Hunter Law


November 2024

How to manage personal data breaches at work

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to keep all sensitive personal data they manage safe. It’s vital for every employee to play their part in handling data appropriately. And it’s the job of employers and HR to have clear policies and procedures in place and respond effectively if a breach occurs.

What is a personal data breach?

A personal data breach occurs when data is destroyed, lost, altered, or disclosed inappropriately. Breaches can range from simple human errors, such as sending an email to the wrong address, to more complex incidents like phishing attacks or hacking. Even verbal slips, like sharing confidential information overheard by someone else, can be problematic.

Why does GDPR matter?

Organisations can face hefty fines for sensitive data breaches—up to £17.5 million or 4% of global annual turnover. For example, Interserve, a construction company, was fined £4.4 million in 2022 for exposing the personal data of 113,000 employees.

Victims of breaches can pursue legal action. Manchester United, for instance, was sued after an email containing employees’ personal data was sent to casual staff, even though no fine was imposed by the ICO (Information Commissioner’s Office).

5 steps to manage a personal data breach

  1. Respond immediately

Immediate action can help prevent a small breach from escalating. Fast responses also protect affected individuals, reducing risks like identity theft.

  2. Have a procedure in place (and ensure all relevant employees know what it is)

Have a breach response plan in place and assemble a team from relevant departments like IT and HR.

  3. Contain the breach

Identify the breach’s scope, recover data if possible, and take steps to protect sensitive information (eg changing passwords).

  4. Assess the impact

Evaluate the scope of potential harm based on factors like the sensitivity of the data and who is affected.

  5. Document and report the breach

Notify the ICO within 72 hours of becoming aware of the breach if it poses a risk to individuals’ rights and freedoms. Regardless of whether it’s reported, keep records of the breach, its impact, and how it was handled.

Handling breaches swiftly and efficiently can limit legal, financial, and reputational damage while safeguarding affected individuals. Clear policies and regular staff training are essential, as is having the right IT structures in place to protect personal information.


If you enjoyed this blog then perhaps you’d like to sign up to our monthly newsletter. We’ll keep you updated on what’s new in employment law.

The team at Hunter Law is here for you. We can handle your HR issues, finesse your policies, and keep you up-to-date on evolving legislation. Please get in touch with our legal team, we’d love to help.
