The ICO exists to empower you through information.

How to use this report

Please see below for suggested actions and further reading based on your answers to the nine questions.

Do you, or someone in your business, know what a personal data breach is? - Yes


That's great. If you know what a personal data breach is, you can do something about it if one happens.

Does your business have measures in place to help prevent personal data breaches happening? - Yes


Having robust measures in place to help you and your staff avoid personal data breaches is crucial.

Make sure you're considering things like:

  • ensuring your IT systems are safe and secure;
  • double-checking addresses before sending emails and letters;
  • checking attachments and email chains only contain the personal data of the people who should see it; and
  • training staff to use the email ‘blind carbon copy’ (BCC) function correctly.

Remember to regularly review and amend the measures you have in place, and remind staff to use them.

Do you have someone in your business responsible for dealing with any personal data breaches that happen? - Yes


It's great you already have a person who’s responsible for dealing with personal data breaches.

It's important that you support them in their role, for example by regularly reviewing and, where necessary, improving the support and resources available to them. You also need to provide them with regular refresher training.

If they move on, you’ll need to choose someone to replace them, train the new person and tell everyone in your business who they are and how to contact them.

Has everyone in your business had training in how to avoid, recognise and report a personal data breach? - Yes


It's good you're providing training for your staff. To keep their knowledge up-to-date, you should provide regular refresher training, including:

If a personal data breach happens, does the responsible person know what to do first to limit the consequences? - Yes


By implementing a response plan, you've taken an important step to protect any personal data affected by a breach. But you need to treat it as a 'living document'. Regularly review the steps and actions you can take to limit the consequences, particularly if you've made changes to your business or if you've actually experienced and dealt with a breach. When something changes, update your response plan accordingly.


Does the responsible person know how to assess how serious a personal data breach is? - Yes


You’re in a good position if your responsible person knows how to assess the severity of a breach and the level of risk it’s likely to pose to those affected.

We have a self-assessment tool on our website you can use if you need help with a personal data breach.

In addition, you can contact us to get advice about any breach, including to help you decide whether or not to report it.

Does the responsible person know what to tell the affected people? - Yes


By already having this in place, you have a good basis to be open and transparent and show people you care about their personal data.

Review new information about existing personal data breaches. Reassess the impact to affected people as this may change over time.

Does the responsible person know what information to record on your breach log? - Yes


You’re in a good position if your responsible person knows what to record on your breach log.

Remember that if new information comes to light about existing personal data breaches, they should update the log and reassess the impact to affected people. They may need to tell those affected and they may also need to report the breach to the ICO, explaining the reason for the delay.

Relevant staff should meet regularly with the responsible person to review the information in the breach log along with any ICO recommendations to ensure lessons are learned.

Does the responsible person know whether they need to tell the ICO about the breach and, if so, what information to include in their report? - Yes


While your responsible person knows when to tell the ICO about personal data breaches, they need to reassess this decision if new, relevant information comes to light.

Our self-assessment tool is there to help assess personal data breaches.

In addition, they can contact us to get advice about any breach, including whether or not they should report it.