What businesses should do if a data breach occurs?
Under the GDPR personal data controllers are required to report personal data security breaches to the data protection authority within 72 hours of becoming aware of the breach.
Not all breaches are reportable. It is essential you create a robust plan for detecting and identifying breaches quickly, escalating them through your organisation, assessing and containing breach, reporting to the ICO (and possibly individuals) where necessary, and taking steps to ensure breaches do not reoccur.
We set out in the below flowchart some key considerations for deciding whether a breach is reportable. As well as any obligation on the data controller to self-report to the ICO, in all cases there is a duty to contain any security breach, mitigate its effects and keep a detailed record of all incidents (even those you decide not to report to the ICO).
Please note breach reports can be made via the ICO website form or by telephone.