Data Breaches

What is a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

But what does this actually mean in practice?

  • Personal data
    • For the data protection rules to apply, the breach must relate to personal data as opposed to purely commercial data which does not relate to individuals.
  • Breach of security
    • The breach must be caused by a breach of security; not every instance of non-compliant processing counts (for example, a company that processes data without a privacy notice is breaching the data protection rules, but that does not in itself mean it has had a ‘personal data breach’). This links to the requirement that your organisation has appropriate technical and organisational measures in place to protect personal data.
  • Accident or deliberate
    • The breach can be caused by an accident (such as sending an e-mail to the wrong recipient) or a deliberate act which is unlawful (for example, allowing another organisation to access your CRM system without informing the relevant individuals).
  • Destruction, loss, alteration, disclosure or access
    • There are three main types of security breach, and a single incident can fall into more than one:
      • Confidentiality breaches (disclosure of, or access to, personal data): for example, providing personal information to someone who should not have access to it.
      • Integrity breaches (alteration of personal data): for example, data being changed without authorisation, or becoming corrupted.
      • Availability breaches (loss of access to, or destruction of, personal data): for example, paper records lost in a flood, or encrypted by ransomware, where there are no back-up copies.

What should you do if you suspect a personal data breach?

If you suspect a personal data breach (whether caused by you or someone else), you should know who to tell within your organisation – do you have a compliance team or someone who will be responsible for overseeing the management of the breach? The relevant persons must be told immediately.

Those responsible for managing the response to the breach should:

  • Contain, minimise and mitigate the breach, including making a recovery plan where relevant.
  • Preserve all evidence relating to the potential personal data breach.
  • Assess whether the ICO, data subjects or any other parties need to be notified – is it a notifiable breach? The ICO must be notified unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. If you are a consumer-based organisation, carefully consider the message you are issuing to your customers, supporters or clients.
  • Record the details of the personal data breach – this is a legal requirement. The record should cover the facts of the breach, its effects and the remedial action taken, and must be kept even for breaches which you decide are not notifiable.
  • Evaluate and share your learning within your organisation to ensure it does not happen again – make sure to update and fix any processes or systems which caused the breach.

How can we help?

Our Data Breach Response lawyers have extensive experience of assisting clients with various types and severities of data breaches – some of which have occurred on a cross-jurisdictional basis, and some of which have been caused by the organisation’s service providers.

Good governance

If you have a notifiable personal data breach, you have only 72 hours from becoming aware of the breach to inform the ICO; if notification is made later than that, it must be accompanied by the reasons for the delay. This means that your staff need to be able to act quickly, and a procedure outlining the process for dealing with a breach will assist with this. We regularly assist clients in preparing and implementing personal data breach policies and procedures within their organisations.

The best step in preventing a breach is to have appropriate security measures in place from the outset. This includes having in place good data governance by way of policies, procedures and training. We can help your organisation to identify what policies it needs, prepare and implement those policies, and provide tailored training sessions to staff on the meaning of those policies and how these operate in practice.

Assessing whether there has been a breach

We can assist you in understanding whether or not you have actually had a breach, or if it is instead a non-compliance issue.

For fast and effective assistance, our dedicated Data Breach Response Team can be contacted on 0300 303 1019.


Our specialist lawyers can assist you in evaluating whether the breach is notifiable to the ICO and in preparing the appropriate notification. We can also help you to understand whether the breach needs to be notified to affected data subjects, and to draft clear communications informing them of the breach.

We understand the need to strike the right balance and assure data subjects that your organisation is dealing with the breach while making sure you satisfy the legal requirements on the content of such notifications. We also find it is useful for clients to put together FAQ documents for customers and other affected data subjects to help manage the questions that data subjects may have following a breach.

  • "They are responsive and efficient, and there is a good depth of knowledge within the firm."
    Chambers UK Guide to the Legal Profession
  • MacRoberts LLP’s ‘excellent’ team is noted for its ‘quick turnaround time’ and ability to ‘deal with complex issues in an efficient manner’.
    Legal 500
  • "They are very good and very supportive - it feels like they are an extension of the business."
    Chambers UK Guide to the Legal Profession
  • "Let me thank you and your team for your time. Clearly, you present well, show mastery of your subject area and think on your feet."
    Major US Law Firm
  • "Their standards have been excellent - they are responsive and know the legal solutions but also the commercial considerations."
    Chambers UK Guide to the Legal Profession

Data Protection & Cyber Security

Cyber security and the key changes introduced by the GDPR and the UK Data Protection Act 2018 affect almost all businesses. Our online hub contains a wealth of information and insights on what your business should be doing to ensure full compliance with the law.