Managing a personal data breach—process flowchart

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Managing a personal data breach—process flowchart
  • Stage 1—assemble data breach team
  • Stage 2—preliminary assessment
  • Stage 3—containment and recovery
  • Stage 4—assess and record
  • Stage 5—notify the ICO (if required)
  • Stage 6—notify data subjects (if required)
  • Stage 7—notify other relevant parties
  • Stage 8—prevent future breaches

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

This Practice Note illustrates how to manage a data protection breach under the EU General Data Protection Regulation (GDPR). It reflects the reporting and recording requirements under the GDPR together with the data breach management guidance issued by the Information Commissioner's Office (ICO). It also draws on earlier ICO guidance on data security breach management which predated the GDPR but contained additional practical information that remains useful. It maps out a process, providing guidance and links to relevant precedents for each stage of that process. It can also be used for cybersecurity breaches.

Data protection breach management workflow

See Precedents: Personal data breach plan, Data breach report form—internal, and Data breach assessment and action plan, which guide you through each stage of this workflow.

Stage 1—assemble