Data Breaches: Assessing the level of risk

The alarm goes off inside your organisation; you’re certain, or have a reasonable degree of certainty, a personal data breach has occurred. You’ve either contained the breach, or are in the process of doing so. You’ve established all the facts or are still gathering them. Great stuff. You’re starting to manage the risk.

Alongside this, there are two pressing issues to address under GDPR (and UK GDPR):

1. Do you need to report the breach to a Data Protection Authority (e.g. the UK’s Information Commissioner’s Office – ICO)? Reporting is required within 72 hours of becoming aware of a breach, and must be done unless the breach is unlikely to represent a ‘risk’.
2. Do you need to notify affected individuals? This is required without undue delay if the breach represents a ‘high risk’.

Data Protection Authorities don’t need to hear about every incident where there’s minimal risk to individuals. In fact, the ICO made it clear after GDPR was implemented that they saw a degree of over-reporting. There’s a balance to be struck; you don’t want to fail to report a data breach when you should have.

Each incident needs to be considered on a case-by-case basis, taking account of all relevant factors. No two incidents are likely to be the same (unless you failed to address something crucial the first time around!). The key is balancing the severity of the potential impact on those affected with the likelihood of this occurring. For example, the impact could be quite severe, but highly unlikely to materialise, or conversely the impact could be relatively low, but highly likely.

What do data breach harms look like?

There could be a number of negative consequences for people affected, so you need to consider the harms and/or damage the breach might cause. For example, it could result in any of the following: financial loss, identity theft, fraud, emotional distress, loss of confidentiality, discrimination, humiliation and reputational damage.
Other harms could include material or physical damage, loss of control of personal data, social disadvantage or limitation of rights.

How to assess the potential harm from a data breach

In assessing the types of harm the breach may result in, it can be useful to answer the following types of assessment questions:

■ Can individuals be identified easily?
■ Are people at increased risk of identity theft or fraud?
■ Could people suffer financially?
■ Could people’s reputation be damaged?
■ Is there a breach of confidentiality?
■ Are people at risk of physical harm?
■ Does the breach involve information relating to children or vulnerable adults?
■ Does the combination of data involved pose more of a risk?

The above is by no means an exhaustive list. The importance of certain questions will vary, depending on the nature of the incident, the personal data and individuals affected, and indeed the nature of your organisation.

It’s good practice to use a risk matrix, with a scoring system of likelihood against severity, so you can evaluate the severity and likelihood of the harm identified. This helps answer the key questions of a) should we report to a Data Protection Authority? and b) should we notify affected individuals? Not only does a scoring system provide internal reassurance that a clear methodology is being used, it’s also useful evidence of your assessment should it ever be required.

The European Commission Guidelines on Notification of a Personal Data Breach (in section IV) provide helpful pointers on how to assess risk and high risk. If your breach involves special category data or financial details, the risks may be more obvious and the decision to report the breach may be more clear-cut.

Assessments may need to be fluid, including regular ‘check-ins’ with colleagues as your understanding of the situation evolves and answers to your questions become known.
While your response to a data breach needs to be swift and effective, often you won’t know all the facts and are unable to fully evaluate the risk posed within 72 hours. The first report to a Data Protection Authority can be just an initial report. This can then be followed up with more information as it becomes available. In some cases the risk rating of a breach might be downgraded or upgraded.

The key to success is having a robust data incident procedure, to help your data incident response team manage what can be multiple moving parts as effectively as possible: a procedure which includes a clear method of assessing the risk. Like many ‘emergencies’ in life, from a punctured tyre to a cut finger, being well prepared will prove invaluable.

What’s a recognised legitimate interest? ICO publishes draft guidance on a new lawful basis

As a result of the Data (Use and Access) Act 2025, a seventh lawful basis for processing is being added to the UK GDPR. So, how does a recognised legitimate interest differ from a legitimate interest, and how does the ICO tell us this new lawful basis will work in practice?

Legitimate Interests

The existing lawful basis of legitimate interests may be appropriate depending on the purposes for which we’re collecting and using personal data. It’s considered the most flexible lawful basis, but the onus is on us to make sure our organisation’s interests are balanced with the interests, rights and freedoms of individuals. And while not strictly speaking a legal requirement to document this ‘balancing test’, the ICO stresses it would be difficult to meet our accountability obligations without a record of a Legitimate Interests Assessment (LIA).

Recognised Legitimate Interests

There are now five new conditions which are set in law as recognised legitimate interests, and while we still need to determine necessity, we no longer need to conduct a balancing test. The ICO’s draft recognised legitimate interests guidance sets out these pre-approved purposes for using personal data. This draft is open to consultation, so may be subject to some amendments. Additional purposes may be added to this list in due course.

1. Public Tasks Disclosure Condition

Sharing personal information with another organisation that has requested it from you because they need it for their public task or official functions. This condition will only apply if you can meet the following requirements:

■ another organisation asks you to share or disclose personal information;
■ that organisation states in their request they need the particular information for their public tasks or official functions which are laid down in the law; and
■ your disclosure of the personal information is necessary to respond to their request.
For more detail see ICO draft guidance: Public Tasks Condition.

2. National Security, Public Security and Defence Condition

To safeguard national security, protect public security or for defence reasons. To use this condition, you must only intend to use personal information for these purposes and be able to demonstrate this use is necessary. The term ‘defence’ should be read as national defence, for example the protection, security and capability of the armed forces, and the civilian staff that support them. See ICO draft guidance on this condition.

3. Emergencies Condition

To respond to, or deal with, an emergency situation. This covers situations which threaten serious damage to the environment or people’s welfare, or pose a serious threat to UK security. See ICO draft guidance: Emergencies Condition.

