Data breach response plan: hints and tips

If you experience a data breach, time is of the essence. Firstly, you should consult with your data protection officer to confirm whether there is a reporting obligation. If it is a reportable breach as defined within the UK GDPR, you have 72 hours to inform the appropriate supervisory authority (the Information Commissioner's Office (ICO) in the UK). Our data breach response plan will guide you through the steps to take when you identify a breach.

The most important points to consider are: 

  • Plan a clear data breach response - it saves time and effort. 
  • Identify whether it is a personal data breach and whether it is reportable. 
  • Promptly discuss possible mitigation measures with your data protection officer (DPO). 
  • Review all the steps outlined in the example process below.
  • Decide whether you need to notify the ICO. 
  • Finally, if deemed significant, notify the affected individuals. 

Actions to take in the event of a data breach: sample process 

If you notice or even suspect a data breach, you should act quickly – if you don’t, the consequences for your company may be extensive. Fines and reputational damage are possible outcomes. Therefore, it makes sense to follow a proven process to create your data breach response plan.  

Step 1: Contact your data protection officer 

The first point of contact in the event of a data breach is your DPO. Provide as much detail about the breach as possible so that he or she can help you assess the damage and identify the next steps. 

If your company does not have a DPO, for example, because it is not mandatory for you due to the size of the company or industry, you can get information and guidance from the ICO’s website.

We give a basic overview about a data protection officer in this blog

Step 2: Review the case 

The UK GDPR does not require you to report every breach. Before you decide whether the breach is reportable, you need to review the facts in detail to identify the level of risk to the rights and freedoms of the data subjects. Whilst every data breach will involve a risk, the deciding factor in whether to report it is determined by the level of that risk, for example, low, normal or high. Your data protection officer will help you assess these risks. 

Low risk

Examples of low risks include:  

  • the loss of a storage medium that contains personal data but is encrypted, for example, where the storage is password protected. (Here you can find information about backup and data recovery)
  • a letter sent incorrectly but returned unopened to your address.  
  • the loss of an internal company list containing employees' private phone numbers. 

Normal to medium risks

Normal to medium risks include, for example, newsletters that have been sent with all recipients' email addresses clearly visible. Although the group of people here is usually extensive, the disclosure of email addresses may be less sensitive than, for example, the forwarding of bank details.

High risks

Personal data, such as medical diagnoses or bank details, can have extensive consequences for the data subjects if viewed by third parties. Data breaches in connection with such sensitive information should be classified as "high".

Summary: check what specific data has been lost and how many people are affected by the data breach. The more extensive the loss, the more sensitive the information and the larger the group of people affected, the higher the risk.


Step 3: Implement mitigation plans 

As soon as you understand the situation, you should implement risk mitigation actions as best you can. For example, if you have lost access to data for internal servers, you should change the passwords immediately. If security gaps in the system allow a hacker attack to succeed, you should contact your IT specialist and eliminate the risk. 

Another useful tool to have prepared in advance of a data breach is a list of actions to take and information to collect. You can consult this in an emergency to make sure you gather the relevant details and can make the correct decisions on further preventative measures. Include the relevant people to contact in case of an emergency, for example in IT Security, so that you and your employees can react quickly in case of doubt.

Step 4: Notify the ICO 

Where a data breach is deemed to have normal to medium risks or high risks, the ICO must be informed. You have 72 hours from the moment you become aware of the breach to notify the authority. Whilst you might not notify the authority for a low-risk breach, you should still take measures to avoid similar cases in the future.  

Tip: If you cannot respond within 72 hours for compelling reasons, you must include a justification for the delay with your notification. If this is understandable (for example, because you were busy taking countermeasures to mitigate the damage), you will generally not face additional penalties for the failure to report on time. 

A good data breach response plan will include a sample notification to the supervisory authority. In it, you should be able to enter what exactly has happened, how many people are likely to be affected, what measures will be taken and what the possible consequences are. You should also include the contact details for your DPO. 

Step 5: Notification of data subjects 

Data subjects must be informed if you have identified a high risk to the individual freedoms or personal rights of the people affected. This could be, for example, the unauthorised disclosure of bank details or health data.

Data subjects do not usually have to be notified if, for example, you have lost data on encrypted storage media that is not accessible to third parties. The obligation to notify data subjects may also not apply if you have prevented high risks to the rights and freedoms of individuals by implementing risk prevention measures during the breach. 

Step 6: Future considerations 

If you see alarm bells that indicate unauthorised persons are trying to access internal systems, re-evaluate the risk likelihood criteria and update the mitigation controls to further prevent this from becoming a reality.

Identify potential data mishaps and review how you can prevent these. For example, are storage media or the data saved on them encrypted? If not, you should consider implementing such precautions.

Do your employees know how to report an actual or suspected data leak? If there is no DPO, your company should at least have a central point of contact for security and data protection issues. This person will help you review ongoing data protection measures and implement the breach action plan when required. 

Conclusion: Mastering data breaches with confidence 

When a data breach is suspected or discovered, you must act quickly. We have created a template that includes actions to follow in the event of a breach. You also have access to a qualified data protection officer who is available to advise you throughout the process. Together with the DPO, you can take preventative measures to avoid data breaches in the future and maintain your company’s reputation. Active communication of your data protection measures to your customers and partners demonstrates that your company is professional and trustworthy.


About the author

Ren Watson

As a results-focussed analyst, Ren has worked in many industries including finance, charity and start-ups and became interested in data protection as a focus over the last decade. Using her analyst skills alongside her data protection expertise, she has consulted with charity, media and energy companies to understand their data protection requirements and has provided guidance and support for implementation of multiple privacy programmes. Today, she provides multi-functional support and awareness within DataGuard and to clients to promote privacy beyond compliance.
