Data Protection Breach Reporting Procedure (Sept25)

Our responsibility

We are responsible for ensuring that personal data processed by us is not:

  • accessed without authority;
  • processed unlawfully;
  • lost;
  • destroyed; or
  • damaged.

Nevertheless, we realise that from time-to-time things may go wrong and we might fail to achieve one or more of our data protection responsibilities.

If this does happen, it is essential that we take steps to try and put things right. However, we can only do this if we know that there has been a problem.

We all have a duty to report any actual or suspected data breaches, regardless of whether you have discovered them or have caused them.

What is a personal data breach?

A personal data breach can broadly be defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’

Data breaches can include:

  • sending personal data to the wrong person (e.g., a misdirected e-mail);
  • a failure to redact confidential information when providing documents to a client;
  • files or computers containing personal data being lost or stolen;
  • our IT system being hacked;
  • abuse by staff (e.g., when a departing member of staff takes confidential client information with them);
  • alteration of personal data without permission (e.g., where it appears records have been falsified to cover up a mistake);
  • loss of personal data (e.g., when records have been wrongfully or mistakenly deleted); and
  • a breach by a data processor acting on our behalf (e.g., your payroll services company suffers a breach affecting your data).

Personal data breaches can happen for a wide range of reasons, including human error, cyber-attacks, deceit, loss or theft of equipment and inadequate or inappropriate access controls.

If you are unsure whether a particular circumstance or incident constitutes a personal data breach, please refer the matter to Timothy Halliday, who is our Data Protection Manager (DPM), or to another Director in their absence, for guidance.

Reporting a personal data breach

All personal data breaches must be reported to the DPM immediately upon discovery. This remains the case irrespective of whether you are working in the office or remotely when you become aware of the breach.

Reports should be made using the Access Legal Compliance Breach Reporting module.

Managing data protection breaches

There are four key steps to our data protection breach management plan:

  • Containment and recovery
  • Assessment and ongoing risk
  • Notification of breach
  • Evaluation and response

Containment and recovery

The DPM, in conjunction with the reporting person, must:

  • Take steps to recover any lost data and limit the damage that the breach could cause;
  • Decide who will lead the investigation into the breach; and
  • Find out who needs to be aware of the breach and tell those persons what they are expected to do (if anything) to assist in the containment and recovery of the breach.

Assess the risks

The DPM will assess the potential adverse consequences of the breach for the data subjects/individuals concerned (the people that the personal data in question belongs to), the potential severity or scale of the breach and the likelihood of the adverse consequences occurring.

Notification of breach – ICO

We have a duty to report all personal data breaches to the ICO that are likely to result in a risk to the rights and freedoms of individuals. If we decide that a breach is not reportable, we must be able to justify this decision and document the reasoning behind it. The ICO website includes a useful self-assessment tool which can help to determine if a data breach needs to be reported to them.

The DPM is responsible for ensuring that all relevant data breaches are reported to the ICO without undue delay and no later than 72 hours after having become aware of it. If it takes longer, we must give reasons for the delay. Article 33(4) of the UK GDPR allows us to provide the required information in phases, as long as this is done without undue further delay, the investigation is prioritised and expedited, and the ICO are informed as to when we expect to submit more information.

The DPM will report the breach to the ICO in accordance with the reporting methods set by the ICO.

When reporting a breach, the UK GDPR says we must provide:

  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if our organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

It is extremely important that the ICO is informed of all notifiable breaches as a failure to do so can result in a heavy fine of up to £8.7m or 2% of the firm’s global turnover.

Notification of breach – affected individual(s)

The individuals (data subjects) affected by the data breach must be informed directly and without undue delay (i.e. as soon as possible). Where there is deemed to be a high risk to the rights and freedoms of the affected individual(s), the requirement to inform the individual(s) is higher than the requirement to notify the ICO, therefore they should be informed first (before the ICO – although note the 72 hour rule regarding reporting to the ICO), particularly if there is a need to mitigate an immediate risk of damage.

The affected individual(s) must be informed of the nature of the personal data breach, in clear and plain language, and at least:

  • the name and contact details of any data protection officer you have, or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects; and
  • contact details they can use should they require further information or help.

If possible, you should give specific and clear advice to individuals on the steps they can take to protect themselves, and what you are willing to do to help them. Depending on the circumstances, this may include such things as:

  • forcing a password reset;
  • advising individuals to use strong, unique passwords; and
  • telling them to look out for phishing emails or fraudulent activity on their accounts.

Notification of breach – SRA and other third parties

The COLP must be notified of all personal data breaches. If they determine that the breach constitutes a serious breach of the SRA’s regulatory arrangements, they will need to promptly notify the SRA about it.

The COLP will also give consideration as to whether any other third parties should be notified to help to reduce the risk of financial loss to individuals i.e. the police, insurers, professional bodies, the bank, etc.

Evaluation and response

The final step is to evaluate our response to the data breach.

It is important to establish whether the breach was caused by an isolated incident as a result of human error or is part of a wider systematic issue, so that we can try to stop the same or a similar breach from occurring in the future.

Any lessons learned will be shared across the firm as appropriate.

The COLP will review records of data breaches periodically to establish any trends, root causes of breaches and near misses and how we can prevent recurrences and will take appropriate follow-on action e.g. require refresher data breach training to be completed or provide support and supervision to staff.

As a result of a breach, we may experience a higher volume of data protection requests or complaints, particularly in relation to access requests and erasure. We will have a contingency plan in place to deal with this possibility and will continue to deal with such requests or complaints alongside any other work generated as a result of the breach.

Recording a data protection breach

The DPM will record any data protection breach in the Access Legal Compliance Breach Reporting module. All breaches will be recorded, regardless of whether or not they need to be reported to the ICO.

When logging a data breach in the Access Breach Reporting module, you will have the option to select ‘ICO’ as the type of breach. Once logged, this will then be escalated to management to investigate.

If the breach needs to be reported to the ICO, the module will take the investigator through the steps to do this. The ICO’s response can also be recorded in the system.

If there has been an incident that could lead to a data breach, this can be logged in the Risk Register. Different incident types will allow for the record to be logged accurately. If the incident is then escalated to a breach, this can be tracked through the breach section on the record or in the dedicated Breach Reporting module and linked back to the incident.

If one incident contains several different breaches, the advanced modules will allow you to link them all together.

Review of this procedure

This procedure will be reviewed at least annually by the DPM Timothy Halliday.

September 2025
