Data Breaches Under the New Data Protection Law

BlogBusiness Evolution Posted: Tuesday 28th February 2017 by

The Europe-wide General Data Protection Regulation (‘GDPR’) comes into force on 25 May 2018. It brings with it many changes such as larger fines for personal data breaches.

This post sets out the consequences of a breach on or after that date, and what organisations should be doing now to minimise the risk of one occurring:

What is a data breach?

In simple terms, a data breach is where employee or customer personal data [information from which a living person can be identified] is lost, destroyed, unlawfully accessed etc.

What’s the risk to employees/ customers?

Loss of control over their personal data, identity theft, fraud, financial loss etc.

If we have a breach do we have to tell anyone?

YES. You should tell the Information Commissioner (ICO) without undue delay (not later than 72 hours) after having become aware of the breach unless the breach is unlikely to result in harm to the individuals affected.

What should I tell the Commissioner?

Tell them the nature of the breach, give them a contact within your organisation and tell them what you are doing to address the breach.

Should we tell the affected individual(s)?

YES if the breach is likely to result in a high risk of harm. Do so without undue delay.

Will we be fined?

Possibly. How much depends on the nature, gravity, and duration of the breach, the number of individuals affected and the level of damage suffered by them.  The ICO will also look at whether the breach was intentional or negligent, your culpability, action you have taken, how cooperative you have been, your previous ‘record’ etc.

What’s the maximum fine for a data breach?

Up to 10,000,000 EUR, or in the case of an organisation, up to 2 % of total worldwide annual turnover – whichever is higher.

There may also be reputational damage and the cost of staff time putting matters right.

So what should we be doing?

Speak with your IT team and ensure that you have appropriate (to the risk/ harm) technical measures in place.

From a people perspective put in place appropriate organisational (policies and procedures/ staff training) measures.  The importance of such policies (which sets out the organisations approach to data protection) and staff training (which reinforces any policies) cannot be underestimated as it is usually employee error that results in a data breach.

In order to decide what is appropriate organisations need to look at what employee/ customer information you handle, who has access to it, how it is handled, how sensitive it is as well as the likelihood of unauthorised access and the harm that might result if that were to happen.


Don’t take chances. Review your risk now. Ensure that your staff know what is expected of them.

For further advice or training in this area or data protection/ GDPR generally contact David Campbell at:

Tel: 01902 246 995

Mobile: 07397 943394


Share This