72 hours - how to respond to a personal data breach
A simple guide to help small companies and sole traders in the first 72 hours after discovering a breach.
If you think you’ve had a personal data breach – perhaps an email has been sent to the wrong person, a laptop was stolen from a car or you’ve lost files because of a flood – and you’re worried about what to do next, we can help.
Step one: Don’t panic
It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.
More info
Not every breach reported to us results in formal action. Our main aim is to provide advice to help the organisations avoid similar incidents in the future.
Step two: Start the timer
By law, you've got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
More info
You might end up not needing to report it, but start a log anyway, to record what happened, who is involved and what you’re doing about it.
The clock starts from when you discovered the breach, not when it actually happened.
Step three: Find out what’s happened
Pull the facts together as quickly as possible.
More info
In your log, write down facts about the incident as you uncover them. This could be things like what happened and why, how many people were involved, a timeline of when it all happened, and what actions you’ve taken so far.
Step four: Try to contain the breach
Your priority is to establish what has happened to the personal data affected. If you can recover the data, do so immediately. Also you should do whatever you can to protect those who will be most impacted.
More info
If it’s been sent to someone by mistake, you could ask them to delete it, send it back securely, or have it ready for you to collect.
If you don’t know where it is, retrace your steps. If you think it’s been lost in an office or building, you could try calling the reception.
If you’re dealing with a stolen laptop and you’ve got the appropriate systems installed, wipe it remotely. This will help to minimise the risk of personal data falling into the wrong hands.
You could contain a cyber incident by changing all passwords and making sure your staff do the same.
If you need help thinking of other ways to contain the breach, you can contact us, and we’ll advise you.
Step five: Assess the risk
You should now assess what you feel the risk of harm is to those affected, whether that’s your customers, members or service users.
More info
By risk of harm, we mean any potential harm or detriment it may cause to people, eg safeguarding issues, identity theft or significant distress. You might be dealing with a simple mix-up where there’s little or no risk involved, or a serious breach that will have a lasting effect on people’s lives.
When assessing risk, it can help to put yourself into the shoes of those who have been impacted.
For example, supposing you email a hair appointment reminder to the wrong customer and they have deleted the email. If you were the customer you meant to remind, would you be worried? Unless there’s more to this than meets the eye, it’s unlikely you would need to tell the customer or the ICO.
We’ve made a guide to help small organisations understand risk in personal data breaches, and here are some examples of the different types of breaches you might come across.
If you’re unsure, you can contact us and we’ll help.
Step six: If necessary, act to protect those affected
If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what you’re willing to do to help them. If you don’t think there’s a high risk to the people involved, you don’t have to let them know about the incident.
More info
Now that you’ve established what happened, tried to contain the breach and assessed the risk of harm to those who have been affected, your next step is to do what you can to protect them further.
Depending on the circumstances, this may include advising people to use strong, unique passwords, telling them to look out for phishing emails or fraudulent activity on their accounts and providing guidance on protecting themselves from identity theft.
There’s nothing stopping you telling people about the incident, even if you don’t think there’s a high risk to them, but you’ll want to balance any risk to them against the potential of causing unnecessary worry.
If you think there’s a high risk, then by law you have to tell them without undue delay. For example, if you feel there is a high risk of them having their identity stolen, then you have to let them know so they can be extra vigilant and take steps to protect themselves.
Step seven: Submit your report (if needed)
If the breach is reportable, you can report it online.
More info
If you’re unsure if your breach is reportable you can also use our self-assessment tool to help you decide or you can call our personal data breach advice line on 0303 123 1113.
When you report a breach, you’ll need to provide details such as what happened and when, your risk assessment, and what you’ve done to contain the breach. Please provide as much information as you can. This will help us give you the most relevant advice for the next steps you should take.
Don’t worry if you haven’t got all the information to hand straight away – the important part is letting us know that it’s happened before 72 hours have passed. You can always provide more later as part of a follow-up report if necessary. This should be completed without undue delay and should be an urgent priority for you.