The responsible person needs to assess whether a personal data breach is likely to pose a high risk to people. If it does, there are additional steps you need to take.
There will always be other risks for you to consider, such as the risk to your reputation or finances, but the responsible person's first priority should be the negative consequences for those affected.
To assess the risk, they need to think about how seriously any negative consequences may affect people and how likely those consequences are to happen.
Their risk assessment should consider both the information available when your business became aware of the breach and any new information that comes to light as they investigate.
The information they consider should include:
• the type of personal data involved;
• how many people are affected; and
• how they are, or could be, affected.
If they decide that negative consequences are unlikely for those concerned, they might decide the risk is low. However, if the potential consequences are significant, they might consider the overall risk to be high, even if they’re unlikely to happen.
If they decide the situation is likely to pose a high risk to people, they must tell them as soon as possible and report it to the ICO.
If the situation is likely to pose a low risk to people, they don’t need to inform those affected or report it to the ICO.
Even if they don’t have all the information when your business becomes aware that a breach has happened, they should still begin their risk assessment based on what they know.