Don’t be the next headline – handle breaches like a boss

Why it matters

Major data breaches are no longer rare events. They’re real, rising, and risky. Under UK GDPR, organisations have a legal obligation to manage and report breaches appropriately. The Information Commissioner’s Office (ICO) has recently updated its guidance to place greater emphasis on a “report early, update later” approach. This means your response plan must be quick, clear, and proactive.

Step 1: Prepare before a breach happens

You can’t wait for a breach to happen to start planning. Preparation is key:

  • Recognise what a breach looks like. A breach isn’t just a hack – it’s any loss, unauthorised access, or misuse of personal data. That includes sending data to the wrong recipient or losing an unencrypted device.
  • Train your team. Human error causes more than 80% of breaches. Regular GDPR and security training helps employees recognise risks and respond appropriately. Our platform offers trackable training to keep your team sharp.
  • Have a breach response plan. Know who will respond, how incidents are escalated, and how decisions are made. The Data Breach Procedure in our platform guides you through this setup.

Step 2: When a breach occurs, act fast

The clock starts ticking the moment you discover a breach.

  • Assess the breach. You will need to determine:
    • What data was involved?
    • Whose data was affected?
    • Was the data exposed to unauthorised individuals?
    • Is there a risk to people’s rights and freedoms?
  • Decide if it should be reported. If there’s any risk to individuals, you must report it to the ICO within 72 hours. If you’re unsure, it’s safer to report early — the ICO now encourages this approach.

Data Compliance Pro will guide you through these steps and automatically generate a report, ready for you to email to the ICO.

Step 3: Report early, update later

The ICO wants early notification, even if all the details aren’t clear.

  • Use our Data Breach module to capture and report what you know.
  • Keep investigating after you’ve submitted the initial report.
  • Update the ICO with new findings, steps taken, and additional impact assessments as they become available.

Our platform supports ongoing breach documentation and updates to help you meet this requirement.

Step 4: Mitigate harm & recover data

  • Take action to contain the breach: revoke access, fix misconfigurations, and patch vulnerabilities.
  • Recover data if possible: restore from backups and investigate the extent of loss.
  • Limit potential damage: cancel affected credentials, notify third parties if needed, and support affected individuals.

Step 5: Communicate with affected individuals

If a breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. identity theft, discrimination, reputational damage), you must inform them without delay.

Data Compliance Pro will guide you through this assessment.

Step 6: Follow up & learn from the breach

  • Continue your investigation. Find root causes and identify security gaps.
  • Update the ICO. Report further details and outcomes once the situation is fully understood.
  • Review and update your processes. Log lessons learned, improve your training, and refine your response plan.

How We Help

With Data Compliance Pro you can:

  • Assess and report breaches with step-by-step guidance.
  • Automatically generate your Data Breach Procedure.
  • Train your team to prevent human error.
  • Track and document your compliance actions.
  • Generate ICO-ready reports and updates.

Don’t wait for a breach to get your plan in place. Start preparing today.