4. Crime Condition

To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. The scope of this condition includes economic crimes such as money laundering and scams. The ICO makes it clear that if you’re handling criminal offence data you will still need to meet additional requirements under Article 10, UK GDPR. See ICO draft guidance: Crime Condition.

5. Safeguarding Condition

To protect the physical, mental or emotional well-being of people who need extra support, or protect them from harm or neglect. To rely on this condition you must:

■ make sure what you’re planning to do with personal data falls within the definition of safeguarding;
■ be satisfied the person you wish to safeguard is a child or an ‘at risk’ adult; and
■ make sure the handling of personal information is necessary for this purpose.

For more detail see ICO draft guidance on Safeguarding Condition.

Key points to bear in mind…

■ Public authorities can’t rely on recognised legitimate interests to perform their tasks or functions.
■ What you’re planning to do must meet one of the pre-approved conditions above.
■ You must be satisfied using personal information is necessary, taking into consideration the facts of each case and whether there’s another reasonable and less intrusive alternative.
■ More than one condition may apply to a particular situation or activity. No condition is better or more important than the others.
■ The conditions can apply for different types of personal data, including special category data. However, when relying on this lawful basis for special category data you’ll still also need to make sure you have a special category condition under Article 9 and meet any necessary requirements for that condition.
■ You may also need to consider if conducting a Data Protection Impact Assessment is necessary or appropriate.

Relying on recognised legitimate interests may mean there’s no longer a need to conduct an LIA, but the ICO stresses this doesn’t mean there are no restrictions, and you’ll still need to comply with all other requirements under data protection law.

And to be clear, there’s no obligation to switch your lawful basis. If you currently rely on legitimate interests, have balanced this and are comfortable with it, you can keep things just as they are. If you do choose to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice.

Data Protection Complaints: NEW requirements

A ‘must do’ for ALL organisations

By June 2026 organisations will be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025. Final guidance from the ICO is expected this Winter, following a consultation which has now closed. This consultation document gave us some useful pointers on the steps to take.

The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about:

■ a data breach which affected them
■ your response to their Data Subject Access Request
■ how long you’re keeping their data
■ how you’ve profiled them
■ or any other data protection related matter

I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first.

A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar.

What the law says

Organisations are legally required to fulfil the following:

■ Procedure – give people a way of raising data protection complaints
■ Acknowledgement – acknowledge each complaint within 30 days of receipt
■ Action and progress – take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress
■ Outcome – provide an outcome without undue delay

How people can raise a complaint

People must have a way of being able to raise a complaint directly with you.
While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:

■ Complaints form – for people to submit their complaint either electronically or in writing
■ Telephone – allow people to make a complaint over the phone
■ Portal – provide an online complaints portal
■ Live chat – use a live chat function with the option to escalate to a human if needed
■ In person – provide a way to make complaints in person if you don’t have an online presence

Published complaints procedure

Many organisations, particularly those in the public sector, will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover:

■ How people can make data protection complaints
■ What people can expect from your process (e.g. acknowledgement within 30 days, kept informed of progress, and provided with an outcome without undue delay)

In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience-specific privacy notices.

Asking for more information

If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’.

Complaints made on someone’s behalf

As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by seeking power of attorney or a signed letter of authority.
The ICO is clear that if you have no evidence a third party is authorised to act on someone’s behalf you aren’t required to investigate a complaint, but should respond explaining this.

The 5 step data protection complaints process

1. Acknowledge

The law doesn’t prescribe how an acknowledgement should be provided, but the ICO gives the following examples:

■ Verbal complaints – keep a record and follow up in writing (e.g. by email or post)
■ Email / live chat – an automated response could be used
■ Letters – acknowledgement by post

The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received this on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday, you have until the next working day.

The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or if your organisation is closed. This is an important point for organisations such as schools or colleges which may close for a period of time.

2. Investigate

You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible. It may also be useful to ask people to let you know the outcome they’re seeking, and if you choose to use a complaints form, this point could be built in.

You’ll need to gather the information necessary to respond to the complaint, and the ICO tells us this might include taking actions such as:

■ Looking at relevant facts thoroughly, fairly and accurately
■ Speaking to relevant staff
■ Comparing information you hold with the information from the complainant
■ Checking you’ve upheld your own terms, policies and standards

3. Update on progress

There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue.
You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions.

4. Provide outcome

Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following:

■ A clear explanation of what you’ve done to resolve their complaint
■ Any actions you’ve taken (where appropriate)
■ Enough information to help the individual understand how you’ve reached your conclusion

If the individual is not satisfied with your outcome, you should tell them they have the right to complain to the ICO, and it would be good practice to provide them with the regulator’s contact details. If they then tell you they’re planning to complain to the ICO, you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information.

Crucially, you must be able to justify why you handled a complaint in the way you did. Which neatly brings us on to…

5. Record keeping

It will be necessary to keep evidence of your approach to each complaint you receive, and the ICO recommends keeping a record of the following:

■ the date you received the data protection complaint
■ your acknowledgement
■ any relevant conversations and documents
■ the outcome of the complaint
■ any actions you took as a result of your investigation

You may be asked to provide this evidence to the ICO, or other industry bodies. In all of this, don’t forget data retention; it would be a good idea to agree how long you’ll keep records of complaints.
Key steps to take now

We’d recommend taking the following actions:

■ Collaborate with relevant colleagues and agree your approach
■ Assign responsibility for investigating and reviewing complaints
■ Publish your complaints procedure (prior to June 2026)
■ Start raising awareness and adapt relevant training so staff know how to recognise a data protection complaint and know what to do if they receive one.

For more information see the draft ICO Complaints Guidance.