GDPR Breach: What is the protocol?

Last week we shared with you the six key areas within your organisation that you can look at the changes you can start making today to ensure that you are  GDPR compliant on 25th May 2018. In a nutshell, the regulation was created to streamline and simplify our data protection laws and to give people more control over how their personal data is used.

Realistically, none of the processes outlined in the legislation are unreasonable. For the most part, they allow a business to work smarter, more securely, and also more ethically. A big part of making the shift for most companies is first and foremost a change in culture and a slight mindset shift. Yes, over the next five months, to achieve said culture change involves the investment of both time and money in training, and changing processes within communication, data processing/management, and marketing. But the crux of the matter is that every change you are going to make between now and May, is going to lead to the greater good and betterment of your business.

All this being said, it is incredibly important that you know what to do in times that things go wrong; and they will go wrong,  human error is inevitable. Thus, it is vital that a part of your mindset shift towards GDPR readiness is that you prepare yourself for breach reporting.

How can it happen?

I’m sure we’ve all been there when we’ve meant to send an email to one person and ended up sending it to someone else by mistake. Whether it’s a slip of the mouse or just an honest error and you don’t notice until it is too late, if that email has sensitive information attached, then you’ve just caused a breach. The easiest way to determine whether or not you should report a mishap to the ICO is if it causes detriment to the data subject or not. Potential detriment is easily definable by private aspects of a person’s life, such as financial information or nonpublic identifiers; their passport number for example, being wrongly shared.

Reporting a breach

From the point of a data breach, you only have 72 hours to act and to report your transgression. If you miss the three-day deadline, it is critical to supply a reason as to why. Planning ahead will allow you to minimise the likelihood of this happening.

You can report your companies breach to the ICO in a number of ways. You can call them on 0303 123 1113, or you can fill a form on their website and send to or Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

You’d need to make the data subject aware and in extreme circumstances, you might need to alert the authorities.

What happens next?

In most circumstances, it is highly likely that pending investigation no further action will be taken by the ICO, but this incident will highlight the key areas in which you can improve to prevent the event occurring again. A fine is only incurred as a result of a severe breach or in the event of malicious, deliberate, or negligent foul play.

There are a number of changes that you can begin to make today in order to make your business GDPR compliant and streamline processes to minimise the potential for any errors and breaches.

For further help and advice on making your business compliant and making changes to your existing technology, please get in touch. Contact us today by calling 01204 860050 or emailing us on

Free eBook
Test your Internet Security IQ