Personal Data Breach Response

Help when you need it most

Organisations of all types and sizes are affected by Personal Data Breaches and incidents affecting the personal data they hold. Most do not involve large scale cyber incidents and size is no indicator of the seriousness with which you are expected to handle them. The GDPR introduced strict rules on the logging, assessment and reporting of breaches requiring organisations of every size to contact the ICO (and potentially affected individuals) about reportable breaches within 72 hours.


Every member of your staff needs to understand what constitutes a personal data breach and how to react when they observe an event which may constitute or lead to one. While IT security measures are a part of this, the loss of a laptop, a misdirected email or the loss of paper documents are all events which need to be treated under your Personal Data Breach process.


Once a Personal Data Breach has been identified you need to be able to carry out an assessment of the risks to the individuals affected. This assessment needs to consider a number of areas including the way the breach occurred, the data involved and the potential impact on the people affected. It must be conducted in timely manner in order to decide whether a formal report needs to be made to the ICO.

Logging & Reporting

Not every personal data breach needs to be reported to the ICO or the individuals affected but all need to be logged with sufficient detail to demonstrate the process you went through and why the decision not to report was made. If you do make the decision to report to the ICO, you will need to provide information about what happened, the steps you have taken and the risks you have identified to the people affected. The ICO will expect you to have made the decision - based on your assessment of the risks - about whether or not to inform the individuals affected. Not being able to do so will reflect poorly on the systems and controls you have in place.

Our Solution

Our Personal Data Breach Response managed privacy service ensures you are able to act quickly and effectively to assess incidents affecting personal data.

We operate on a retainer basis which offers you the best possible response time 24 hours a day. We will help you formulate a response plan covering areas such as:
- Staff training & awareness
- Defining the stages of an incident
- Internal reporting methods
- Creation of an Incident Response Team
- Investigation & classification
- Mitigation steps
- Access to Data Protection expertise
- Assessment of the risks to individuals
- Methods to log incidents
- Review of incident logs
- Liaison with the ICO
- Remedial action to processes
By having us in place before an incident happens you will have the reassurance that, should the worst happen, you will be able to respond and have ready access to Data Protection expertise rather than having to find it in the middle of a crisis. Our onboarding process ensures we have the understanding of your organisation needed to respond as soon as we are made aware of an incident. Your IT and operational teams will then be able to focus on their specialisms while we work with them on the Data Protection impacts.

Tell us how we can help

How it works

Our main role in your breach response is to carry out an assessment of the risks to the individuals affected by a personal data breach. We have developed a proprietary risk scoring methodology based on commonly accepted principles. This is then used to inform a recommendation as to whether the breach needs to be reported to the ICO and the affected individuals. We ensure that all incidents involving personal data receive appropriate treatment and review - crucially including those which may fall outside your IT security policy's definition of an incident. We help you maintain your logs of personal data incidents, reviewing them on a regular basis and helping to ensure necessary changes are embedded into your policies and processes.
  • 24/7/365 telephone line answered in your company name.
  • direct access to skilled personnel.
  • time spent and fixed cost options.
  • independent review and assessment of your DPIA.
The number of people whose sensitive details were accidentally exposed in an email by Surrey County Council leading to a fine of £120,000.

ICO Guidance on sending personal data by email

Test us out for free

Have a question about responding to a Personal Data Breach you would like answered? Book a free 30 minute online meeting with one of our qualified staff or submit a ticketed query about an incident you are currently dealing with (office hours only).