loading icon
Legal 500 Logo

Managing personal data breaches in the workplace

Nov 12, 2024

Employers handle a vast amount of sensitive personal data, and under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA), they are responsible for keeping it safe. This task often falls heavily on Human Resource teams, who must not only protect data but also respond effectively if a breach occurs. 

What is a Personal Data Breach?

A personal data breach occurs when data is destroyed, lost, altered, or disclosed without proper authorisation. Breaches can range from simple human errors, such as sending an email to the wrong address, to more complex incidents like phishing attacks or hacking. Even verbal slips, like sharing confidential information overheard by someone else, count as breaches.

Why It Matters

Not all breaches have severe consequences, but those involving sensitive data can result in significant penalties. Organisations can face hefty fines—up to £17.5 million or 4% of global annual turnover. For example, Interserve, a construction company, was fined £4.4 million in 2022 for exposing the personal data of 113,000 employees.

Moreover, victims of breaches can pursue legal action. Manchester United, for instance, was sued after an email containing employees’ personal data was sent to casual staff, even though no fine was imposed by the ICO (Information Commissioner’s Office). 

How to Manage a Breach

  1. Act Quickly: Immediate action can help prevent a small breach from escalating. Fast responses also protect affected individuals, reducing risks like identity theft.
  2. Get Organised: Have a breach response plan in place and assemble a team from relevant departments like IT and HR.
  3. Contain the Breach: Identify the breach’s scope, recover data if possible, and protect sensitive information by actions such as changing passwords.
  4. Assess the Impact: Evaluate the potential harm based on factors like the sensitivity of the data and who is affected.
  5. Report the Breach: Notify the ICO within 72 hours if the breach poses a risk to individuals’ rights and freedoms.
  6. Document the Incident: Regardless of whether it’s reported, keep records of the breach, its impact, and how it was handled.

Handling breaches swiftly and efficiently can limit legal, financial, and reputational damage while safeguarding affected individuals. Regular staff training and enhanced data protection measures are essential for minimising the risk of future breaches.

Rebecca Procter 2
How we can help

Contact Jon Dunkley today for an informal chat, without obligation.

Contact Jon Dunkley

 

Wollens Footer Logo

Facebook social icon Twitter social icon Linkedin social icon Instagram social icon Youtube social icon

 

Wollens is a trading style of Wollen Michelmore LLP, which is a limited liability partnership, registered in England and Wales with the registered number OC369936. The registered office is At Harbourside, 67 The Terrace, Torquay, TQ1 1DP. The term ‘partner’ is used to refer to a member of Wollen Michelmore LLP or to an employee or consultant with equivalent standing or qualification. A list of members can be found at www.wollens.co.uk.

Wollen Michelmore LLP is authorised and regulated by the Solicitors Regulation Authority –SRA No. 565599.

© 2019 Wollen Michelmore All Rights Reserved | VAT no: 124 1592 37

 

 

South Devon Office

At Harbourside, 67 The Terrace,
Torquay, TQ1 1DP
01803 213251
[email protected]

 

 

Exeter Office

Aperture,
Pynes Hill, Rydon Lane,
Exeter EX2 5AZ
01392 274006
[email protected]

 

 

North Devon Office

Avery House, Liberty Road,
Roundswell Business Park,
Barnstaple
Devon  EX31 3TL
01271 342268
[email protected]