
Data breach lawyers in London and Thames Valley


Data breaches are unfortunately a fact of life and can be a stressful experience. The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place to help with decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.

Our team can offer a reassuring hand providing advice in the event of a data breach or investigation by the ICO and guide you through the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Data breaches

A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data breaches cover a wide range of incidents. Some common examples include:

  • Sending personal data to the wrong email recipient
  • Providing data following a phishing scam
  • Hacking of passwords, email accounts, networks and systems
  • Accessing personal data on lost laptops or mobile devices
  • Theft or loss of hard copy documents

All data breaches must be recorded by the controller. Only breaches that are likely to result in a risk to individuals’ rights and freedoms must be proactively notified to the ICO, and only high-risk breaches must be proactively notified to the individuals whose personal data is affected. Risk must be assessed on a case-by-case basis and depends on whether the individuals concerned are likely to suffer harm as a result of the data breach.

The penalties for not complying with the data protection principles in UK GDPR law include fines of up to £17.5 million or 4% of a company’s total worldwide annual turnover.

Failing to notify a breach when required to do so can result in administrative fines of up to £8.7 million or 2% of annual global turnover, whichever is higher.

When deciding whether to make a report, you must consider the risk to the individual, including the nature of the personal data, the severity of the breach and the possible consequences for the individual.

A data breach should be reported without undue delay (if it meets the threshold for reporting) and within 72 hours of becoming aware of the breach.

Read, listen and watch our latest insights

  • 04 December 2023
  • Privacy and Data Protection

The UK-US data bridge for transfers of personal data – Melanie Pimenta writes for Business Voice magazine

In Business Voice magazine, Melanie Pimenta, Senior Solicitor at Clarkslegal writes that transferring data can be a tricky business and the risks of getting it wrong can be costly both reputationally and financially.

  • 21 November 2023
  • Privacy and Data Protection

Privacy matters: How the 8 data subject rights protect personal data

In this guide we explore the 8 data subject rights under the UK GDPR and discover how they play a vital role in preserving your organisation’s privacy standards in an increasingly interconnected world.

  • 21 November 2023
  • Privacy and Data Protection

Overview of Data Subject Access Requests

In recent months, we have witnessed a series of high-profile data breaches that have brought data protection issues to the forefront of the public’s mind and with this comes an increase in Data Subject Access Requests (DSARs).

  • 17 November 2023
  • Corporate and M&A

Should AI delete humans out of the legal sphere?

AI could potentially streamline routine legal tasks. However, there are consequences to consider when it comes to AI in the legal sphere.

  • 15 November 2023
  • Privacy and Data Protection

Can an employer monitor employees at work?

This raises the question of whether an employer can lawfully monitor an employee, without their knowledge, if they suspect wrongdoing.

  • 30 October 2023
  • Privacy and Data Protection

New UK-US data bridge for transfers of personal data

A new data bridge, which is an extension of the EU-US Data Privacy Framework (“the DPF”), will enable UK businesses to transfer personal data to certified US organisations without the requirement of having the usual safeguards in place or performing a transfer risk assessment.