Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: Staff with responsibility for processing personal information are able to recognise and escalate personal data breaches.
Risk: Without technological protection and organisational measures, there is a risk that staff may not be aware of or able to recognise a personal data breach. This may breach articles 5 (1) (f), 33 and 34 of the UK GDPR.
Ways to meet our expectations:
- Train staff to recognise and report personal data breaches before they work with personal information.
- Provide periodic staff refresher training to recognise and escalate personal data breaches.
- Reinforce training with reminders (eg posters, newsletter sections, emails and intranet bulletins).
- Incorporate anonymised examples of personal data breaches into data protection training, particularly if training is tailored to specific business areas.
- Include in the training an adequate explanation of how each personal data breach occurred, to raise awareness and help prevent future occurrences of each type of incident.
- Provide written, easily accessible staff guidance on recognising and handling personal data breaches.
- Implement a culture of trust so employees feel able to report near misses.
Options to consider:
- Ask for input and direction on the personal data breach training content from the Data Protection Officer (DPO) or Information Governance team members, as appropriate.
- Test staff understanding at the end of the training, possibly including a minimum pass mark, to ensure training is effective.
Control measure: Decision-makers are equipped to make informed decisions about personal data breaches.
Risk: If senior staff are unable to assess the severity of a personal data breach and the risk to people impacted, this may breach articles 5 (1) (f), 33 and 34 of the UK GDPR.
Ways to meet our expectations:
- Provide specialised personal data breach training to decision makers so they are able to effectively carry out this aspect of their role.
- Provide supplementary guidance to personal data breach decision makers (eg security incident flowcharts).
- Regularly refresh specialised training.
Options to consider:
- Ask for input and direction on the content of specialised personal data breach training from the DPO or Information Governance team.
- Ask for feedback from decision makers on the effectiveness of the training and act on any recommendations.