Data breach lawyers in London and Thames Valley
Data breaches are unfortunately a fact of life and can be a stressful experience. The UK GDPR requires organisations to have robust breach detection, investigation and internal reporting procedures in place, so that they can decide whether they need to notify the relevant supervisory authority, the affected individuals, or both.
Our team can offer a reassuring hand providing advice in the event of a data breach or investigation by the ICO and guide you through the process.
“Very professional, knowledgeable and accessible lawyers.”
Chambers and Partners
FAQs – Data breaches
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Data breaches cover a wide range of incidents. Some common examples include:
- Sending personal data to the wrong email recipient
- Providing data following a phishing scam
- Hacking of passwords, email accounts, networks and systems
- Accessing personal data on lost laptops or mobile devices
- Theft or loss of hard copy documents
All data breaches must be recorded by the controller, but only breaches which are likely to result in a risk to individuals’ rights and freedoms must be proactively notified to the ICO, and only high-risk breaches must be proactively notified to the individuals whose personal data is affected. This must be assessed on a case-by-case basis and will depend on whether the individuals concerned are likely to suffer harm as a result of the data breach.
The penalties for not complying with the data protection principles in UK GDPR law include fines of up to £17.5 million or 4% of a company’s total worldwide annual turnover.
Failing to notify a breach when required to do so can result in administrative fines of up to £8.7 million or 2% of annual global turnover, whichever is higher.
When deciding whether to make a report, you must consider the risk to the individual, including the nature of the personal data, the severity of the breach and the possible consequences for the individual.
A data breach should be reported without undue delay (if it meets the threshold for reporting) and within 72 hours of becoming aware of the breach.