When and how do we need to report a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Under the GDPR, organisations must notify the ICO of a breach within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. Organisations must also notify the individuals concerned without undue delay where a breach is likely to result in a high risk to their rights and freedoms.

If you use a data processor and they suffer a breach, they must inform you without undue delay as soon as they become aware of it – as the controller, you remain responsible for the breach-reporting obligations under the GDPR.

The Information Commissioner advises that all health service organisations in England must now use the IG Toolkit Incident Reporting Tool. This will report IG SIRIs to NHS Digital, DHSC, ICO and other regulators.

(The IG Toolkit is now replaced with the DSPT).