Personal Data Breaches: What Do You Really Need to Do (Beyond Reporting to the ICO)?
Personal data breaches are scary. And for good reason.
Hardly a week goes by without headlines about cyberattacks, lost data, or accidental disclosures affecting businesses and their customers. Beyond reputational damage, data breaches can lead to regulatory investigations, fines, and loss of customer trust. For the individuals affected by a breach, the impact can be severe as their private information could be put into the wrong hands.
When a breach happens, businesses often panic. You might have policies and procedures in place for dealing with a breach – but dealing with one in reality is different. So, what do you need to know?
Reporting to the ICO – Obvious but When is it Required?
One of the first questions we receive from clients when they discover a breach is:
“Do we need to report this to the ICO?”
And for good reason! Under data protection law, organisations must report certain personal data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Failure to do so can result in the ICO taking enforcement action (over and above any enforcement action it might take because the breach occurred in the first place). So, understandably, ICO reporting is at the front of everyone’s minds when a breach occurs.
But you are not required to report every personal data breach.
A breach only needs to be reported if it is likely to result in a risk to the rights and freedoms of individuals. Some breaches may pose little to no risk to the individuals affected so do not require notification.
However, all breaches must be documented internally, whether or not they are reported. The record should cover the facts of the breach, its effects and the remedial action taken, so you can show the ICO how you reached your decision if asked.
What Else do You Need to Think About When a Breach Happens?
It’s important to avoid the trap of focusing only on ICO reporting when a breach takes place. Other things you need to think about are:
1. Risk Assessing
The first step is to understand what has caused the breach and what impact it might have on individuals.
Key questions include:
- What type of personal data was involved? The more sensitive it is (special category data such as health information, or data that could be used for fraud, such as bank details), the more serious the breach
- How many people are impacted?
- Could the breach lead to identity theft, fraud, or harm?
- Do you know why the breach happened, and are you satisfied it is not still ongoing? An email sent to the wrong person is unlikely to be ongoing. A cyberattack or ransomware incident may well be, and you would need to take steps to shut it down before the risk assessment can be relied on
This risk assessment helps you focus on your next steps, including whether you need to report to the ICO.
2. Mitigate the Impact of the Breach
Once the risk is assessed you should identify if there is a way to reduce the risk or severity of any harm.
What steps you take will depend on the exact nature of the breach, for example:
- Revoking access to personal data shared incorrectly (for example, a link to a SharePoint site sent to the wrong person), and checking the access logs to find out whether the data was opened before access was removed
- Remotely wiping lost or stolen devices and resetting any passwords or accounts that were accessible from them
- Identifying and contacting anyone who has been given access to the data accidentally
- Seeking support from experts
3. Notifying People Affected by the Breach
For serious breaches you may need to inform the individuals affected. The test here is: does the breach pose a high risk to individuals’ rights and freedoms? As with ICO notification, you need to consider the data that has been breached and the risk this poses to those impacted.
If you decide you need to notify individuals, you must tell them: what has happened, what the consequences might be, who they can contact for more information, and what is being done to mitigate the breach. Where you can, you should also tell people what they can do to protect themselves (for example, changing a password or watching for suspicious emails).
Any breach you believe you need to inform individuals about must also be notified to the ICO.
4. Investigate the Cause and Prevent Future Breaches
Once the immediate risk is contained, establish the root cause of the breach (a process failure, a training gap or a technical weakness) and fix it so that the same breach cannot recur. The findings should feed back into your breach response plan and your security reviews.
Reporting Is Important—but It’s Not the End
Reporting a breach to the ICO is a legal obligation in certain cases. But reporting alone does not protect your business. You should also work through the factors above and take steps to mitigate the impact of the breach and learn lessons to prevent future breaches.
Practical Tips for Businesses
To be prepared for a breach you should have:
- A data breach response plan, including how risks will be assessed, who is responsible for decision making, and how the 72-hour reporting window will be tracked from the moment the breach is discovered
- A programme of staff training on preventing breaches and on recognising and escalating incidents
- Regular reviews of security and data protection measures
Whilst we always hope a breach won’t happen, a lack of proper preparation could result in a breach having a much more serious impact on your business than it needs to.
Need Help With Data Breaches?
If you’d like support with breach reporting, risk assessments, incident response plans, or data protection compliance in general our team is happy to assist.