A short guidance note explaining the GDPR obligations on businesses in the event of a data breach and containing a link to a template Data Incident Policy.

What does the law require?

The GDPR introduces new requirements regarding data breaches. A data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data or getting hacked.

Broadly speaking, subject to some exceptions, where your agency is acting as a “data controller”, you must notify the ICO without undue delay, and in any event within 72 hours of becoming aware of a data breach. Again subject to certain exceptions, individuals may also need to be informed without undue delay for particularly high risk breaches.

Where your agency is acting as a “data processor”, the GDPR requires your agency to inform the client (i.e. the data controller) about a data breach without undue delay (and assist the client in compliance with its obligations regarding data breach notification).

What do you actually need to do?

You will need to check your procedures and determine how you would handle a data breach if one were to occur. You should consider whether you need to revise your procedures and make any changes. This will help you to make a decision about whether you need to notify the ICO, the client, or the relevant individuals in the event of a data breach.

In light of the tight timescales for reporting a data breach, it is important to have robust breach detection, investigation and internal reporting procedures in place. If your agency does not have any policies in this area, it is important that they are created and periodically reviewed and updated as necessary to ensure they are effective and meet your agency’s requirements.

It is also important that the policies are actually implemented within your agency. The relevant personnel must be actively made aware of the policies, trained on the requirements, and required to comply. You should make sure that your staff understand what constitutes a data breach, and that this is more than just a loss of personal data (for example it could include where personal data are sent to the wrong recipient).

How can the IPA help?

The IPA has produced a template Data Incident Policy for agencies to use as part of the development and rolling-out of agencies’ own internal data protection policies and procedures. The Policy explains how to identify actual and suspected data breaches, and sets out a process to respond quickly and appropriately to such incidents.

Please note that the Data Incident Policy is intended as an example and to be used as a starting point only. It is not intended to be comprehensive or a finalised policy and will not, by itself, guarantee that your agency achieves full compliance with the GDPR. It is critical that you thoroughly review the Data Incident Policy and customise it to fit your agency’s business before rolling it out internally within your agency.

The Data Incident Policy is designed to work in conjunction with the other policies referred to in this Guidance as well as any other policies and procedures your agency may have. The Policy includes highlighted guidance notes and square bracketed words – these should be addressed and eventually removed as part of the implementation of the Policy. The Policy also includes some background guidance notes in red at the start of the document, these red notes should also be removed as part of the finalisation of the policy.

Last updated 01 May 2024