Notifying individuals
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Notifying individuals
You have procedures to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Ways to meet our expectations:
- You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
- You tell individuals about personal data breaches in clear, plain language without undue delay
- The information you provide to individuals includes the DPO’s details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).
- You provide individuals with advice to protect themselves from any effects of the breach.
Can you answer yes to the following questions?
- Would individuals say that they were told about personal data breaches in a helpful and timely way?
- Did they get the information they needed?
- Were they satisfied with the steps you took to mitigate the impact?