Data Breaches: Assessing the level of risk The alarm goes off inside your organisation; you’re certain, or have a reasonable degree of certainty, a personal data breach has occurred. You’ve either contained the breach, or are in the process of doing so. You’ve established all the facts or are still gathering them. Great stuff. You’re starting to manage the risk. Alongside this, there are two pressing issues to address under GDPR (and UK GDPR): 1. Do you need to report the breach to a Data Protection Authority? (e.g. the UK’s Information Commissioner’s Office – ICO). Reporting is required within 72-hours of becoming aware of a breach, and must be done unless the breach is unlikely to represent a ‘risk’ 2. Do you need to notify affected individuals? This is required without undue delay if the breach represents a ‘high risk’. Data Protection Authorities don’t need to hear about every incident where there’s minimal risk to individuals. In fact, the ICO made it clear after GDPR was implemented they saw a degree of over-reporting. There’s a balance to be struck; you don’t want to fail to report a data breach when you should have. Each incident needs to be considered on a case-by-case basis, taking account of all relevant factors. No two incidents are likely to be the same (unless you failed to address something crucial the first time around!). The key is balancing the severity of the potential impact on those affected with the likelihood of this occurring. For example, the impact could be quite severe, but highly unlikely to materialise, or conversely the impact could be relatively low, but highly likely. What do data breach harms look like? There could be a number of negative consequences for people affected, so you need to consider the harms and/or damage the breach might cause. For example, it could result in any of the following: financial loss, identity theft, fraud, emotional distress, loss of confidentiality, discrimination, humiliation and reputational damage. Other harms could include material or physical damage, loss of control of personal data, social disadvantage or limitation of rights. How to assess the potential harm from a data breach In assessing the types of harm the breach may result in it can be useful to answer the following types of assessment questions: ■ Can individuals be identified easily? ■ Are people at increased risk of identity theft or fraud? ■ Could people suffer financially? ■ Could people’s reputation be damaged? ■ Is there a breach of confidentiality? ■ Are people at risks of physical harm? ■ Does the breach involve information relating to children or vulnerable adults? ■ Does the combination of data involved pose more of a risk? The above is by no means an exhaustive list. The importance of certain questions will vary, depending on the nature of the incident, the personal data and individuals affected and indeed the nature of your organisation. It’s good practice to use a risk matrix, with a scoring system of likelihood against severity, so you can evaluate the severity and likelihood of harm identified. This helps answer the key questions of a) should we report to a Data Protection Authority? and b) should we notify affected individuals? Not only does a scoring system provide internal reassurance a clear methodology is being used it’s also useful evidence of your assessment should it ever be required. The European Commission Guidelines on Notification of a Personal Data Breach (in section IV) provide helpful pointers on how to assess risk and high risk. If your breach involves special category data or financial details, the risks may be more obvious and the decision to report the breach may be more-clear cut. Assessments may need to be fluid, including regular ‘check-ins’ with colleagues as your understanding of the situation evolves and answers to your questions become known. While your response to a data breach needs to be swift and effective, often you won’t know all the facts and are unable fully evaluate the risk posed within 72-hours. The first report to a Data Protection Authority can be just an initial report. This can then be followed up with more information as it becomes available. In some cases the risk rating of a breach might be downgraded or upgraded. The key to success is having a robust data incident procedure, to help your data incident response team manage what can be multiple moving parts as effectively as possible. A procedure which includes a clear method of assessing the risk. Like many ‘emergencies’ in life, from a punctured tyre to a cut finger, being well prepared will prove invaluable.

