Data Breach Notification Rules
A personal data breach is any security incident that leads to data being lost, stolen, altered or disclosed without authorisation. The law sets strict rules on when you must report one.
This is general guidance on the notification duties; have an incident plan ready before you ever need it.
When You Must Tell the ICO
If a breach is likely to result in a risk to people's rights and freedoms, you must notify the ICO without undue delay and within 72 hours of becoming aware of it. If it is unlikely to result in a risk, you record it internally but need not report it.
When You Must Tell Individuals
Where a breach is likely to result in a high risk to people — for instance exposing financial or health data — you must also tell the affected individuals so they can protect themselves.
What to Record
- What happened and when you discovered it.
- The data and number of people affected.
- The likely consequences.
- The steps you took to contain and remedy it.
Frequently Asked Questions
What if I am not sure whether it is reportable?
Assess the risk quickly and document your reasoning. If in genuine doubt, the safer course is usually to report within the 72-hour window.
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.