Data Breaches under the GDPR


Data breaches are back under the spotlight following the decision by the Information Commissioner’s Office (“ICO”) to issue a £500,000 fine to Facebook on 24 October 2018. The fine relates to Facebook’s failure to protect users’ personal information and the subsequent use of such data in political campaigning by companies including Cambridge Analytica.

It is a timely reminder to all organisations of the possible legal and regulatory ramifications of suffering a data breach. The ICO have been at pains to make clear that the fine issued to Facebook was the maximum sum they could impose, as the events relating to the breach all took place before the General Data Protection Regulation (“GDPR”) came into force in May this year.

Under the GDPR the ICO, and other national supervisory bodies, now have the ability to levy much more onerous fines on organisations for data breaches, and British Airways (“BA”) may well be looking on with some anxiety. BA announced earlier this year that they had suffered a “hack” which affected around 380,000 transactions, in which the personal data of their customers was compromised. BA issued an update on 26 October 2018 admitting that the holders of a further 180,000 payment cards have also been affected and that their name, billing address, email address, card payment information, including card number, expiry date and in some cases the CVV, have potentially been compromised. The ICO has confirmed that it is currently investigating the BA breach. Since the breach occurred after May 2018, any fine the ICO decides to issue will be subject to the new law under the GDPR. Under the GDPR there are two tiers of administrative fines which BA could potentially face, depending on the severity of the breach and any failures by BA:

  • Up to 10 million euros or 2% of its annual global turnover, whichever is higher; and
  • Up to 20 million euros or 4% of its annual global turnover, whichever is higher.

What is a data breach?

It is important to recognise that under the GDPR, the legal definition of a data breach is a wide one:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Most people would probably recognise that a cyber security “hack”, as in the case of BA, would be classed as a data breach; however, under the above definition even accidental loss or deletion of data could amount to a breach.

The supermarket chain Morrisons recently lost their appeal in the Court of Appeal against a High Court ruling that it was vicariously liable for an employee's deliberate disclosure of co-workers' personal data on the internet. In that case the employee who worked for Morrisons as an internal IT auditor copied the personal data relating to other employees, including payroll data, onto a USB stick. He took the stick home and posted the data on the internet. The employees affected were successful in claiming damages from Morrisons which was held vicariously liable for the breaches of data protection law. There is concern that this could be the first in a wave of class actions by employees and customers after a data breach.

As Facebook and Morrisons have found out (and BA are likely to find out), there may be significant financial consequences after a data breach. It is therefore very important that staff within organisations are trained to identify quickly when a breach has occurred, and that internal reporting structures are in place so that staff know to whom they must report any breach. In addition, it would be prudent for organisations to have a data breach policy in place which formalises these processes and holds staff to account.

Steps a company should take if they have been affected by a data breach

Internal reporting

One of the key themes introduced by GDPR was the concept of accountability which runs through the regulations. Organisations are now required to be able to demonstrate how they are compliant with the regulations and this is largely met through having in place internal records, policies and registers demonstrating data protection compliance. One such document is an internal breach register. Organisations should maintain a breach register on which they record the factual circumstances of any breach suffered, what was done in response to the breach and any improvement measures implemented in order to prevent further breaches from happening.

Notification requirements

Organisations who suffer the misfortune of a data breach should also be aware that they may be under a legal requirement to notify either a supervisory body (which will be the ICO in the UK) or the affected individuals within a certain time limit after a breach. Organisations will be expected to notify the ICO where a breach is likely to result in a risk to an individual's rights and freedoms. There are a number of factors a data controller will need to consider when assessing the risk to individuals including the type of breach, nature, sensitivity and volume of personal data, ease of identification of individuals and severity of consequences for individuals.

If such an obligation to notify arises, the data controller must then make their notification to the ICO “without undue delay” and, where possible, not later than seventy-two hours after having become aware of the breach. Should this take longer, then justifications must be given for the delay. Awareness of the breach is deemed to be when an organisation has a reasonable degree of certainty that the breach has occurred. If a data controller decides they are not under an obligation to report the breach, then they need to be able to justify this decision, so the breach should still be documented in the internal breach register (see above) and the justifications noted.

There may also be a requirement to communicate a breach to individuals, which is triggered where a breach is likely to result in a high risk to their rights and freedoms. The threshold for communicating a breach to individuals is higher than for notifying the relevant supervisory body.

The recent cases of Facebook, BA and Morrisons reiterate the growing importance of being able to quickly identify and properly respond to data breaches. If you would like to speak to someone regarding data breaches or data protection compliance then please contact our Commercial Team on 01603 610911.

Article by
Leathes Prior Team
October 26, 2018