Managing a Data Breach

September 15th, 2020

The recent personal data breach at the Cabinet Office highlights the importance of managing and processing personal data properly.

The personal data breach by the Cabinet Office in respect of those named in the 2019 New Year’s Honours List, which saw the addresses of virtually all those recognised with an honour published on the official government website, has once again shone the spotlight on the importance of managing the process of protecting personal data, ensuring that steps are taken in a prompt and efficient manner if a data breach takes place.

What happened?

On 27th December 2019, a file containing the full list of recipients of a New Year’s honour was uploaded to the Government’s website. The file is alleged to have contained the details of virtually all recipients’ addresses, including those of celebrities such as the singer Elton John, cricketer Ben Stokes, presenter Gabby Logan and chef Ainsley Harriott. The details could be viewed by the general public for a number of hours before the file was eventually removed from the website the following day, by which time the error had hit the front pages of the national newspapers, calls for a public inquiry had begun and the breach had been labelled as a ‘complete disaster’ by a former Cabinet minister.

What must my business do in the event of a data breach?

Chiefly, under the new data protection laws, it is vital that upon discovering any personal data breach which could pose a risk to individuals’ rights and freedoms, you notify the Information Commissioner’s Office (‘ICO’) within 72 hours of becoming aware of it.

When notifying the ICO, you must, insofar as possible, give details of the nature of the data breach, including the categories and number of individuals and data records concerned, the details of your business’ Data Protection Officer (if any), your understanding of the potential consequences of the breach, and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.

If there has been a breach which is likely to result in a particularly high risk to the rights and freedoms of individuals, the legislation states that you must inform those concerned as soon as possible. The rationale for this is that the individuals can then also take steps to protect themselves from the fallout of the data breach. The individuals concerned should be provided with a point of contact at the business (most likely the business’ Data Protection Officer), a description of the likely consequences of the data breach, and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.

Data breach penalties

Reporting a notifiable data breach to the ICO is of vital importance. Failure to do so can result in a significant penalty to the business, namely a fine of up to 10m Euros or 2% of the business’ global turnover.

What steps can be taken to prevent this occurring again?

The business should undertake a root-and-branch review of its processes and procedures to identify the cause of the data breach and how it came to happen. Once the business has located this point of weakness, it can work to strengthen its existing procedures or implement new processes in order to enhance the protection and safekeeping of the personal data that it processes.

Typical practical steps that can be taken to prevent a recurrence of a personal data breach include:

  1. providing training and regular updates to staff;
  2. undertaking a thorough security and data protection audit;
  3. implementing or updating internal and external data protection policies and data processing agreements;
  4. implementing or updating disaster recovery and data breach plans;
  5. ensuring practical measures are adhered to, including encrypting devices and data, maintaining strong passwords, locking computers when they are left unattended, keeping confidential information in locked drawers etc.

How Can Verisona Law Help Me and My Business?

At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:

  1. reviewing your business’s data protection and privacy policies;
  2. reviewing your business’s data processing agreements;
  3. carrying out a data audit of your business;
  4. providing training to your business’s staff and board members; and
  5. assisting your business in the event of it suffering a personal data breach.

If you would like further information, please contact Grant Usher (Associate) at or via telephone on 023 9231 2058.