What to Do If Your Business Suffers a Personal Data Breach

Richard Riley
The recent high-profile cyber breaches at Marks & Spencer, the Co-operative Group, and the Legal Aid Agency underscore the risks that even large, well-resourced organisations face in managing personal data. These incidents also demonstrate the importance of maintaining not only effective security measures, but also robust breach response plans, as required by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Detect and Contain the Breach
Speed is critical. Under Article 32 of the UK GDPR, organisations must implement appropriate technical and organisational measures to ensure data security. This includes having a clear incident response plan. The Co-operative Group acted swiftly, taking its systems offline to halt further intrusion. The Legal Aid Agency’s breach, by contrast, appears to have been exacerbated, at least in part, by outdated infrastructure and insufficient staff training, both key risk factors under the accountability principle.
Any breach should be immediately contained, with affected systems isolated and forensic investigation commenced. The organisation’s Data Protection Officer (or equivalent lead) should be engaged from the outset.
Notify the ICO and Affected Individuals Where Required
Under Article 33, if the breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the Information Commissioner’s Office (ICO) within 72 hours. If there is a high risk, affected individuals must also be informed without undue delay under Article 34. Importantly, you need not have full details of the breach within the 72-hour window – a preliminary report, followed by updates, is acceptable.
For instance, M&S promptly notified customers and advised on phishing risks while the Co-op also informed members, clarifying that no financial data had been compromised. In both cases, these steps helped mitigate reputational damage while satisfying transparency obligations in the UK GDPR.
Investigate and Address Root Causes
Organisations must assess how the breach occurred and take remedial steps. M&S traced its breach to a compromised third-party IT supplier. Co-op is collaborating with national cybercrime agencies, and the Legal Aid Agency will likely have to undergo a full systems overhaul.
Under the accountability principle set out in the UK GDPR, businesses must not only respond to breaches but also demonstrate that they have taken appropriate steps to prevent future incidents. This includes reviewing supplier contracts, ensuring adequate staff training, and investing in resilient infrastructure.
Fines and Compensation
A breach does not automatically lead to a fine. The ICO considers context including whether reasonable steps were taken and whether the organisation was negligent. Maximum penalties are reserved for the most serious and/or systemic failings.
Data subjects may also pursue compensation for material or non-material damage (including emotional distress). However, timely mitigation, transparent handling, and demonstrable compliance can reduce both regulatory fines and individuals’ private claims for compensation.
How Bermans can help
A personal data breach can be serious, but it does not need to be catastrophic. Organisations that have developed a robust response plan and that act swiftly, communicate transparently, and review their systems rigorously can not only limit harm but emerge stronger. These recent high-profile cases show the importance of accountability, preparation and resilience.
At Bermans, our commercial team helps clients manage regulatory obligations, strengthen their data protection practices, and respond to data breaches. Whether reacting to an incident or planning ahead, our commercial team is here to support you.
Contact Richard Riley.