Global menu

Our global pages


Breach Management Post GDPR

  • United Kingdom
  • Technology, Media and Telecoms - General


One of the areas of the new General Data Protection Regulations 2016 (“GDPR”) (and the forthcoming new Data Protection Act) that causes businesses the greatest concern is the imposition of the new legal obligations relating to Personal Data Breaches; i.e. any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Failure to comply with these obligations could expose a Data Controller (the organisation controlling the processing of personal data), and now Data Processors (organizations processing personal data on behalf of a Data Controller) to a risk of enforcement action, including potentially substantive fines and possible claims for compensation or damages.

The Article 29 Working Party (the collective group of Data Protection Supervisory Authorities, including the United Kingdom’s Information Commissioner) has published its draft Guidelines on Personal Data Breach notification, which sets out its initial position in respect of breach notification.

Current position

Under the existing Data Protection Act 1998, there is no obligation to notify either the supervisory authority, which in the UK is the Information Commissioner’s Office (“ICO”) or any individual who may be impacted by a Personal Data Breach.

From 25 May 2018, the GDPR imposes obligations on both Data Controllers and Data Processors to report Personal Data Breaches without “undue delay”. However, what is reported and to whom differs dependant who has knowledge of the breach.

Data Processors

Data Processors are required to notify the Data Controller of any Personal Data Breach without undue delay after they become aware of the breach. This extends to any Personal Data Breaches, irrespective of whether or not the breach would, or would be likely to, result in damage to the individuals the personal data relates to. This would also include “near misses” i.e. situations where a personal data breach has been contained without exposing any individuals to a risk of harm, such as misdirected emails or attachments, where the recipient has agreed to delete the only copies of the email.

Data Controllers

Data Controllers in the UK are required to notify the ICO of any high risk breach and provide details within 72 hours of becoming aware of it. However, the Guidelines now provide that, where the breach arises from the actions of a Data Processor, the 72 hours will normally commence once the Data Processor becomes aware that a breach has occurred .

Where the breach is a “near miss”, i.e. the breach is unlikely to result in a risk to individuals, there is no obligation on a Data Controller to notify the supervisory authority. However, when considering whether the “near miss” amounts to a risk to individuals, consideration needs to be made, not just as to the impact of any loss or damage to the data, but also any temporary impact. The Guidelines given as an example, medical information in a hospital being made unavailable, even on a temporary basis, and the impact on the patients of their personal data being unavailable, even for a short period of time.

The Guidelines also suggests that there may also be situations where a breach has occurred, was deemed not to amount to a high risk, at the time the breach occurred, e.g. where the information was held on encrypted media, but subsequently, the security on the media has been circumvented or “cracked”. This position poses a number of problems, including the bureaucracy of retaining, indefinitely, detailed records in respect of all security measures used to protect any personal data, not just by the Data Controller but also by any Data Processor, in relation to any low risk Personal Data Breach, and the problems in investigating further the events giving rise to the Personal Data Breach once it a potentially a “high risk” breach. This could be further complicated if any Data Processors involved no longer hold records, or even exist, when the security has been rendered ineffective.

Breach management

When handling any breach, there are a number of key elements, including:-

  • Reporting - Is there a clear and defined channel/ and processes to manage a report of an actual or suspected data breach.

Notwithstanding the breach reporting requirements, it is important to have a clear breach management process in place, both in terms of ensuring that

o staff and Data Processors are able to easily report any suspected data breaches,

o details of any serious breach are escalated to senior management, together with sufficient information to allow them to make decisions in respect of the breach.

For Data Processors, whilst the GDPR places an obligation to notify the Data Controller promptly, the sooner the Data Controller is notified of a breach, the sooner it can implement measures to contain the breach, and thus reduce the potentially increasing liability.

  • Verification – has a breach occurred, if so, how?

It is important not just to identify whether the breach has or is occurred, but also to plan measures to contain or mitigate the suspected breach, that can be implemented either immediately or once the breach has been confirmed.

  • Containment – is the breach ongoing?

Are there any steps that can be used to stop the breach continuing? However, before containing the breach, it may be useful to take specialist advice as to whether this may hinder the identification of the cause of the breach or the apprehension of the offenders.

  • Mitigation – what can be done to limit the impact of the breach?

This relates not just in respect of the individuals whose data has been placed at risk, but also the continued operation of the business.

The breach management process should be able to draw in key personnel and senior managers, not just in legal and IT (including any Data Protection Officer) but also in PR/Communications and any operational units potentially impacted by the breach or any attempts to contain the breach. Where the breach has arisen as a result of the (in)actions of a Data Processor, the contract manager, and possibly a representative of the Data Processor should also be involved.


Once it has been established that a Data Breach has occurred, the ICO should be notified of the breach, together with any relevant information that has been gleaned as to the causes and potential impact of the breach.

If there is insurance cover, it may require that the insurers are promptly notified of the potential breach, as they may wish to have some input into the breach management process.

If there is a suspicion that the breach was the result of a criminal activity, it would also be appropriate to inform the police at this point in time.

What should be in a report?

Under the GDPR, the Data Controller is required to provide the following information to the Supervisory Authority:-

  • a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • the name and contact details of the relevant Data Protection Officer or contact point;
  • the likely consequences of the data breach; and
  • measures taken or proposed by the controller to address the breach and/or mitigate its effects. This will include, if held, any evidence that Data Protection by Design and Default methodology was used during the development and implementation processes.

It is unlikely that all this information will be available within the 72 hours. In which case, the Supervisory Authority should be provided with the information as and when it is available, rather than delaying the report of the breach until all the information has been gathered.

A failure to notify the Supervisory Authority within the 72 hours, without a good reason, could expose the Data Controller to fines of up to the greater of 2% of global annual turnover for the preceding financial year of €10million.

Costs of a breach

An assessment should be undertaken, as soon as possible, as to the potential scope and damage caused by the breach, not just in terms of volume and types of information at risk, but also the potential damage the breach could cause the data subjects. This, in turn, will give an indication as to the potential liability that the breach could cause.

The impact of a data breach will potentially include:-

  • Fines of up to the greater of 4% of global annual turnover for the preceding financial year or €20 million in relation to the breach;
  • Civil claims for damages arising from the breach.
  • Costs incurred in mitigating the breach; and
  • Damage to brand/reputation.

Notifying data subjects

The GDPR also places a general obligation to notify individuals about the breach without undue delay, if the breach is likely to result in a high risk.

If there are ongoing investigations, it is may be reasonable to delay going public until these are sufficiently progressed, but it is important to ensure that the Supervisory Authority is aware of the reasons why the individuals affected by the breach are not being notified immediately.

There is also a risk of further reputational damage if the delay in notification is excessive, either from the date the breach commenced or the date the organisation became aware of the breach, unless there are extenuating circumstances that justify the delay, such as where the disclosure would jeopardise a criminal investigation.


When dealing with a breach, it is important to have prepared for it, both in terms of implementing adequate data security measures to tried prevent it, as well as having clear and defined processes to manage the breach and reduce the impact on the individuals who may be affected by it.