ICO also has other enforcement powers such as the power to issue enforcement notices and conduct audits.

Read, listen and watch our latest insights

  • 26 March 2024
  • Privacy and Data Protection

AI Podcast: AI and Data Security

In the third and final podcast in our ‘AI Podcast’ trilogy, members of the data protection team will be discussing how to use AI to process data safely. They will be looking closely at the risks for businesses and the types of data security protections you can put in place.

  • 26 March 2024
  • Privacy and Data Protection

Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries.

  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

  • 13 March 2024
  • Privacy and Data Protection

21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.

  • 05 March 2024
  • Privacy and Data Protection

How do I protect my business in the event of a personal data breach?

Don’t let your business fall victim to personal data breaches. Join Louise Keenan and Rebecca Dowle for a quick overview of how to protect your business.