Boddy Matthews

Personal data breach: What do I do?


What counts as a personal data breach?


A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It includes breaches arising from both deliberate and accidental actions.


How will I recognise / detect a personal data breach?


You will need to implement a data breach detection and response procedure. Ensure you have appropriate controls and security monitoring systems in place to flag up breaches. Keep your systems and servers up to date and perform regular cyber breach assessments. You may wish to appoint a data protection officer (DPO) to ensure compliance; in some circumstances you must appoint a DPO. Ensure everyone knows who the DPO is and what the key possible breaches to your business may be.


I have detected a breach, what do I do?


Once you have detected a breach, time is of the essence, so knowing how to respond quickly will be key. Implement a data breach response policy and ensure all employees, and the DPO if appointed, are familiar with it.

Assess the severity of the breach and whether it is likely to result in a risk to individuals’ rights and freedoms. In assessing the risk to rights and freedoms you will need to consider, on a case-by-case basis, the negative impacts the breach will or is likely to have.


If it is likely that there will be a risk then you must notify the ICO.


If it is unlikely to result in a risk to data subjects’ rights and freedoms then you don’t have to report it. You should document all decisions for later justification, whether or not you report the breach. This should be on an internal breach register.


The breach is likely to result in a risk to data subjects’ rights and freedoms, how do I report it?


You must report such breaches to the ICO without undue delay, but no later than 72 hours after becoming aware of the breach.


You must report the following information to the ICO:

  • the nature of the personal data breach, including the estimated number of individuals affected and the categories of records concerned;
  • the contact details of the data protection officer or other contact point;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to deal with the personal data breach.

Do I need to tell affected individuals about the breach?


If the breach is likely to result in a high risk to the rights and freedoms of individuals, then you must inform those concerned directly and as soon as possible. The ICO has provided guidance on how to assess a high risk.


What if I fail to report the breach?


Failure to report a breach when required to do so could result in:

  • A significant fine of up to 10 million euros or 2 per cent of your global turnover.
  • Negative reputational and brand damage.

Office Address

Boddy Matthews Limited
7-11 High Street
Reigate, Surrey
+44 (0) 1737 339838
