How can we help?

Privacy and Data Protection

Data breach lawyers in London and Thames Valley


Data breaches are unfortunately a fact of life and can be a stressful experience. The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place to help with decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.

Our team can offer a reassuring hand providing advice in the event of a data breach or investigation by the ICO and guide you through the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Data breaches

A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data breaches cover a wide range of incidents. Some common examples include:

  • Sending personal data to the wrong email recipient
  • Proving data following a phishing scam
  • Hacking of passwords, email accounts, networks and systems
  • Accessing personal data on lost laptops or mobile devices
  • Theft or loss of hard copy documents

All data breaches must be recorded by the controller, but only breaches which are likely to result in a risk to individuals’ rights and freedoms must be proactively notified to the ICO and only high risk breaches must be proactively notified to the individuals whose personal data is affected which must be assessed on a case-by-case basis and will be dependent on whether such individuals are likely to suffer harm as a result of the data breach.

The penalties for not complying with the data protection principles in UK GDPR law includes fines of up to £17.5 million or 4% of a company’s total worldwide annual global turnover.

Failing to notify a breach when required to do so can result in administrative fines of up to £8.7 million or 2% of annual global turnover, whichever is higher.

When deciding whether to make a report, you must consider the risk to the individual including the nature of the personal data, the severity of the breach, the possible consequences for the individual.

A data breach should be reported without undue delay (if it meets the threshold for reporting) and within 72 hours of becoming aware of the breach.

Key contacts

Read, listen and watch our latest insights

  • 19 September 2023
  • Privacy and Data Protection

Organisations’ use of social media: Data protection

Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity.

  • 22 August 2023
  • Privacy and Data Protection

Overview of Data Subject Access Requests

In recent months, we have witnessed a series of high-profile data breaches that have brought data protection issues to the forefront of the public’s mind and with this comes an increase in Data Subject Access Requests (DSARs).

  • 16 August 2023
  • Privacy and Data Protection

PSNI and Electoral Commission Data Breach

Both the UK Electoral Commission and the PSNI, announced serious data breaches. This article looks at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

  • 09 August 2023
  • Privacy and Data Protection

Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

  • 27 July 2023
  • Privacy and Data Protection

Nigel Farage v NatWest: When you can’t bank on data protection?

If you have seen the headlines recently, you will have read that NatWest CEO Dame Alison Rose has resigned from her position following the row over Nigel Farage’s bank account and the disclosure of his banking data.

  • 21 July 2023
  • Privacy and Data Protection

What will happen if the Metaverse comes to life?

Metaverse talk has seemingly died down when just a few months ago it was a popular topic on the internet. This is no surprise since Mark Zuckerberg – the CEO of Meta Platforms, formerly ‘Facebook’ – has stopped discussing the Metaverse after a period of actively promoting it.