How We Handle GDPR Data Breach Notifications
Under UK GDPR, certain types of personal data breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them. This article explains our obligations and how we work with you when a breach occurs.
What Counts as a Personal Data Breach?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes:
- A hacker gaining access to your user database
- An email containing personal data sent to the wrong recipient
- A misconfigured storage bucket exposing personal data publicly
- An employee accidentally deleting a database containing personal records
Our Role as Data Processor
As your data processor, we are legally required to notify you without undue delay after becoming aware of a breach that affects personal data we process on your behalf. In practice, we aim to notify within 4 hours of confirming a breach.
Your Role as Data Controller
You (the client) are the data controller and are responsible for:
- Assessing whether the breach is likely to result in a risk to individuals' rights and freedoms
- Notifying the ICO within 72 hours if the breach is likely to result in such a risk
- Notifying affected individuals if the breach is likely to result in a high risk to their rights
How We Support You
- We provide a detailed incident report including: what data was affected, how many individuals were affected, what happened, and what we have done to contain it
- We assist you in completing the ICO notification form
- We advise on technical remediation to prevent recurrence
- We are available as a technical resource during any ICO investigation
Documentation
Even if you determine the breach does not need to be reported to the ICO, you must document it internally. We will provide you with all the technical details needed for your breach register.