loading icon

Employers handle a vast amount of sensitive personal data, and under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA), they are responsible for keeping it safe. This task often falls heavily on Human Resource teams, who must not only protect data but also respond effectively if a breach occurs. 

What is a Personal Data Breach?

A personal data breach occurs when data is destroyed, lost, altered, or disclosed without proper authorisation. Breaches can range from simple human errors, such as sending an email to the wrong address, to more complex incidents like phishing attacks or hacking. Even verbal slips, like sharing confidential information overheard by someone else, count as breaches.

Why It Matters

Not all breaches have severe consequences, but those involving sensitive data can result in significant penalties. Organisations can face hefty fines—up to £17.5 million or 4% of global annual turnover. For example, Interserve, a construction company, was fined £4.4 million in 2022 for exposing the personal data of 113,000 employees.

Moreover, victims of breaches can pursue legal action. Manchester United, for instance, was sued after an email containing employees’ personal data was sent to casual staff, even though no fine was imposed by the ICO (Information Commissioner’s Office). 

How to Manage a Breach

  1. Act Quickly: Immediate action can help prevent a small breach from escalating. Fast responses also protect affected individuals, reducing risks like identity theft.
  2. Get Organised: Have a breach response plan in place and assemble a team from relevant departments like IT and HR.
  3. Contain the Breach: Identify the breach’s scope, recover data if possible, and protect sensitive information by actions such as changing passwords.
  4. Assess the Impact: Evaluate the potential harm based on factors like the sensitivity of the data and who is affected.
  5. Report the Breach: Notify the ICO within 72 hours if the breach poses a risk to individuals’ rights and freedoms.
  6. Document the Incident: Regardless of whether it’s reported, keep records of the breach, its impact, and how it was handled.

Handling breaches swiftly and efficiently can limit legal, financial, and reputational damage while safeguarding affected individuals. Regular staff training and enhanced data protection measures are essential for minimising the risk of future breaches.

Rebecca Procter 2
How we can help

Contact Jon Dunkley today for an informal chat, without obligation.

Contact Jon Dunkley