Data breach solicitors in London and Thames Valley

 

Webinar: How do I protect my business in the event of a personal data breach?

A company may suffer disastrous consequences because of a personal data breach: breaches can seriously harm a company’s finances and reputation by enabling criminals to utilise personal information to commit fraud and identity theft. Join our data protection team for a quick overview of how to protect your business.

Tuesday 30 April, 11:00 AM – 11:30 AM BST

Visit our events page to register: How do I protect my business in the event of a personal data breach?

Data breach solicitors

Data breaches are unfortunately a fact of life and can be a stressful experience. The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place to help with decision-making about whether or not they need to notify the relevant supervisory authority, the affected individuals, or both.

Our team can offer a reassuring hand providing advice in the event of a data breach or investigation by the ICO and guide you through the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Data breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

It is a wide definition and covers more than just deliberate data breaches.

Data breaches cover a wide range of incidents. Some common examples include:

  • Sending personal data to the wrong email recipient
  • Sending emails to multiple recipients without using the ‘BCC’ function
  • Providing personal data following a phishing scam
  • Hacking of passwords, email accounts, networks and systems
  • Accessing personal data on lost laptops or mobile devices
  • Altering personal data without permission
  • Theft or loss of hard copy documents (such as print outs)

Not all breaches need to be reported. If the breach is likely to result in a risk to individuals’ rights and freedoms, it must be notified to the ICO. If there is a ‘high risk’ to the individuals’ rights and freedoms, then it will also need to be notified to the individuals whose personal data is affected.

Therefore, on becoming aware of a personal data breach, organisations need to take steps to contain the breach and assess the risks so a decision can be made on whether it needs to be reported to the ICO, individuals, or both.

Even if there is no obligation to report the breach, organisations must keep a record internally of all breaches that occur.

If a breach is notifiable to the ICO, it needs to be reported without undue delay and in any event within 72 hours of becoming aware of the breach.

Organisations must provide the following when reporting a breach to the ICO:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals and personal data records concerned;
  • the name and contact details of the data protection officer (if there is one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

Failing to notify a breach when required to do so can result in a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher.

However, not complying with the data protection principles in the UK GDPR, including the requirement that you have appropriate security measures in place to protect personal data, can attract higher fines of up to £17.5 million or 4% of the annual global turnover.

The ICO also has other enforcement powers such as the power to issue enforcement notices and conduct audits.
