Data Breaches

What to Do If You Have a Data Breach

A calm, practical first-response plan for when personal data may have been lost, exposed, or stolen.

Intermediate 14 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What counts as a data breach
  • The immediate steps to take
  • When and how to notify the Commissioner and affected people
  • How to learn from an incident

Overview

A data breach is one of the most stressful things that can happen to a business, but a clear plan turns panic into process. This module gives you a practical first response for when personal data may have been lost, exposed, or stolen.

Why this matters

How you respond in the first hours and days matters as much as the breach itself. A fast, organised response limits harm to the people affected and shows the Commissioner that you acted responsibly.

What counts as a breach

A breach is not only a dramatic cyberattack. It includes everyday incidents such as:

  • a lost or stolen laptop, phone, or USB drive
  • an email or letter sent to the wrong person
  • a misconfigured system that exposes records
  • a hack, ransomware, or unauthorised access by staff
Note. If personal data has been lost, exposed, altered, or accessed without authorisation, treat it as a potential breach and start your process.

The first steps

  1. Contain it. Stop the leak. Disable access, recover devices, take a system offline if needed.
  2. Assess the risk. What data, how many people, and how much harm could result.
  3. Record it. Log what happened, when you found it, and what you did.
  4. Notify if required. Tell the Commissioner and affected people where the Act requires it.
  5. Recover and learn. Fix the root cause and update your safeguards.
Watch out. Do not destroy evidence or quietly "tidy up" before you understand what happened. You may need the details to assess and report the breach accurately.

Notifying the Commissioner and individuals

Whether a breach must be reported depends on the risk it poses to the people affected. Where notification is required, report it without undue delay, and tell affected individuals where they need to take steps to protect themselves.

Legal note. The precise notification threshold and timeframe are set by the Act and the Office of the Information Commissioner's guidance. Confirm the current requirements rather than relying on a number from memory.

After the incident

  • Carry out a simple root-cause review.
  • Note the lessons and the changes you made.
  • Update training and safeguards so the same thing cannot recur.

Common mistakes

  • Waiting to "be sure" before starting containment.
  • Failing to keep a record of the incident and your decisions.
  • Treating the breach as closed once contained, without fixing the cause.

Best practices

  • Have a short, written incident plan before anything happens.
  • Keep a breach register, even for incidents you decide are not notifiable.
  • Practise the plan so your team knows who does what.

Put this into practice

Work through a breach step by step, assess whether it is notifiable, and produce the records you need.

Use the Data Breach Wizard

Frequently asked questions

Any incident where personal data is lost, stolen, exposed, altered, or accessed without authorisation. It includes a lost laptop or an email sent to the wrong person.

Key takeaways

  • A breach is any loss, exposure, or unauthorised access to personal data.
  • Contain it first, then assess the risk to the people affected.
  • Notify the Commissioner and affected individuals where the Act requires it.
  • Record what happened and what you changed, so it does not happen again.

Related

Ask the Privacy Assistant

Beta