Detecting and reporting data breaches for the GDPR

Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information. 

The small business guide to detecting and reporting data breaches

The GDPR requires you to have suitable processes defined and in place to detect, investigate and report data breaches.

What are Data Breaches?

The definition of a data breach according to the GDPR is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

It is essential to understand that data breaches are not just limited to malicious attacks on your website or computer network. They include staff error, such as loss of a phone, laptop or portable USB drive, or even leaving a print-out on a train.

What you need to do if you suffer a data breach

If you lose control of data, in any format, that could personally identify one of your customers, employees or even suppliers, you have suffered a data breach. At this point you need to evaluate how it happened and establish the size of the breach, bringing in external expertise if needed. You should then take steps to prevent it happening again. Lastly, decide who, according to the law, needs to be informed (see below).

Do I need to tell anyone about a Data Breach?

It depends. You may choose to report a breach just to be safe, but the GDPR makes allowance for breaches where "the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons". You should start by judging the severity of the breach:

Low Risk


Example: You leave a spreadsheet with a dozen customers' names, email addresses and account balances on the train. This poses no obvious risk to the rights and freedoms of your customers.


Recommended Actions:
  • Improve internal procedures to ensure this is unlikely to happen again.

Moderate Risk


Examples: You dispose of an office computer without wiping the hard drive; you know your website was hacked, granting access to the database of customer information - however, your customers' passwords are encrypted using appropriate technology.


Recommended Actions:
  • Improve internal procedures to ensure this is unlikely to happen again / host your website more securely.
  • Report the breach to the ICO - call their helpline on 0303 123 1113 to discuss what happened.

High Risk


Examples: Your website or network is compromised and all customer information and passwords are stolen; you lose a USB drive with a full copy of your customer database on it; you leave sensitive customer information, relating to health, religion, social issues, etc. in a public place.


Recommended Actions:
  • Improve internal procedures to ensure this is unlikely to happen again / host your website more securely.
  • Report the breach to the ICO - call their helpline on 0303 123 1113 to discuss what happened.
  • Report the breach to all affected customers, typically by email. Use appropriate means to force a reset of all passwords.

How long do I have to take these steps?

You have a legal obligation to report the data breach within 72 hours and to report the breach to customers (if necessary) without undue delay. You should call the ICO Helpline as soon as the breach is detected, even if you don't have full details.

Detecting Data Breaches

Despite the GDPR's insistence that you must have "robust breach detection" in place, data breach detection is a technical challenge for small businesses. It is incredibly common to find a domestic internet connection and an inexpensive or ageing router attempting to protect an entire business network from today's online threats.

Domestic internet connections and routers are entirely oblivious to the idea of data leaks and breaches - they have no facilities to detect, prevent or report if someone is trying to gain access to your network, or if someone is taking a copy of your private information. As breaches are not limited to "hacks" but also include data loss through staff error, there are very few services that can provide this kind of detection.

BREAKING NEWS: To help solve this obvious need in the market for SMEs, we have just launched a new product to allow small businesses to detect data breaches however they occur: Data Cuckoo. You can find full information on the Data Cuckoo website.

Also, I suggest you ask your IT Support company to make sure all computers and phones are up-to-date, make sure your router is updated or replaced with an up-to-date quality model, and install a firewall and anti-virus software on each computer. I would also suggest the adoption of encrypted USB drives for transporting customer data.

If you have a website, it would be worth asking your web host to document what they are doing to detect data breaches (typically hacks) and how they report them to you.

Further information on data breaches can be found on the ICO's website.