Understanding Data Incidents and Personal Data Breaches

When a “data incident” is mentioned, we tend automatically to think of a personal data breach. The ICO says that “a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted, or disclosed”.

We have covered the definition of personal data before, but generally it means any information that a living individual can be identified from. Not all data incidents involve personal data though.

Unauthorised access to commercially sensitive information on your business can be every bit as serious for your organisation, despite there being no need to notify the ICO and other agencies.

Any incident that involves the loss of data comes under one of two categories.


In January 2023 the Royal Mail were hit by a LockBit ransomware attack. Their pre-prepared plan was implemented. The ICO was notified, and help sought from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA). The ransom demands were refused, and overseas postal services were slowly restored to normal. The impression that cyberattacks are only a problem for large organisations is misleading; 43% of cyberattacks target small businesses.

Putting a plan in place to cover the many ways that data can be accessed from lost or stolen devices, to phishing emails and cyber security to protect the integrity of your systems is essential for organisations of all sizes. Being aware of all the possible ways an incident may occur can be a complex task for the general business owner. When were access controls last updated, and how robust is user authentication in your systems. Over 30% of businesses fail to wipe data when they dispose of old phones or laptops, which makes it another item for your data security procedures.


Human error remains the single largest cause of data breaches reported to the ICO. By implementing good practice within an organisation, 75% of breaches are avoidable. Emails sent to the wrong person, or screens left on and displaying personal information are high on the list. Having effective processes in place to prevent deliberate or accidental deletion of data is another critical area for consideration.

In October 2022 the UK Information Commissioner, John Edwards, said in a ruling that imposed a £4 million fine on construction firm Interserve. “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

CSRB works with many SMEs to implement data breach procedures, we are also certified personal data protection training providers. We can act as your outsourced data protection officer guaranteeing you professional, qualified advice. CSRB provides a personal data breach response package for organisations, focusing on education, training, and having a personal data breach response plan in place should you need to use it. Contact us today on 0117 325 0830 or info@csrb.co.uk for a free 30 minute online personal data breach advice session.