Forensic Control

A Guide to Incident Response in the Event of a Data Breach



Data breaches are a serious threat to any organisation that handles personal data (Data that relating to an identifiable person). A data breach occurs when information held by an organisation is stolen or accessed without authorisation. This can result in financial losses, reputational damage, legal liabilities and regulatory penalties for the organisation, as well as harm or distress for the individuals whose data is compromised.

The UK General Data Protection Regulation (UK GDPR) introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

In this guide, we will explain what defines a data breach, provide an example of a data breach, and outline the steps you should take if you discover a data breach in your organisation.

What defines a data breach?

A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. For example, a data breach can occur when:

  • An email containing personal data is sent to the wrong recipient.
  • A laptop or USB containing personal data is lost or stolen.
  • A hacker gains access to your network or systems and steals or alters personal data.
  • A malicious insider leaks or sells personal data to a third party.
  • A natural disaster or fire damages or destroys your physical records or devices containing personal data.

Not all security incidents are data breaches. For example, if you accidentally delete personal data but you have a backup copy that you can restore quickly, this is not a data breach. However, you should still document the incident and review your security measures to prevent it from happening again.

An example of a data breach

One of the most notorious data breaches in recent history was the one that affected British Airways in 2018. Hackers were able to redirect users of the British Airways website to a fraudulent site, where they harvested the personal data of about 400,000 customers. The leaked data included login and travel booking details, names, addresses and credit card information. The ICO fined British Airways £20 million for failing to protect the personal data of its customers.

What steps should you take if you discover a data breach?

If you suspect or confirm that a data breach has occurred in your organisation, you should follow these steps:

  1. Don’t panic. Stay calm and assess the situation objectively. Gather as much information as possible about the nature, scope and impact of the breach.
  2. Contain the breach. Take immediate action to stop or limit the breach from spreading or causing further damage. For example, you could isolate the affected system, change passwords, retrieve or delete the data, or contact the recipient of the data and ask them to delete it or return it securely.
  3. Report the breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, you must report it to the ICO within 72 hours of becoming aware of it. You can use the ICO’s online reporting tool. You should provide as much information as possible, such as what happened, when and how, what data was involved, how many people were affected, what risks you have identified, and what actions you have taken or plan to take. If you don’t have all the information yet, you can provide it later, but you should not delay reporting the breach. If you decide not to report the breach, you should document your reasons and keep a record of the breach internally.
  4. Notify the individuals. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You should explain what happened, what data was involved, what risks they may face, and what steps they can take to protect themselves. You should also apologise and offer them support, such as a helpline number or a contact person. You should use the most appropriate and effective means of communication, such as email, phone, letter, or public announcement. You should not notify the individuals if doing so would increase the risk to them, or if it would involve disproportionate effort. In such cases, you should consider alternative measures, such as a public statement or a prominent notice on your website.
  5. Assess the breach. You should conduct a thorough investigation to determine the causes and consequences of the breach, and to identify any weaknesses or gaps in your security measures. You should document your findings and recommendations, and keep a record of the actions you have taken or plan to take to prevent similar breaches in the future.
  6. Review and monitor the breach. You should monitor the situation and the effects of the breach, and update the ICO and the individuals if there are any changes or new developments. You should also review your policies and procedures, and implement any necessary changes or improvements to your security practices. You should also provide training and awareness to your staff, and test and evaluate your security measures regularly.
  7. Where necessary you may need to carry out Digital Forensic Investigations for a data breach, particularly if a criminal offence has taken place or if there is misconduct at play. It is essential for any investigation that the above steps are carried out to preserve evidence and ensure an efficient investigation.


Data breaches are a serious risk for any organisation that handles personal data. You should have a data breach response plan in place to help you detect, manage and report any breaches that may occur. You should also take steps to prevent or minimise the likelihood of breaches, such as encrypting your data, using strong passwords, limiting access to data, and educating your staff. By following these steps, you can protect your organisation and the individuals whose data you process from the negative effects of data breaches. If you would to understand more about how we can support you in a potential data breach feel free to speak to our team and we can advise. 

Related content

As computer forensics experts we are bound to abide by the ACPO Principles of Digital Based Evidence, ACPO being the Association of Chief Police Officers. ACPO provides a set of Guidelines for Computer Based Evidence, and they come with a suite of four essential principles. Here they are.
Computer forensics, sometimes known as digital forensics, is undertaken by trained examiners who pull data (search histories, purchase records, time logs and more) from devices including, but not limited to: computers, tablets, and smartphones.


Sign up here if you wish to receive updates and news from Forensic Control by email. We will not send you anything else and you may end the subscription at any time.

By providing your email address, you agree to receive marketing
messages as per our Privacy Policy