Data breaches are a significant business risk, yet many founders operate without a clear plan for what to do if one occurs or a full understanding of what constitutes a breach. Under UK GDPR, businesses have specific legal obligations when a breach occurs — including in some cases a duty to notify the ICO and affected individuals — making this a practical compliance requirement.
A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to cyberattacks — sending an email to the wrong person, losing a device with personal data, or accidentally publishing personal information all constitute breaches. Where a breach poses a risk to individuals' rights and freedoms, it must be reported to the ICO within a defined timeframe.
Not every breach requires reporting — only those likely to result in risk to individuals trigger the notification obligation. All breaches should be documented internally regardless of severity. Having a simple response process before an incident occurs — knowing who to notify and when — reduces the risk of a compliance failure compounding the original problem. Our guide to data breach response covers obligations and steps for UK businesses.