Notification requirements

GDPR introduces a duty on all organisations to notify the relevant supervisory authority about certain types of personal data breach. Where a cybersecurity breach is likely to result in a risk of adversely affecting individuals’ rights and freedoms, GDPR requires that the data controller notifies the Information Commissioner’s Office without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where there is high risk to individuals, you must also inform the affected individuals without undue delay. This is not required if appropriate technical and organisational protection measures have been applied to the personal data, such as encryption and, possibly, pseudonymisation. You will also have to notify the police when it is suspected that the breach has arisen from a criminal act. An organisation is considered to be aware when it has a reasonable degree of certainty that a security incident has occurred and that this has led to personal data being compromised. For more information, see the Law Society’s Guide to GDPR:


The General Data Protection Regulation (GDPR) and the Data Protection Act 2018

Under GDPR and the Data Protection Act 2018, businesses and their staff are responsible for the security, compliance and governance of their data. GDPR is based around six privacy principles together with the accountability principle. In addition to these principles, individuals have specific rights in relation to their personal information placing certain obligations on organisations that are responsible for processing it. An overview of these principles is available on the Information Commissioner’s Office website: