How SMEs can deal with a UK GDPR data breach | myhrtoolkit

Published on February 20, 2020 by Camille Brouard
    GDPR · Data security · SME

Please note: This article has been updated to reflect the UK GDPR (which replaced the EU GDPR for UK organisations from 1 January 2021). The Data (Use and Access) Act came into force on 19 June 2025 and the ICO is currently reviewing its guidance — we recommend checking the ICO website for the latest updates.

Many SMEs are understandably worried about receiving a UK GDPR data breach fine. The financial loss resulting from such a fine could seriously undermine the viability and prospects of the business; the reputational loss associated with a major UK GDPR breach can also take a heavy toll that reaches beyond the initial fine.

Here we provide an overview on what constitutes a UK GDPR data breach, what to do when a breach occurs, the financial side of the breach process, and how to better anticipate UK GDPR data breaches and minimise their impact for the improved security and safety of your business.

What is a UK GDPR breach?


According to the Information Commissioner’s Office (ICO), a UK GDPR data breach occurs when there is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” (source). The breach could be due to accidental or deliberate action or inaction.

Examples of data breaches include unauthorised third-party access to data, sending personal data to the wrong recipient, or alteration of personal data without consent. As a result of the incident, the confidentiality, integrity or availability of the data becomes compromised. Whether you are a data controller or processor, you have a responsibility to report breaches, but to different people. Processors must report breaches to Controllers, and Controllers must report breaches to the ICO. 

When do you need to report a data breach?

When a data breach has occurred, it’s important to establish the risk and potential severity of the incident affecting people’s individual rights and freedoms. This could include, for example, emotional distress, as well as physical and/or material damage. If a risk is likely, the ICO advises that you get in touch to inform them.

How to report a UK GDPR breach


If you know or suspect a UK GDPR breach has occurred, you can report it to the ICO. You must do so within 72 hours of becoming aware that the breach has occurred. If you report later than this, you can provide an explanation for the delay.

The UK GDPR data breach reporting process involves providing information on the following:

  • The nature of the breach (including number of individuals concerned and categories and approximate number of personal data records concerned where possible).
  • The contact details of your data protection officer (or the most relevant contact if you don’t have one).
  • The likely consequences of the breach.
  • The measures you have taken or will take to deal with the breach and contain or alleviate possible adverse effects.

You may not be able to provide all this information within 72 hours; if this is the case, the ICO recommends that you start the reporting process within this timeframe and provide further information later.

Reporting to the affected individuals

The ICO states that if a breach is likely to result in a high risk to the rights and freedoms of the individuals involved, you must also inform them without undue delay. Note that this 'high risk' threshold is higher than the standard required to notify the ICO — not every breach you report to the ICO will also need to be communicated to the affected individuals.

UK GDPR breach fines


Under the UK GDPR, fines are split into two tiers. For serious violations — such as unlawfully processing personal data — the maximum fine is £17.5 million or 4% of global annual turnover, whichever is higher. For breaches of specific obligations such as failing to report a data breach to the ICO, the lower tier applies: up to £8.7 million or 2% of global annual turnover, whichever is higher.

Developing your UK GDPR data breach response plan

Having a plan in place to respond to potential and actual UK GDPR data breaches is essential for protecting your business and the personal data you hold.

Creating a data breach notification policy

Developing a robust UK GDPR policy that details how the business identifies and responds to data breaches will help ensure that everyone in the business treats data security as a priority. Distribute this policy to your staff just as you would any of your important HR policies. Educating everyone on how to identify and escalate data security issues will help you anticipate and mitigate UK GDPR breaches at all levels of the organisation.

Keeping a data breach log

It’s essential practice, as part of your UK GDPR data breach policy, to keep a written log of all data breaches and near misses. The ICO advises that you keep a log of all incidents, even the ones that you don’t have to report. This will help you form an overview of security issues within the organisation that have or may lead to a data breach.
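The reporting rules above (who reports to whom, the 72-hour clock that starts when you become aware, the four items the ICO asks for, the higher 'high risk' bar for telling individuals) and the advice to log every incident including the ones you never report can be captured in a small breach register. The following is an added example written for this article, not code from myhrtoolkit or the ICO; the field names, the three risk categories and the sample incidents are constructed for illustration.

```python
"""Minimal UK GDPR breach register (added example, constructed data).

Records every incident and near miss, works out who has to be told, tracks the
72-hour reporting clock from the moment of awareness, and lists which of the
ICO's required details are still missing so they can be sent on later.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Report to the ICO without undue delay and, where feasible, within 72 hours of
# becoming aware of the breach.
REPORTING_WINDOW = timedelta(hours=72)

# The details the ICO expects in a report; an initial report may be submitted
# with some still unknown and completed afterwards.
REPORT_FIELDS = ("nature", "individuals_affected", "records_affected",
                 "dpo_contact", "likely_consequences", "measures_taken")


class Risk(Enum):
    """Assessed risk to individuals' rights and freedoms (assumed categories)."""
    UNLIKELY = "unlikely"  # log it, no report required
    LIKELY = "likely"      # report to the ICO (or to your controller if you are a processor)
    HIGH = "high"          # as LIKELY, and also tell the affected individuals


@dataclass
class BreachRecord:
    reference: str
    role: str                       # "controller" or "processor"
    aware_at: datetime              # when the organisation became aware: the clock starts here
    risk: Risk
    nature: Optional[str] = None
    individuals_affected: Optional[int] = None
    records_affected: Optional[int] = None
    dpo_contact: Optional[str] = None
    likely_consequences: Optional[str] = None
    measures_taken: Optional[str] = None
    reported_at: Optional[datetime] = None

    def report_to(self) -> Optional[str]:
        """Processors report to their controller; controllers report to the ICO.
        A breach unlikely to pose a risk is only logged."""
        if self.risk is Risk.UNLIKELY:
            return None
        return "ICO" if self.role == "controller" else "controller"

    def must_notify_individuals(self) -> bool:
        # A higher threshold than ICO notification: only 'high risk' breaches.
        return self.risk is Risk.HIGH

    def deadline(self) -> datetime:
        return self.aware_at + REPORTING_WINDOW

    def missing_details(self) -> list[str]:
        """Required report fields not yet known; send these on when available."""
        return [f for f in REPORT_FIELDS if getattr(self, f) is None]

    def status(self, now: datetime) -> str:
        if self.report_to() is None:
            return "logged_only"
        if self.reported_at is None:
            return "overdue" if now > self.deadline() else "due"
        return "reported_late" if self.reported_at > self.deadline() else "reported_on_time"


def status_report(records: list[BreachRecord], now: datetime) -> dict[str, dict]:
    """One line per incident, suitable for a weekly review of the register."""
    return {
        r.reference: {
            "status": r.status(now),
            "report_to": r.report_to(),
            "notify_individuals": r.must_notify_individuals(),
            "missing": r.missing_details(),
        }
        for r in records
    }


# Constructed sample incidents (not real events).
SAMPLE_NOW = datetime(2025, 3, 5, 12, 0, tzinfo=timezone.utc)


def build_sample_register() -> list[BreachRecord]:
    return [
        BreachRecord("BR-001", "controller", datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
                     Risk.HIGH, nature="Payroll spreadsheet emailed to the wrong recipient",
                     individuals_affected=40, records_affected=40, dpo_contact="dpo@example.invalid",
                     likely_consequences="Salary and bank details disclosed to a third party",
                     reported_at=datetime(2025, 3, 4, 16, 0, tzinfo=timezone.utc)),
        BreachRecord("BR-002", "processor", datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc),
                     Risk.LIKELY, nature="Unauthorised access to a shared HR folder",
                     dpo_contact="dpo@example.invalid"),
        BreachRecord("BR-003", "controller", datetime(2025, 3, 4, 14, 0, tzinfo=timezone.utc),
                     Risk.UNLIKELY, nature="Near miss: encrypted laptop left on a train, recovered",
                     individuals_affected=0, records_affected=0, dpo_contact="dpo@example.invalid",
                     likely_consequences="None", measures_taken="Reminder issued to staff"),
    ]


if __name__ == "__main__":
    for ref, row in status_report(build_sample_register(), SAMPLE_NOW).items():
        print(ref, row)
```

In the sample, BR-001 was reported to the ICO inside the window but still owes the "measures taken" detail, BR-002 is a processor incident whose report to the controller is now overdue, and BR-003 is a near miss that is logged but needs no report. Keeping the near miss in the register is the point of the ICO's advice above: the log shows patterns before they become reportable breaches.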


How to keep your staff’s data secure

Many businesses treat the security and safety of their customer data as a priority, and rightly so. However, protecting your staff’s personal information is just as important: staff have the right to know what information you hold about them and can make a Subject Access Request to find out.

Investing in an HR software system helps small businesses keep their staff data organised and secure; myhrtoolkit has a dedicated Security Centre for putting in place the security controls that help ensure staff are only seeing the information they need to and unauthorised parties cannot gain access. To find out more about how HR software can help your business, get in touch.



Written by Camille Brouard

Camille is a Senior Marketing Executive for myhrtoolkit who writes on topics including HR technology, workplace culture, leave management, diversity, and mental health at work.