What’s a recognised legitimate interest? ICO publishes draft guidance on a new lawful basis As a result of the Data (Use and Access) Act 2025 a seventh lawful basis for processing is being added to the UK GDPR. So, how does a recognised legitimate interest differ from a legitimate interest, and how does the ICO tell us this new lawful basis will work in practice? Legitimate Interests The existing lawful basis of legitimate interests may be appropriate depending on the purposes for which we’re collecting and using personal data. It’s considered the most flexible lawful basis, but the onus is on us to make sure our organisation’s interests are balanced with the interests, rights and freedoms of individuals. And while not strictly speaking a legal requirement to document this ‘balancing test’, the ICO stresses it would be difficult to meet our accountability obligations without a record of a Legitimate Interests Assessment (LIA). Recognised Legitimate Interests There are now five new conditions which are set in law as recognised legitimate interests, and while we still need to determine necessity we no longer need to conduct a balancing test. The ICO’s draft recognised legitimate interests guidance sets out these pre-approved purposes for using personal data. This draft is open to consultation, so may be subject to some amendments. Additional purposes may be added to this list in due course. 1. Public Tasks Disclosure Condition Sharing personal information with another organisation that has requested it from you because they need it for their public task or official functions. This condition will only apply if you can meet the following requirements: another organisation asks you to share or disclose personal information; that organisation states in their request they need the particular information for their public tasks or official functions which are laid down in the law; and your disclosure of the personal information is necessary to respond to their request. For more detail see ICO draft guidance: Public Tasks Condition 2. National Security, Public Security and Defence Condition To safeguard national security, protect public security or for defence reasons. To use this condition, you must only intend to use personal information for these purposes and be able to demonstrate this use is necessary. The term ‘defence’ should be read as national defence, for example the protection, security and capability of the armed forces, and the civilian staff that support them. See ICO draft guidance on this condition. 3. Emergencies Condition To respond to, or deal with, an emergency situation. This covers situations which threaten serious damage to the environment or people’s welfare, or pose a serious threat to UK security. See ICO draft guidance: Emergencies Condition 4. Crime Condition To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. The scope of this condition includes economic crimes such as money laundering and scams. The ICO makes it clear if you’re handling criminal offence data you will still need to meet additional requirements under Article 10, UK GDPR. See ICO draft guidance; Crime Condition 5. Safeguarding Condition To protect the physical, mental or emotional well-being of people who need extra support or protect them from harm or neglect. To rely on this condition you must: make sure what you’re planning to do with personal data falls within the definition of safeguarding be satisfied the person you wish to safeguard is a child or an ‘at risk’ ‘adult make sure the handling of personal information is necessary for this purpose For more detail see ICO draft guidance on Safeguarding Condition. Key points to bear in mind… Public authorities can’t rely on recognised legitimate interests to perform their tasks or functions. What you’re planning do to must meet one of the pre-approved conditions above. You must be satisfied using personal information is necessary, taking into consideration the facts of each case and whether there’s another reasonable and less intrusive alternative. More than one condition may and can apply to a particular situation or activity. No condition is better or more important than the others. The conditions can apply for different types of personal data including special category data. However, when relying on this lawful basis for special category data you’ll still also need to make sure you have a special category condition under Article 9 and meet any necessary requirements for that condition. You may also need to consider if conducting a Data Protection Impact Assessment is necessary or appropriate. Relying on recognised legitimate interests may mean there’s no longer a need to conduct an LIA, but the ICO stresses this doesn’t mean there are no restrictions, and you’ll still need to comply with all other requirements under data protection law. And to be clear, there’s no obligation to switch your lawful basis. If you’re currently rely on legitimate interests, have balanced this and are comfortable with it, you can keep things just as they are. If you do choose to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice.

Why the Right of Access is broken DSARs are an overly onerous and often pointless exercise There’s been murmuring for years about the ‘weaponisation’ of the right of access. Individuals submitting Data Subject Access Requests in an effort to try and ‘dig up dirt’ for another matter. Maybe during an unfair dismissal claim, a disciplinary case, employment tribunal, an ongoing complaint or prior to litigation. Organisations sometimes believe the person is submitting a DSAR just to be downright awkward and find themselves unable to meet the threshold to refuse the request (in part, or in full) as ‘manifestly’ unfounded or excessive. Businesses are spending excessive amounts of time responding to more tricky requests. We’re told we need to be prepared and have enough resources to handle requests. But is it reasonable to expect small-to-medium sized organisations to have teams on standby for 6-7 requests a year? Often one or two people have to dedicate hours… days, to respond by the statutory deadline. This can be a whole calendar month where they’ve done little else. We also know countless local councils, police services, NHS trusts and other public bodies have been on the receiving end of official ICO reprimands for failing to address their massive backlogs of requests. Something needs to change. It’s getting worse not better. Anecdotally, I’m hearing the number of requests is steadily increasing. No one is immune. Companies that have never received a DSAR have had the horror of their first one from a disgruntled ex-employee. Charities, housing associations, travel operators, retailers, publishers are all in the firing line. The problem. Fulfilling this right is often not straightforward. The ICO’s guidance is over 100 pages long. I can deliver a whole day’s DSAR training session and not cover every nuanced consideration. The specific circumstances of a request can throw up new challenges. Yes, we can always improve our procedures and make efficiencies. But ultimately, with difficult requests