
GDPR and personal data breaches

With the implementation of GDPR, the law calls for all organisations to report certain types of personal data breach to the relevant data protection authority within 72 hours of becoming aware of the breach.

Under GDPR, companies have a duty to alert the authority following a data breach. Even in the event that you aren’t required to notify, you must keep a record of any personal data breaches. Failure to follow the correct procedures after a breach of data can lead to serious consequences. It has never been more important to understand what to do if someone gets past your security, and prevention is key. Get in touch with Blackhawk Intelligence today so our team of data security experts can help to review how your organisation is handling your clients’ personal data and the procedures to follow should a data breach happen.

Defining a personal data breach

Because personal data breaches have a relatively large list of causes and effects, it’s important to know the official definition of one. The UK Information Commissioner’s Office (ICO) defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” This can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

Recital 87 of the GDPR states that when a security incident occurs, you must take steps to identify whether it includes a personal data breach and if it does then you must take action.

What to do when a data breach occurs

When you have fully confirmed that a personal data breach has occurred, there are two separate GDPR articles you must follow: Article 33 and Article 34.

Article 33

Article 33 states that you must notify the relevant supervisory authority within 72 hours of discovering the breach unless the breach is unlikely to result in a risk to the rights and freedoms of the subject. This notification must come in the form of a very specific letter, including information on:

  • The nature of the personal data breach, including the approximate number of data subjects and records concerned and their categories.
  • The name and contact details of the data protection officer or another contact point where more information can be obtained.
  • The likely consequences of the data breach.
  • The measures being taken or proposed to address the breach and mitigate any possible adverse effects.

As the data protection authority will use this document to assess whether you’re complying with GDPR, it’s vital to include the right information. In some instances, companies also include digital forensics details, with which our team of digital forensics experts can help.

Article 34

Article 34 states that when the personal data breach is likely to result in a high risk to the data subject, then you must notify them immediately. The communication should be in clear and plain language, and contain all of the information laid out in Article 33. However, it does not have to be sent if:

  • There are appropriate technical and/or organisational protection measures on the affected data. This particularly applies to encryption and similar methods that make the data unintelligible to unauthorised parties.
  • You have taken measures to ensure there is no longer any risk to the data subject (and you can prove it).
  • It would involve a disproportionate effort. In this case, however, you must still notify the subject via a public message or similar method that ensures that the data subjects hear about it.

Remember that under Article 34 the data protection authorities can form their own risk assessment, and if they believe the data subject is at risk and none of the above conditions is met, they can – and will – force you to inform the data subject.


The standard punishment for failure to comply with the GDPR is a fine, the size of which is decided by the ICO after an investigation. Previously, ICO fines were limited to a maximum of £500,000; under the new laws, however, these fines can reach up to €20,000,000 (£17,830,000) or 4% of global turnover (whichever is greater) for the most serious cases. By way of comparison, in 2015 TalkTalk was fined £400,000 for failing to take necessary steps towards increasing security, leading to the loss of data for over 150,000 customers. Had they been operating under GDPR, that fine would instead have been approximately £59,000,000. Data breaches happen regularly and companies are being fined – you can see an extensive list of every legal action the ICO has taken here, including the size of the fine and the cause.

Protect your data with Blackhawk

Personal data breaches can happen to any company, big or small, and it’s not always due to your systems. Having the right knowledge and mindset can prevent just as many attempts as good security. At Blackhawk Intelligence, we can assist with both: our experts can work on every aspect of your cybersecurity to ensure you’re covered from all angles.

For more information on how we can keep your data under your control, get in touch on 020 7788 8983.

