Dealing with a Data Breach

Supporting you in the event of a data breach

The financial and reputational damage caused by a data breach can have devastating consequences for businesses and organisations. Dealing with a data breach of any nature involves complex considerations. Our data breach solicitors can assist you from the moment that a breach is first identified to the conclusion of the legal processes which may follow.

Under investigation by the ICO

In the event that your organisation is investigated by the Information Commissioner’s Office (ICO), our data breach lawyers can draw upon significant specialist regulatory and criminal experience to support your organisation through the enforcement process. We have specialist litigation expertise within both the civil and criminal courts.

We have been instructed in a number of the most significant ICO investigations to date, including acting for a key individual in the on-going Facebook investigation. Our data protection team have a proven track record of acting in cases which attract media interest and where protection of a client’s reputation is of paramount importance. We are considered to have an exceptional breadth and depth of expertise in this complex and fast-developing area of law.

First response following a data breach

We will work closely with you from the point when a data breach is first identified in order to provide swift advice concerning your immediate obligations whilst anticipating and managing the consequences which may follow. We can assist by:

  • Advising upon your obligations to notify the ICO and data subjects within 72 hours
  • Advising upon any related notification obligations within regulated sectors
  • Managing the reputational impact of the data breach

Data breach investigation and enforcement

The ICO’s recently strengthened powers will be increasingly exercised to bring about compliance with data protection legislation and other information law. The ICO’s reach is broad: all individuals and organisations which obtain, share and store information about others may be investigated for breaches of the law. We can provide you with focussed legal advice and practical support if:

  • You are subject to an ICO investigation
  • You are compelled to provide information to the ICO, whether by search order, Information Notice or audit (Assessment Notice)
  • The ICO has identified data protection breaches and a regulatory outcome is being considered, such as an undertaking, Enforcement Notice or fine (Monetary Penalty Notice)

Criminal investigation for data protection offences

The Data Protection Act 2018 includes new criminal offences, for which both an organisation and its directors may be prosecuted. When facing a criminal investigation for data protection offences, you need the support of data breach lawyers who understand both the complexities of data protection legislation and the realities of the criminal justice system. The experience of our data protection team is set apart by the expertise of our criminal lawyers who can assist with:

Civil action in a data breach

An individual whose data rights have been breached is able to seek compensation for damage or distress caused by data breaches by application to the court. Where a data breach has affected a significant number of data subjects, the risk of civil litigation may be high and the consequences for an organisation significant. Our expert civil litigation lawyers can assess this risk immediately and assist you in mitigating the damage to potential claimants, ensuring you are prepared for any civil litigation which may follow.

 



Latest blogs & news

What is Next for GDPR in the UK, is Change on the Horizon?

The General Data Protection Regulation (known to everyone as the GDPR) is probably the most famous piece of legislation to come from the EU. It was and is incredibly ambitious in its scope, and shapes the way we engage with organisations both online and in the real world. When the UK formally withdrew from the EU, GDPR became retained EU law and continued to apply as before. The government have recently announced that they want to reform data protection legislation, but substantial deregulation might be an unrealistic ambition.

Coaching, Teaching and Support Work in Lockdown: Safeguarding and Data Protection considerations when working with children online

The COVID-19 crisis has forced sports clubs, schools, universities and charities to rapidly change their approaches to coaching, teaching and support work. The regulations on social distancing have forced organisations to innovate; services which had previously been offered mostly or wholly in person were rapidly shifted online during “lockdown 1” and will return online at least for the duration of “lockdown 3”.  If the vaccine rollout has the desired effect there will no doubt be some return to “traditional” methods, but it seems very unlikely that the changes brought about by the pandemic will be completely reversed.  In this blog, Claire Parry from Kingsley Napley’s Regulatory team and Fred Allen from the Public Law team look at the challenges organisations face engaging with children online.

ICO enforcement action – key considerations for charities in the GDPR era

It is now more than two years since the Data Protection Act 2018 and GDPR came into force, significantly increasing the enforcement powers of the Information Commissioner’s Office (ICO). With the passing of the Act, the ICO gained the power to issue fines amounting to millions of pounds and increased powers to bring criminal prosecutions against organisations who fail to comply with the data protection regime.

The privacy dilemma surrounding the coronavirus contact tracing app

In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.

COVID-19 and contact tracing apps: A test of public confidence in data privacy?

Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.

