Managing data breaches & cyber security incidents
An increasing number of cyber incidents have been reported recently, with reports made to the Information Commissioner’s Office (ICO) by both Marks and Spencer plc and the Co-op Group. Harrods has also indicated that it has recently been targeted by ransomware, and the British Library has published a detailed look at an incident that occurred in October 2023.
It is worth businesses continuing to ensure that all policies and procedures are up-to-date and that responsibilities under GDPR and other legislation are clearly understood. A clear plan should be in place should a data breach occur, whether related to a cyber incident or not.
The ICO has guidance for small businesses to help ensure all steps are followed to comply with the law: it must first be considered whether or not the reporting threshold is met, and if it is, the personal data breach must be reported to the ICO without undue delay and within 72 hours.
The ICO also has detailed guidance, checklists and more to help businesses respond to personal data breaches. This includes how to decide whether a report should be made and, if so, what information the report must contain.
Further detailed guidance is available from the ICO about dealing with ransomware and cyber attacks.
Where a significant cyber incident occurs, this may also need reporting to the National Cyber Security Centre (the NCSC). The NCSC guidance is helpful as to what incidents need reporting and how to do this, as well as how to manage the incident in relation to customers and the media.
Incidents not considered significant, as well as those that might lead to a heightened risk of individuals being affected by fraud, should be reported to Action Fraud.
Posted on 05/07/2025 by Ortolan