there will always be time-consuming issues which can’t be automated. There may be brilliant software available to streamline the process. But many small-to-medium sized companies and charities, with limited budgets, will struggle to justify the cost of new technology when the volume of requests is not very high, and fluctuates significantly. Some redaction technology can almost make things worst by over-redacting. Then, after all our efforts are people happy with what they receive? It seems not. While I can’t find the most recently figures, the ICO’s 2023/24 Annual Report reveals nearly 40,000 complaints were received by the regulator. A staggering 39% of these concerned DSARs. Those submitting requests are clearly further disgruntled with what they receive. By June 2026 UK organisations will be legally required to have a data protection complaints procedure. And yes, this will inevitably mean a percentage of the DSARs you get out the door, will come straight back in as a formal complaint. More time and effort, while the individual’s frustration grows. I fear we’ll see public bodies not just being accused of failing to address a massive backlog of DSARs, but a massive backlog of unresolved data protection complaints too. Of course, we’re not all saints. Some organisations do a bad job with DSARs. I’ve seen cases where individuals have been provided with reams of overly redacted documents which make no sense. Some organisations blatantly ignore requests. A Care Home manager has been personally fined for deliberately destroying and withholding information, when faced with a DSAR. There are the cases where bad practices can be exposed. There are the high-profile cases. Nigel Farage successfully revealed via a DSAR that NatWest had closed his Coutts account due to his political opinions. And then via a second request exposed how NatWest employees had made disparaging comments about him. But I like to believe there are plenty of organisations trying their very best to do the right thing. I work with some who spend painstaking hours retrieving, assessing and redacting, only to look at what they’re providing and think ‘is this of any value to the person?’ Often, a DSAR seems far from the most suitable route for the individual to get the information or resolution they’re seeking. If we take a step back to why this right exists in data protection law it seldom feels like DSARs are being submitted in the spirit of what legislators intended. GDPR states: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data… Recital 63 gives us further clarification: A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. For its part the ICO says: It is a fundamental right for individuals. It helps them understand how and why you are using their data and check you are doing it lawfully. In reality? The times when an individual is actually expressing an interest in the ‘lawfulness of processing’ are, in my experience, exceptionally rare. In the past twenty years, I can’t think of any case I’ve dealt with where the requestee has stated an interest in this. So, my interest was piqued by a proposal in the European Commission’s Digital Omnibus, which is looking at amending aspects of GDPR. It suggests requests could be rejected, or a fee charged, if a controller considers the request is being used by someone for other purposes than the ‘protection of their personal data’. On the face of it, this seems a good idea. An attempt to take the right of access back to what the legislation originally intended it to be. But the devil will be in the detail. How would organisations make this judgement call? Will people just get smart and add new wording to make sure their requests meet the bar? If the EU does proceed with significant changes, I would encourage the UK Government to follow suit. Others in my field may gasp and shake their heads, but I was disappointed the UK Data (Use and Access) Act only clarified in law right of access matters which already happen in established practice. I wish it had gone further. There are other areas which could be looked at. When an individual insists they want all their personal data, should organisations really be under an obligation to include information the individual already has? Is the timescale too short? Could we at least not have to count bank holidays! Can the threshold for manifestly unfounded or excessive be lowered, or changed? As it stands, I believe some but not all DSARs are too onerous for organisations to fulfil, and often provide no meaningful benefit for the individual. No one seems to win, and complaints grow. Please can something change. Unfortunately, as the law is unlikely to be amended any time soon, either in the EU or UK, I’ll leave you with a few quick tips:  A DSAR is not a right to documentation. It’s a person’s right to receive a copy of their personal data and other supplementary information. A request for specific information isn’t a DSAR just because it includes personal data – in fact treating a specific request like a DSAR can be to the individual’s detriment and create an unnecessary burden on resources. Managing expectations right from the start can help to reduce complaints. People often have a flimsy grasp of what the right actually entitles them too. Talking with the requestee can often resolve much more than relying on emails. I’ve written more about managing employee related requests and do check out the ICO’s helpful employee DSAR Q&A.

Understanding data protection harms What consequences are we trying to prevent? We hear a lot about data protection risks, but equally important is knowing what data protection harms look like. Harms are essentially the range of potential consequences for individuals, or indeed society more broadly, should data protection risks materialise. Insufficient training, weak access controls, ‘invisible’ processing and over-retention of personal data are just some examples of data protection risks which, if left unaddressed or if an incident occurs, could cause harm to individuals. When conducting risk assessments (such as Legitimate Interests Assessments, DPIAs and AI Assessments) we don’t just need to identify the risks, we also need to think about what possible outcomes and harms we are trying to prevent. And crucially when a data breach occurs, we need to know the consequences this could have for those affected – the harm it could cause. In our experience, assessments and data breach plans don’t always clearly spell out the nature of harm which could materialise if the appropriate measures and controls are not put in place to prevent or mitigate them. This is where the ICO’s Taxonomy of Data Protection Harms is a useful document. It includes a non-exhaustive table of harms, which would be a handy appendix to any DPIA template or Data Incident Procedure. Data protection harms aren’t always obvious. They can be nuanced, complex, overlapping or more intangible. Financial loss may be easier to gauge than psychological damage. We need to assess both the likelihood of harm and its severity. Broadly using the ICO’s taxonomy here are some examples of data protection harms: