Data Breaches
What to Do If You Have a Data Breach
A calm, practical first-response plan for when personal data may have been lost, exposed, or stolen.
What you will learn
- What counts as a data breach
- The immediate steps to take
- When and how to notify the Commissioner and affected people
- How to learn from an incident
Overview
A data breach is one of the most stressful things that can happen to a business, but a clear plan turns panic into process. This module gives you a practical first response for when personal data may have been lost, exposed, or stolen.
Why this matters
How you respond in the first hours and days matters as much as the breach itself. A fast, organised response limits harm to the people affected and shows the Commissioner that you acted responsibly.
What counts as a breach
A breach is not only a dramatic cyberattack. It includes everyday incidents such as:
- a lost or stolen laptop, phone, or USB drive
- an email or letter sent to the wrong person
- a misconfigured system that exposes records
- a hack, ransomware, or unauthorised access by staff
The first steps
- Contain it. Stop the leak. Disable access, recover devices, take a system offline if needed.
- Assess the risk. What data, how many people, and how much harm could result.
- Record it. Log what happened, when you found it, and what you did.
- Notify if required. Tell the Commissioner and affected people where the Act requires it.
- Recover and learn. Fix the root cause and update your safeguards.
Notifying the Commissioner and individuals
Whether a breach must be reported depends on the risk it poses to the people affected. Where notification is required, report it without undue delay, and tell affected individuals where they need to take steps to protect themselves.
After the incident
- Carry out a simple root-cause review.
- Note the lessons and the changes you made.
- Update training and safeguards so the same thing cannot recur.
Common mistakes
- Waiting to "be sure" before starting containment.
- Failing to keep a record of the incident and your decisions.
- Treating the breach as closed once contained, without fixing the cause.
Best practices
- Have a short, written incident plan before anything happens.
- Keep a breach register, even for incidents you decide are not notifiable.
- Practise the plan so your team knows who does what.
Put this into practice
Work through a breach step by step, assess whether it is notifiable, and produce the records you need.
Use the Data Breach WizardFrequently asked questions
Key takeaways
- A breach is any loss, exposure, or unauthorised access to personal data.
- Contain it first, then assess the risk to the people affected.
- Notify the Commissioner and affected individuals where the Act requires it.
- Record what happened and what you changed, so it does not happen again.
