Lesson 04intermediateKnowledge

Data Breaches

72 hours. Know what to do before the clock starts.

Overview

A data breach can happen to any organisation. The difference between a manageable incident and a regulatory disaster is often how quickly and correctly you respond. Answer the five questions below as if you might be the person who receives the breach report at 4pm on a Friday.

Read before you answer

A personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This is broader than most people initially assume: it includes not just malicious external attacks, but accidental incidents β€” a misdirected email, a lost unencrypted USB drive, a file shared with the wrong person β€” as well as internal incidents such as an employee accessing data they are not authorised to see, or a system failure that corrupts personal data. The legal obligations triggered by a breach depend on the risk level: not every breach requires notification, but every breach requires documentation.

When a breach is discovered, the controller must assess its likely risk to individuals' rights and freedoms. If the breach is unlikely to result in any risk, it should be documented internally but no notification is required. If the breach is likely to result in a risk, it must be reported to the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware β€” not within 72 hours of the breach itself occurring, but from when the organisation becomes aware. Partial notifications are acceptable if not all information is available within 72 hours, provided the outstanding information is submitted without further undue delay. If the breach is likely to result in a high risk to individuals β€” their rights, finances, health, safety, or reputation β€” then the affected individuals must also be notified directly, without undue delay.

The content of a supervisory authority notification must include: a description of the nature of the breach and the categories and approximate number of individuals and records affected; the contact details of the data protection officer or other contact point; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects. Regardless of whether the breach meets the notification threshold, it must be documented in an internal breach register. This register serves two purposes: it provides evidence of the organisation's awareness and response process, and it enables the supervisory authority to assess whether the organisation is systematically identifying and managing breaches correctly.