How to use this report

Please see below for suggested actions and further reading based on your answers to the nine questions.

Do you, or someone in your business, know what a personal data breach is? - No

Your business needs to understand what a personal data breach is, so you know if one happens.

See personal data breaches for the definition.

Does your business have measures in place to help prevent personal data breaches happening? - No

Implement robust measures to reduce the chances of a personal data breach happening, such as:

  • checking your IT systems are safe and secure;
  • double checking addresses before sending emails and letters;
  • checking attachments and email chains only contain the personal data of the people who should see it; and
  • training staff to use the email ‘blind carbon copy’ (BCC) function correctly.

Do you have someone in your business responsible for dealing with any personal data breaches that happen? - Partially

Decide who in your business is responsible for dealing with personal data breaches.

Provide relevant training, support and resources.

See our how to respond to a personal data breach guidance for more information on what they need to know.

Regularly review and, where necessary, improve the support and resources available to them.

Tell your workers who that person is and how to contact them.

Has everyone in your business had training in how to avoid, recognise and report a personal data breach? - No

It’s vital you provide everyone in your business with training as soon as possible and that you refresh their training on a regular basis.

Training should include:

If a personal data breach happens, does the responsible person know what to do first to limit the consequences? - Partially

Your business needs to have a clear response plan and provide training to the responsible person in how to mitigate risk to affected people.

The training should provide clear guidance on the different steps and actions to take depending on what happened, and could include:

  • changing passwords;
  • disabling lost or stolen devices;
  • recalling emails; or
  • recovering lost data or systems.

Refer to our how to respond to a personal data breach guidance for more information.

Does the responsible person know how to assess how serious a personal data breach is? - No

The responsible person needs to know how to conduct a comprehensive risk assessment.

A risk assessment must be completed for every breach that happens, and it must be specific to that incident.

The assessment helps you decide whether you need to tell the affected people and whether you need to report the breach to the ICO.

Please read our guidance on understanding and assessing risk.

Does the responsible person know what to tell the affected people? - No

The responsible person needs to know what to tell those affected by a personal data breach and how soon they need to be told.

Please see:

Review new information about existing personal data breaches and reassess the impact to affected people, as this may change over time.

Does the responsible person know what information to record on your breach log? - No

Your business needs to decide how the responsible person records and reviews the facts about actual or potential personal data breaches.

Your log should include:

  • its causes;
  • what happened;
  • the personal data affected;
  • the impact of the breach on those affected;
  • any steps you took to reduce the consequences for those affected; and
  • reasons for deciding whether or not to report it to the ICO.

The responsible person needs to review the information in the breach log with relevant staff regularly. Take into account any ICO recommendations to help you avoid similar incidents happening again.

If new information comes to light about an existing personal data breach, they should update the log and reassess the impact on affected people.

They may need to tell those affected, and they may also need to report the breach to the ICO at this stage, explaining the reason for the delay.

Does the responsible person know whether they need to tell the ICO about the breach and, if so, what information to include in their report? - No

The responsible person should know whether they need to report a personal data breach to the ICO, how soon they need to tell us and what they should include.

Our self-assessment tool can help with this.

In addition, they can contact us to get advice about any breach, including whether or not they should report it.