Breaches of Data Protection

Data protection breaches do happen, as we know. A personal data breach occurs when a person's data has been accidentally or unlawfully:

  • Destroyed
  • Lost
  • Altered
  • Disclosed without authorisation, whether that be accidentally or deliberately.

What is required when a breach happens?
Under the GDPR, certain types of breaches involving personal data must be reported to the relevant supervisory authority within 72 hours of becoming aware of them. Following on from this, should the breach pose such a high risk to the data subject, they should be informed without delay.

Records will need to be maintained by the party who is liable for the breach. To assess the breach, you will need to identify the risk it poses to the data subject’s rights and freedoms, as well as the severity of that risk. We would recommend that legal advice is taken at that stage; if not, documentation is key to being able to justify why a breach has not been reported.

However, with appropriate measures to prepare for, manage and react to data breaches and ultimately reduce the possibility of their occurrence, it is possible that certain breaches do not have to be reported. It is therefore key to establish how breaches could occur in your day-to-day business. It is very easy for these to happen, for example by leaving your phone on the train or sending an email to the wrong recipient. Certain scenarios require simple solutions; however, this will not always be the case.

Should a breach need to be reported, Article 33 of the GDPR sets out what needs to be reported. This includes:

  • The nature and extent of the personal data breach.
  • Who your Data Protection Officer or other point of contact is, and their contact details.
  • The likely consequences of the data breach.
  • The measures taken by yourself as the controller to address and mitigate the effects of the breach itself.

Any failure to disclose a breach, even if this is due to internal analysis suggesting it does not need to be reported, may result in the aforementioned fines. Therefore, advice should always be sought in these scenarios.

    © 2021 Herrington Carmichael LLP. Registered in England and Wales company number OC322293.
