Assessing and reporting breaches
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The 'Plans for new and updated guidance' page will tell you which guidance will be updated and when this will happen.
You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.
Ways to meet our expectations:
- You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
- You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.
- The procedure includes details of what information must be given to the ICO about the breach.
- If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.
Can you answer yes to the following questions?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO?