How to manage a personal data breach

Copyright © 2025 LexisNexis
Published by a LexisNexis Risk & Compliance expert
Practice notes
Data Protection Toolkit

How to manage a personal data breach

Copyright © 2025 LexisNexis

Published by a LexisNexis Risk & Compliance expert

Practice notes
Data Protection Toolkit

Data security is a cornerstone of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle (the integrity and confidentiality principle) requires you to take appropriate technical and organisational measures to process personal data in a manner that ensures appropriate security, including:

  1. protection against unauthorised or unlawful processing

  2. accidental loss, destruction or damage

This Practice Note reflects ICO guidance on personal data breaches under the UK GDPR. It also contains additional useful practical information set out in ICO guidance on data security breach management issued under the previous data protection regime. This guidance has now been withdrawn.

This Practice Note also reflects guidance issued by the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant.

Data security requirements

Article 32 puts more flesh on the bones of the GDPR’s integrity and confidentiality principle. You are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,

Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Key definition:
Personal data definition
What does Personal data mean?

Personal data means data relating to a living individual who can be identified from such data, either alone or with other information in the data controller’s possession. It includes opinions about, and intentions in relation to the data subject.

Read more readmore

Popular documents

Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a