Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles personal data, a breach of the Data Protection Act 2018 (and UK GDPR) can happen faster than you think - a misdirected email, a lost laptop, or an unsecured spreadsheet in the cloud.
Don’t panic. With the right preparation and a clear response plan, you can reduce risk, meet your legal duties and protect trust with your customers and team.
In this guide, we break down what counts as a breach, when you must report it, the potential consequences, and practical steps to stay compliant under UK law.
What Is A Breach Of The Data Protection Act For Small Businesses?
Under the Data Protection Act 2018 (DPA 2018) and UK GDPR, a “personal data breach” is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In plain English - if someone who shouldn’t can see, change, lose or access personal data, that’s likely a breach.
Common Small Business Examples
- Sending invoices or HR records to the wrong customer or employee.
- Using email “To” instead of “BCC” on a customer mailing list.
- Malware or phishing that exposes customer names, emails, addresses or payment data.
- Unencrypted laptops or phones being lost or stolen.
- Staff sharing passwords or using weak credentials for cloud tools.
- A supplier (data processor) mishandling data due to poor security or unclear instructions.
Breaches can be intentional (e.g. external attack) or accidental (e.g. human error). Both can trigger legal duties.
Personal Data Vs. Special Category Data
Personal data is information that identifies a person (name, email, phone, address, IP address, etc.). Some data is more sensitive - “special category” data (e.g. health data, biometric data, religious beliefs) and criminal offence data. Breaches involving these usually carry higher risks and stricter expectations.
Do You Have To Report A Data Breach To The ICO?
Not all breaches must be reported, but you must assess them quickly. If a breach is likely to result in a risk to individuals’ rights and freedoms (e.g. risk of fraud, identity theft, discrimination, or financial loss), you must report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
When You Must Notify
- Notify the ICO: If the breach is likely to pose a risk to individuals. If you miss the 72-hour window, you need to explain why.
- Notify affected individuals: If the risk is “high”, you must also inform the people affected without undue delay, in clear, plain language, including steps they can take to protect themselves.
- Keep records: You must log all breaches (even those you don’t report) - what happened, the likely impact, and what you did in response.
What To Include In Your ICO Report
- A description of the breach (what data, how many people, what happened).
- Likely consequences (e.g. risk of identity theft, distress, financial loss).
- Measures taken or proposed to address the breach and mitigate its impact.
- Contact details of your data protection lead/contact.
Having a clear Data Breach Response Plan makes this process much easier and helps you meet the 72-hour clock with confidence.
What Are The Consequences Of Breaching The Data Protection Act?
Consequences vary depending on seriousness, harm, and how you respond. The law expects you to act promptly, transparently and proportionately.
Regulatory Action And Fines
- Administrative fines of up to £17.5 million or 4% of annual worldwide turnover (whichever is higher) for the most serious infringements.
- Enforcement notices requiring you to change practices, delete data, or improve security.
- Audit and monitoring by the ICO, which can be time-consuming and disruptive.
In practice, the ICO looks at your preparedness and response. If you can show appropriate policies, training, contracts and a timely, honest response, this can significantly reduce the regulatory impact.
Claims, Costs And Reputational Damage
- Individuals may seek compensation for financial loss or distress.
- Incident response costs, forensic IT, PR support and system remediation.
- Loss of customer trust, reduced sales, and increased churn.
Strong privacy hygiene - clear policies, technical controls and supplier contracts - is the best way to prevent issues and to demonstrate you took “appropriate measures” if something does go wrong.
Common Causes Of Breaches In Small Businesses (And How To Avoid Them)
Most breaches are preventable with simple, consistent practices. Focus on the risks that matter most to SMEs: people, processes, and suppliers.
1) Human Error
Misdirected emails, wrong attachments and poor password hygiene are top causes. Reduce the risk by:
- Turning on multi-factor authentication (MFA) across email and key apps.
- Using automatic email delay/send checks for external recipients.
- Running short, practical staff training twice a year (phishing, safe sharing, device hygiene).
- Limiting access on a “need-to-know” basis.
2) Weak Or Misconfigured Tech
Unpatched systems, public links, and insecure cloud storage can expose data. Tackle this by:
- Using reputable cloud providers and defaulting to private access.
- Encrypting laptops and mobiles, and enforcing screen locks and remote wipe.
- Keeping software and devices up to date with automatic patching.
- Maintaining an asset register for devices holding personal data.
3) Supplier/Processor Mistakes
If a third-party provider processes personal data for you (a “processor”), you’re responsible for ensuring they offer adequate security and follow your documented instructions. Put a robust Data Processing Agreement in place, carry out due diligence, and monitor performance.
4) Unclear Privacy Practices
Ambiguity breeds risk. Be upfront with customers and staff about what you collect, why, and how long you keep it. Publish a clear, tailored Privacy Policy and keep it in sync with your actual data flows.
5) Cookies And Tracking
Cookies and similar tech are governed by PECR and UK GDPR. You generally need consent for non-essential cookies (analytics/marketing) and transparent information about what you use. Make sure you have the right notices and controls via a compliant Cookie Policy.
Practical Steps To Stay Compliant And Reduce Risk
Think of privacy compliance as an ongoing, manageable routine - not a one-off project. Here’s a practical, business-friendly approach that fits most SMEs.
Map Your Data
- List the personal data you collect, where it’s stored, and who you share it with.
- Identify special category data (e.g. health info for wellness programs) and apply extra safeguards.
- Check international transfers (including cloud tools that store data overseas) and ensure appropriate safeguards.
Set Your Legal Foundations
- Publish and maintain a Privacy Policy that reflects real-world practices.
- Use a Data Processing Agreement with all processors (e.g. IT support, marketing platforms, payroll providers).
- Where you share data as separate controllers with partners, consider a Data Sharing Agreement to set clear responsibilities.
- Put in place an internal Data Breach Response Plan so your team knows exactly what to do.
Train Your Team
- Onboarding and refresher training covering phishing, secure sharing, and breach reporting.
- Clear do’s and don’ts for tools like messaging apps and cloud drives. If you’re using cloud storage, make sure it’s configured appropriately and consider whether your chosen tool is GDPR compliant in practice.
Prepare For Rights Requests
Individuals have rights to access and delete their data (among others). Have a simple process and scripts for handling a Subject Access Request within one month, and know when exemptions might apply. If you’re assessing deletion requests, this guide on GDPR data deletion is a handy sense-check.
Housekeeping That Pays Off
- Enable MFA across critical accounts; enforce strong passwords via a manager.
- Rotate and revoke access when staff change roles or leave.
- Schedule periodic reviews of your privacy notices, cookie banners and supplier list.
- Confirm your ICO fee position annually - some businesses are exempt; check the rules on ICO fee exemptions.
What To Do If A Breach Happens In Your Business (Step-By-Step)
Speed and structure matter. Here’s a straightforward playbook you can follow today - and customise in your Data Breach Response Plan.
1) Contain And Secure
- Stop the bleeding: reset passwords, revoke access, remove publicly shared links, disconnect infected devices, and apply patches.
- Preserve evidence for investigation (don’t wipe logs).
2) Assemble Your Response Team
- Nominate an incident lead (often your founder/ops lead) and involve IT, HR and communications as needed.
- Contact critical suppliers if the issue involves their systems.
3) Assess The Risk
- What data was affected? How many people? Is it special category data?
- What’s the likelihood of harm (financial loss, identity theft, distress)?
- Document your analysis - you will need this for your records and any ICO report.
4) Decide On Notifications
- ICO: If the breach is likely to pose a risk to individuals, report within 72 hours of becoming aware of it. If your report is incomplete, you can provide details in phases.
- Individuals: If high risk, notify affected people promptly with clear, practical advice (e.g. password resets, credit monitoring).
5) Remediate And Learn
- Fix root causes (technical and human), update policies, adjust settings and provide targeted training.
- Review contracts and consider strengthening your Data Processing Agreement or switching suppliers if needed.
- Update your records and, if relevant, your Privacy Policy and Cookie Policy to reflect any changes.
If timelines or thresholds feel unclear in the moment, it’s wise to get tailored advice quickly. A short call can save a lot of stress and reduce regulatory risk.
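As an added example (not from the article or from Sprintlaw), here is a minimal breach-register entry in Python that applies the playbook's notification rules: every incident is logged, the 72-hour clock runs from the moment you become aware, notifications follow from a human-assessed risk level, and late reports are flagged as needing an explanation. The field names, the three risk labels and the sample incident are constructed for illustration, not a legal test.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # "where feasible, within 72 hours of becoming aware"


@dataclass
class BreachRecord:
    """One breach-log entry; written for every incident, reportable or not."""
    aware_at: datetime        # when the business became aware: this starts the clock
    what_happened: str
    data_affected: str
    people_affected: int
    special_category: bool    # health, biometric, etc.: usually higher risk
    encrypted: bool           # encryption may lower risk but is still recorded
    risk: str                 # human judgement from step 3: "unlikely", "likely" or "high"
    reasoning: str            # why that level was chosen (needed even if not reported)
    actions: list = field(default_factory=list)  # measures taken or proposed
    updates: list = field(default_factory=list)  # phased-report additions (time, note)

    def __post_init__(self):
        if self.risk not in ("unlikely", "likely", "high"):
            raise ValueError("risk must be 'unlikely', 'likely' or 'high'")
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware so the deadline is unambiguous")

    def ico_deadline(self):
        return self.aware_at + ICO_WINDOW

    def obligations(self, now):
        """Derive what is due at time `now`; logging is always required."""
        notify_ico = self.risk in ("likely", "high")
        return {
            "log_internally": True,
            "notify_ico": notify_ico,
            "notify_individuals": self.risk == "high",
            "ico_deadline": self.ico_deadline() if notify_ico else None,
            # missing the window does not remove the duty; the report must explain the delay
            "explain_delay": notify_ico and now > self.ico_deadline(),
        }

    def add_update(self, at, note):
        """Record a later phase of the report (e.g. final affected count)."""
        self.updates.append((at, note))


# Constructed sample incident (the To/BCC mailing-list mistake from the article).
SAMPLE = BreachRecord(
    aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
    what_happened="customer mailing sent with recipients in To instead of BCC",
    data_affected="names and email addresses", people_affected=340,
    special_category=False, encrypted=False, risk="likely",
    reasoning="addresses exposed to all recipients; spam and phishing risk",
    actions=["recalled message", "BCC reminder issued to staff"],
)
```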
FAQs: Breaching The Data Protection Act As A UK SME
Is Every Security Incident A Reportable Breach?
No. You must record all breaches, but you only report to the ICO if the incident is likely to result in a risk to individuals’ rights and freedoms. If the data was encrypted, the risk may be lower - but you still need to assess and document your reasoning.
What If A Supplier Causes The Breach?
You remain responsible for compliance as the controller. Your first step is containment and assessment, then decide on notifications. Strong processor terms and practical oversight are essential - a robust Data Processing Agreement sets expectations and gives you audit/assurance options.
Do I Need A Data Protection Officer (DPO)?
Most small businesses don’t need a formal DPO, but you should appoint someone to lead privacy compliance and incident response. If you conduct large-scale monitoring or process large volumes of special category data, you may need a DPO - get advice if you’re unsure.
How Long Do I Have To Keep Breach Records?
There’s no fixed period in the legislation, but you must be able to demonstrate compliance. As a practical rule, align breach logs with your general compliance record-keeping (often at least a few years) and your internal retention schedule.
What About Marketing And Cookies?
PECR sits alongside UK GDPR. You usually need consent for non-essential cookies and must offer a clear choice (no pre-ticked boxes). Make sure your notices are accurate and easy to understand, backed by a current Cookie Policy.
Key Takeaways
- A breach of the Data Protection Act/UK GDPR includes any incident that compromises the confidentiality, integrity or availability of personal data - not just hacking.
- Assess incidents quickly. If there’s likely risk to individuals, you must notify the ICO within 72 hours, and notify affected people if the risk is high.
- Prepare in advance: a tailored Data Breach Response Plan, clear Privacy Policy, and strong supplier contracts such as a Data Processing Agreement and Data Sharing Agreement reduce risk and demonstrate compliance.
- Invest in simple controls that work: MFA, encryption on devices, access controls, regular training, and a sensible process for Subject Access Requests.
- Keep good records - of your data flows, decisions, breaches (even non-reportable ones) and remediation. Documentation matters if the ICO asks questions.
- If in doubt about thresholds, timelines or whether to notify, get advice quickly. A prompt, well-documented response can significantly limit regulatory and reputational impact.
If you’d like help putting practical privacy foundations in place - or you’re dealing with an incident right now - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.