The ICO exists to empower you through information.

This checklist is for sole traders and other small businesses in the UK. Use it to check how well you understand personal data breaches and how to respond to them.

Once you complete the checklist, you get a short report with practical actions you can take and additional guidance to improve how you deal with personal data breaches.

More information

A personal data breach is where personal data you’re responsible for is lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been.

More information
Personal data breaches can be costly.  For example, the financial cost of recovering lost data, the staff time spent fixing a mistake and the reputational damage when customers have been put at risk. 
 

So, it makes good business sense to have robust measures in place to avoid a breach happening, such as:

  • check your IT systems are safe and secure;
  • double-check addresses before sending emails and letters;
  • check that attachments and email chains only contain the personal information of the people who should see it; and
  • train staff to send bulk emails correctly, such as by using mail merge services.

Understanding and assessing risk in personal data breaches

More information

It's important someone in your business has oversight of, and responsibility for, dealing with any personal data breaches that happen.

This could be you, or you can choose someone else.

You need to provide training, support and resources so they can complete this task effectively for your business.

Our how to respond to a personal data breach guidance explains what they need to know.

Make sure all your workers know who that person is and how to contact them.

More information
Your responsible person won't be able to do their job properly without the support of all their colleagues.
 
It's important everyone understands they have a vital role to play in maintaining good data protection practices.
 
 
Everyone should feel comfortable they know how to avoid personal data breaches, as well as how to recognise and report an actual or potential personal data breach to the responsible person.
More information
The responsible person needs to assess whether a personal data breach is likely to pose a high risk to people. If it does, there are additional steps you need to take.
 
There will always be other risks for you to consider, such as the risk to your reputation or finances. The responsible person’s first priority should be to look at the negative consequences to those affected.
 
To assess the risk, they need to think about how seriously any negative consequences may affect people and how likely those consequences are to happen.
 
Their risk assessment should also consider both the information available when your business became aware of the breach and any new information which comes to light as they investigate.
 
The information they consider should include: 
 
• the type of personal data involved; 
 
• how many people are affected; and
 
• how they are, or could be, affected.
 
If they decide that negative consequences are unlikely for those concerned, they might decide the risk is low. However, if the potential consequences are significant, they might consider the overall risk to be high, even if they’re unlikely to happen.
 
If they decide the situation is likely to pose a high risk to people, they must tell them as soon as possible and report it to the ICO.
 
If the situation is likely to pose a low risk to people, they don’t need to inform those affected or report it to the ICO.
 
Even if they don’t have all the information when your business becomes aware that a breach has happened, they should still begin their risk assessment based on what they know.
More information
If they’ve assessed that a personal data breach is likely to pose a high risk to people, they need to tell them as soon as possible.
 
Depending on the circumstances, they might consider sending an email or letter or contacting them by phone.
 
They need to describe, in clear and plain language:
 
  • what’s happened;
  • any likely negative consequences;
  • any steps the business took ok to reduce the negative consequences;
  • what people can do to protect themselves;
  • what you’re willing to do to help them; and
  • how they can contact you to get more information or help.
More information
You must have an up-to-date personal data breach log. This needs to document the facts relating to any personal data breach, including:
 
  • its causes;
  • what happened;
  • the personal data affected;
  • the impact on those affected;
  • any steps the business took to reduce the consequences to those affected; and
  • your reasons for deciding whether or not to report it to the ICO.
 
Use the log as a tool to identify trends, training needs or gaps in your processes.
 
Avoid similar incidents happening in the future by sharing findings at regular meetings and putting in place actions to fix the issues  the business identifies.
 
Consider recording near misses too, to help you avoid potential breaches becoming real ones in the future.
More information
After making their risk assessment, if the responsible person decides the risk to the affected people is low, they don’t have to report it to the ICO.
 
However, they need to be able to justify this decision, so they should document it in your breach log.
 
If they decide the risk to the affected people is high, they should report it to the ICO, describing;
 
  • what happened and when;
  • the outcome of their risk assessment;
  • the steps the business took to reduce the consequences of the breach on those affected; and
  • how the ICO can contact you if we need further information.
 
You must tell the ICO about any reportable personal data breaches within 72 hours of your business becoming aware of it.
 
You may provide this over time, if it’s not all available at the time of reporting.