What Is a Data Breach and What Are Your Responsibilities as a Business?

In this blog, we explore: what constitutes a data breach and personal data; the responsibilities of businesses processing this data; who regulates data breaches in the UK; and key steps you can take in the event of a data breach. 

What is a data breach?

According to GOV.UK, “a data breach is a security incident that results in personal data you or your company holds being: lost or stolen, destroyed without consent, changed without consent or accessed by something without permission.” Some of the most common causes of a data breach include stolen information (often resulting from simple human error); ransomware attacks (where threat actors encrypt data and demand a ransom payment for its release); and phishing (where third parties create sites or emails that look genuine but contain malicious links).  

What is personal data?

Personal data refers to information that directly identifies an individual, such as a person’s name or address, or information that can indirectly identify an individual like a personal email address or telephone number.

Who’s responsible for protecting personal data?

Anyone within an organisation that directly or indirectly interacts with personal data has a responsibility to ensure it’s handled in a responsible and GDPR-compliant manner.

Data controllers, including businesses, organisations, charities and associations, have the responsibility of deciding how personal data is processed and protecting it from harm.

Data controllers can delegate the processing of personal data to what is known as a ‘data processor,’ but they still retain responsibility for the security of that personal data. Data processors, of course, also have to protect people’s personal data, but they act only on a controller’s instructions.

What is a data controller?

In simple terms, a data controller is the organisation that solely or jointly determines the purpose and means of processing personal data. For more information, refer to the GDPR guidelines.

What is a data processor?

A data processor is the organisation processing personal data on behalf of the data controller.

Do I need a data protection officer (DPO)?

Under GDPR law, data controllers and processors are required to designate a data protection officer where:

  • Processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  • Core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
  • Core activities of the controller or processor consist of processing (on a large scale) of special categories of data pursuant to GDPR Article 9, or personal data relating to criminal convictions and offences referred to in GDPR Article 10

The DPO should report into the highest level of management within the organisation, and be appointed if any of the above points are met, regardless of company size. A DPO doesn’t have to be an internal employee; you’re able to outsource this.  

Even if you’re not legally obliged to appoint a DPO, it’s highly recommended as good practice to have at least one data privacy officer in place.

It should be noted that, at the time of writing, UK data protection law is being revised. As such, your obligations, including the requirement to appoint a DPO, may change in the near future.

Who’s liable and accountable for a data breach?

Data owners are accountable for data security and, for this reason, are usually held liable for any damage (and associated claims for compensation payable to an individual) if their processing activities infringe UK GDPR.

Who regulates data breaches in the UK?

The Information Commissioner’s Office (ICO) is responsible for enforcing Part 3 of the UK Data Protection Act 2018 (the UK implementation of GDPR). The act introduces a duty on all organisations to report certain types of personal data breaches to the Information Commissioner. You must do this, where feasible, within 72 hours of becoming aware of the breach.

Can you be fined for a data breach?

Yes! Firstly, you can be fined up to £8.7m or 2% of your global annual turnover if you fail to notify the ICO of a breach when required to do so. This can be combined with the ICO’s other enforcement powers to fine organisations up to £17.5m or 4% of global annual turnover for serious breaches of data protection principles. In both cases, the fine is whichever figure is higher.

What enforcement powers does the ICO have?

As well as issuing the fines mentioned above, the ICO has several enforcement tools, such as assessment notices, warnings, reprimands and enforcement notices. The ICO takes a risk-based approach to enforcement, focusing more on cases involving reckless or deliberate harms, and is therefore unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation. Nor does it seek to penalise organisations where a member of staff has made a genuine mistake when acting in good faith and in the public interest; for example, in an emergency situation or to protect someone’s safety.


What to do in preparation for a data breach and when the worst happens

It’s critical to have an incident response plan (IRP) that’s regularly reviewed, tried and tested. An effective IRP should:

1. Engage third-party specialists, including your cyber insurers (if applicable), incident responders, crisis communications specialists, IT forensics, external counsel and TransUnion, which offers a data breach service for your consumer remediation needs

2. Consider how your business will function if systems are taken down

3. State how you’ll manage regulators, including the ICO, and handle any litigation from those impacted

4. Have the tools and expertise in place to take down data from the internet

5. Communicate no more widely than necessary, and share only confirmed facts outside the breach working group, bearing in mind what could be held against you in any future litigation

6. Understand investigations can take many months to complete depending on the complexity of the incident

7. Be ready at all times with third-party specialists and internal stakeholders on deck for any data crisis — and tested offline backups in place

How quickly should a data breach be reported?

By law, you must report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours. That threshold is dependent on the likelihood of the breach resulting in a risk to the rights and freedoms of individuals impacted. If left unaddressed, risks could include:

  • Discrimination
  • Reputational damage
  • Financial loss
  • Loss of confidentiality

You must also communicate the data breach to all individuals impacted without undue delay where there’s a high risk to their rights and freedoms. This high risk means the threshold is higher than that for reporting an incident to the ICO.

In summary

A data breach is an event in which personal data has been lost, changed, accessed or shared without the permission of the individual the data is about. Organisations that deal with personal data have a responsibility to protect and use it appropriately and compliantly under GDPR law. The ICO is responsible for enforcing GDPR and DPA laws for personal data breaches and has enforcement powers that include fines. In the event of a breach, businesses must act to investigate, mitigate and respond. When a data breach occurs, businesses must notify the ICO (where the threshold is met) within 72 hours, and have a duty to inform affected individuals in a timely manner.
