21/4/2026 | 9 min read

A business leader's guide to incident management

When a data breach occurs, knowing what (and what not) to do is critical, especially in the first 72 hours. This guide will help ensure you’re fully prepared if the worst should happen.

If you discover a data breach, the next 72 hours are critical. The actions you take, and the order in which you take them, will determine the extent of the financial, regulatory, and reputational consequences that ensue. But it’s not a time for panic; it’s a time for careful planning. This guide provides an overview of your duties under the relevant legislation, the applicable deadlines, and the key steps to follow (always in conjunction with qualified legal advice).

What are our obligations when a data breach occurs?

When a GDPR breach occurs – a spreadsheet sent to the wrong person, a stolen laptop, or a phishing attack – the law imposes several core duties on your organisation:

Duty to assess
Once you discover a breach, your first legal duty is to assess the potential risks it poses to the individuals whose data is affected (e.g., identity theft, financial loss, or distress).

Duty to notify the regulator
If the breach is likely to result in a risk to the rights and freedoms of individuals, you are legally required to report it to the Information Commissioner’s Office (ICO) no later than 72 hours after becoming aware of it.

Duty to inform individuals
If the breach is likely to result in a "high risk" to individuals, you must also inform the affected people directly and "without undue delay." This is to allow them to take steps to protect themselves.

Duty to document
Whether or not you are required to report the breach, you must document it internally. This record should detail the facts of the breach, its effects, and the remedial action you've taken.

Common myths around GDPR and data breaches

There are a few common misunderstandings about the rules the Information Commissioner’s Office sets for businesses to follow when responding to a data breach. Let’s deconstruct them.

Myth: We’ve just discovered a breach that happened 48 hours ago. We only have 24 hours to respond.

Reality: The clock doesn’t start ticking from the time the breach happens. It starts when you have a "reasonable degree of certainty" that a security incident has occurred that has led to personal data being compromised.

Example: A web server is hacked at 4 am on Sunday, allowing access to customers’ personal data. You are made aware of this when a systems administrator reviews the logs at 10 am on Monday and calls you to report the issue. The 72-hour deadline, therefore, expires at 10 am on Thursday.

Myth: We’re obliged to report any data loss or breach to the ICO, or we could face a fine.

Reality: You’re not required to report every data breach to the ICO. The threshold for mandatory reporting is if the breach is "likely to result in a risk to the rights and freedoms of individuals." However, you may wish to seek expert legal advice if you’re unsure whether a breach meets this threshold.

Example: A lost, encrypted company mobile phone might not be reportable. A customer database leaked on the dark web almost certainly is.

Myth: There’s no way we can gather all the information we need in three days – our response will be late.

Reality: You don't need to provide a complete forensic report within the initial window. The ICO allows for an initial notification within 72 hours, followed by more detailed information in phases as your investigation progresses.

Example: You submit an initial notice within 72 hours with the basics: what happened, what data may be affected, DPO contact, and immediate steps – flagging it as preliminary and giving a reasonable date when you’ll follow up with more comprehensive information.

What are the potential costs of a data protection (GDPR) breach?

When a data breach occurs, the immediate focus is often on the technical fix. However, the financial impact on a business is far broader and can be felt long after the initial incident is contained.

You could face substantial fines

For the most serious violations, the ICO can impose fines of up to £17.5 million or 4% of your company's global annual turnover, whichever is higher.

You may be liable for compensation claims

Individuals affected by a breach may have the right to claim compensation for both material damage (e.g., financial loss) and non-material damage (e.g., distress).

You can incur significant legal and remediation fees

Costs can include fees for specialist advice, IT forensics to investigate the breach, PR firms to manage communications, and the cost of setting up services like credit monitoring for affected individuals.

Data protection terms in plain English

Term: what it means

Data Controller

The organisation that decides why and how personal data is processed. The controller has ultimate responsibility for complying with data protection law. Your business is the controller for its customer and employee data.

Data Processor

A separate organisation that processes personal data on behalf of a data controller. Common examples include payroll providers, cloud storage services (Microsoft OneDrive, Google Drive, Proton Drive), or email marketing platforms.

DPIA (Data Protection Impact Assessment)

A formal risk assessment used to identify and minimise the data protection risks of a new project, system, or technology. A DPIA is legally required for any processing that is likely to result in a high risk to individuals.

ICO (Information Commissioner's Office)

The UK's independent regulatory body responsible for upholding information rights. The ICO investigates data protection complaints, enforces the UK GDPR, and has the power to issue significant fines.

Personal Data

Any information that relates to an identifiable living individual. This includes obvious identifiers like a name or email address, but also less direct ones such as an IP address, work ID number, or location data.

Personal Data Breach

A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes everything from a cyber-attack to sending an email to the wrong recipient.

ROPA (Record of Processing Activities)

A detailed internal record that most organisations are required to keep, documenting their data processing activities. It acts as a data map, detailing what data you process, why you process it, who you share it with, and your retention periods.

Special Category Data

A specific type of sensitive personal data that requires a higher level of protection due to the risk involved. It includes information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, and biometric data.

SAR (Subject Access Request)

A formal request from an individual to an organisation asking for a copy of the personal data it holds about them, along with other supplementary information. Organisations typically have one month to respond.

UK GDPR (United Kingdom General Data Protection Regulation)

The primary data protection law in the UK. It sets out the main principles, rights, and obligations for how organisations must handle personal data.

What does UK law say about data breaches?

In the UK, the rules for handling data breaches are primarily set out in two key pieces of legislation: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Together, they establish a clear framework of responsibilities for businesses.

Legally, a 'personal data breach' is more than just a cyber-attack. It's defined as any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers everything from a sophisticated ransomware attack to an employee sending an email to the wrong person or leaving a company laptop on a train.

Need legal advice on a data breach you’ve discovered?

Contact Complex Law

Quick Quiz

How much did you learn about this topic?


1. Your business discovers a ransomware attack at 9 am on Friday. When is the 72-hour deadline to notify the ICO (if required)?

a) By the end of business on Tuesday.
b) By 9 am on Monday.
c) Within 72 working hours.
d) There is no deadline.

Answer: b) By 9 am on Monday.

2. An employee accidentally sends a spreadsheet of customer names and email addresses to the wrong recipient. Is this a personal data breach?

a) Yes, it's a breach of confidentiality.
b) No, because it was an accident.
c) No, because no financial data was lost.
d) Only if the recipient opens the email.

Answer: a) Yes, it's a breach of confidentiality.

3. What is the most important document to start immediately after discovering a potential breach?

a) A press release.
b) An insurance claim form.
c) A letter to affected customers.
d) An incident log.

Answer: d) An incident log.
