Self-assessment for data breaches
-
1. A personal data breach (PDB) can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Have you determined whether a PDB has occurred?
Yes
-
2. Making your own assessment, does the breach involve the personal data of living individuals?
Yes
-
3. Following your own assessment, is there likely to be a high risk to individuals’ rights and freedoms?
No
-
4. How likely is it that the breach will result in a risk to individuals?
I'm not sure
-
5. Do you consider the data to be contained and the risk to data subjects mitigated?
Yes
Yes, the risk to the data subject has been mitigated
Based on your assessment, a risk to data subjects appears unlikely. You should keep an internal record of the breach as detailed in Article 33(5) of the GDPR, including what happened, the effects of the breach and remedial actions taken.
There is no requirement to notify the ICO but you should also record the reason for your decision in your internal breach record. If new information which affects the circumstances of this breach comes to light, you should reassess the risk and whether it becomes reportable at that point.
You may want to take a screenshot of this page or use your browser to print the page so that you have a record of your assessment.