ICO enforcement – key considerations for businesses and organisations in 2020

On 23 May 2020, it will be two years since the Data Protection Act 2018 came into force. The Act was brought in to complement and supplement GDPR, and significantly increased the ICO’s enforcement powers. In the build-up to its commencement, there was a flurry of speculation about how these new powers would be used. We now look at how the ICO has used its enforcement powers in 2019 and highlight key considerations for businesses and organisations in 2020.

An early Christmas present for the tech sector from the CMA?

The Competition and Markets Authority (“CMA”) has today (18 December 2019) given the tech sector an early Christmas present by publishing its interim report on its market study, commenced earlier this year, into online platforms and digital advertising.

Data protection for your business after a no-deal Brexit

At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.

“WhatsApp” with Dominic Grieve’s motion for Brexit communications?

Monday night’s marathon session in Parliament saw a number of issues debated into the small hours and further defeats for the government. While many raised important political and legal issues, one of particular interest to information lawyers, followers of Parliamentary procedure and journalists alike was the endorsement of a “Humble Address” motion brought by former Attorney General, Dominic Grieve.

Overhaul of SARS regime to be welcomed

The Law Commission has this week made an important intervention in the world of anti-money laundering with its report on the Suspicious Activity Report (SARs) regime, including an analysis of weaknesses of the current system and a series of recommendations to make things streamlined, clearer and above all more workable.

WhatsApp messages: a treasure trove of evidence in team moves

The Court of Appeal’s judgment in Forse & ors v Secarma Ltd & ors is an important case on springboard injunction applications in employee competition and team move cases. It is also a prime example of how WhatsApp messages can provide crucial evidence in such cases.

How to respond to a subject access request: a step by step guide for organisations

Any individual dissatisfied with the speed or content of an organisation’s response to a SAR will find it quick and easy to complain to your organisation or the ICO. This guide is intended to make responding to SARs as straightforward as possible.

Innovation and data protection compliance: when opposites attract

Getting your black letter law data protection specialists to join your post-it wielding innovators on their bean bags might be challenging but it is important. Perhaps try breaking the ice with some table tennis and piano-led house music (a scientifically proven method).  

Our current Brexit options and the consequences for UK data protection law

EU leaders are due to meet today (1700 GMT) for an emergency summit dedicated to Brexit at which it is rumoured that they will grant an extension to the UK’s departure from the EU.  The infographic below sets out the possible Brexit options and what this might mean for UK data protection law. 

GDPR Compliance for US Companies

Focussing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog we consider the geographic scope of GDPR and the core business functions it impacts upon.

Brexit Update: EU-US Privacy Shield

On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit (which is due to take place on 29 March 2019). By way of a reminder, Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.

GDPR for the UK: Brexit and international transfers of personal data

With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.

Care homes take heed: if you have failed to pay the ICO data protection fee you could be breaking the law

The Information Commissioner’s Office (ICO) has commenced formal enforcement action against care homes that have failed to pay the data protection fee.

GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU

International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies.

Disclosure of Suspicious Activity Reports may not amount to Tipping-off, says High Court

The High Court has held that suspicious activity reports may amount to “personal data” for the purposes of the Data Protection Act 1998 (“DPA 1998”) and are potentially disclosable following a subject access request.

Related Services

Data Protection

We help negotiate this complicated area of law, ensuring personal data is protected and helping to manage the consequences when it is not.

GDPR Compliance

Our specialist GDPR compliance team can provide your organisation with commercial, properly targeted, expert legal advice so you can meet the requirements of data protection legislation.

Criminal Litigation

Our criminal lawyers are astute, supportive and highly sophisticated, particularly known for providing strategic, sensible and practical advice.

Dispute Resolution

Dealing with a dispute professionally and commercially takes skill. We assist and support our clients with both legal knowledge and strategy.

Public Law

Our 'exceptional' team has over 25 years' experience, acting in the most significant public law cases.

Regulatory

Our team of highly experienced lawyers provide advice on regulatory compliance, investigations, adjudication, enforcement and prosecutions.

Cyber Crime

Whether you are facing an investigation or prosecution or are the target of such activity, our cyber crime lawyers can help.

Dawn Raids, Search and Seizure

When subject to a “Dawn Raid”, search and seizure operation or search order, you require timely advice. Our specialist lawyers can provide the assistance you require.

Reputation and Media

Protecting our clients’ reputation and maintaining control when they are the subject of media scrutiny is what we do.

Dealing with an Investigation

Under investigation? We ensure you have the specialist, strategic advice to help you manage.
