If you process employee, customer or indeed anyone’s personal data, then you must take steps (known as organisational and technical measures) to keep it safe, i.e. confidential, free from loss or damage, and available for use when needed.

However, despite your efforts there may well come a time when you suffer a personal data breach. It’s important to recognise when a breach has occurred and to know what to do.

GDPR defines a breach as “a breach of [your] security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Some examples are:

  • Sending an email containing someone’s personal information to the wrong person.
  • Leaving someone’s personal information on a photocopier where other people can see it.
  • Leaving a voice mail containing personal information about someone with the wrong person.
  • Losing an unencrypted computer.
  • Losing access to personal data following a ransomware attack.
  • A file of papers going up in flames or being destroyed by flood.
  • Selling on a computer without properly erasing the personal data on its hard drive.
  • Hackers gaining access to the HR part of your computer network.

All breaches should be documented, but not all need reporting to the Information Commissioner’s Office (‘ICO’) or to the individual whose data it is. You need to assess the level of risk of harm to the individual as a result of the breach in security. If you do need to report, you must do so without delay and no later than 72 hours from discovery of the breach.

If you fail to report to the ICO or to notify the individual when you ought to, then you can be fined by the ICO.

Even if you do report, you may still be fined, although it is more likely that you will be told to improve your security practices and how to do so. If you keep having breaches, the ICO may decide to pay you a visit to conduct a security audit.

Breaches and ICO audits are a pain (although with audits some good can come of them).

If you need help to avoid a breach, or you have had one, contact me.

David Campbell

www.dpa-ok.co.uk

20 January 2021