Managing personal data breaches

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Managing personal data breaches
  • Data security requirements
  • What is a personal data breach?
  • Why should you worry about personal data breaches?
  • What if you use a data processor?
  • Breach management
  • Data Breach Team
  • Containment and recovery
  • Assess and record the risk
  • Notification of breach
  • More...

Managing personal data breaches

Data security is a cornerstone of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle (the integrity and confidentiality principle) requires you to take appropriate technical and organisational measures to process personal data in a manner that ensures appropriate security, including:

  1. protection against unauthorised or unlawful processing

  2. accidental loss, destruction or damage

This Practice Note reflects ICO guidance on personal data breaches under the GDPR. It also contains additional useful practical information set out in ICO guidance on data security breach management issued under the previous data protection regime.

This Practice Note also reflects guidance issued by the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant.

Data security requirements

Article 32 puts more flesh on the bones of the GDPR’s integrity and confidentiality principle. You are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:

  1. the nature, scope, context and purpose of processing

  2. the risk of varying likelihood and severity for the rights and freedoms of data subjects

Your security measures should include, as appropriate:

  1. the pseudonymisation and encryption of personal data

  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

  3. the ability to restore the availability and access

Popular documents