My business has had a data breach, what next?

My business has had a data breach, what next?

By Emma Roe, Partner and Head of Commercial at Shulmans LLP

Any type of data breach, whether due to an external hacking incident or an internal staff error, is a significant issue that needs immediate attention.  A key aspect of the legal requirements surrounding a data breach is to demonstrate that your business or organisation takes the issue very seriously and is proactively seeking to not only protect any individuals who may be affected, but is also taking active steps to improve systems and processes quickly to prevent a similar issue occurring again.

Communications following a data breach, both internally and externally, need to be carefully managed to convey these key messages effectively.

In the immediate aftermath of a breach the most important thing to establish, as quickly as possible, is exactly what data has been compromised and the number of individuals affected.

You need to focus on confirming exactly what has happened and how any risks created can be mitigated, prepare your statement and reassure your customers and employees that you are in control of the situation.  Knowing precisely what you are dealing with is key in the early stages to allow you to manage the next steps around communication.  Whilst it is important to act without delay, don’t feel that you need to rush to make available information about a data breach incident until you have been able to verify it. Internally, communications need to take a structured approach to support a swift investigation and establish exactly what data has been compromised and to what extent.

Under current laws there is no mandatory requirement to notify the regulator, the Information Commissioner’s Office (ICO), or the individuals affected. However changes to the data protection laws, which will come into effect within the next 12 months, will require any business that experiences a data breach to report it to the ICO within 72 hours of becoming aware of it, and then to notify affected individuals if the breach is likely to impact on their rights and/or freedoms. In turn, this will mean that having a rapid response approach to breaches will become even more critical in the near future.

Once you’ve determined which legal requirements you are required to fulfil regarding notifying the ICO and affected individuals, and whilst ensuring you are not disclosing any confidential information, key messages to be relayed publicly should be kept short and aim to include:

  • any reassurances you can give regarding how serious the breach is
  • general information you can give about what type of data is affected
  • advice to individuals on how to prevent identity fraud which could occur as a result of using the information which may have been compromised

This information should only be issued in a manner which does not impact on any ongoing investigation into the incident itself or any attempts to further protect systems and data following the breach.  However, if you are able to confirm that no payment related data, or medical or health related data is involved, this can be a useful message to begin reassuring the public.

You should also provide information regarding the communication that the affected individuals can expect from your business following the breach.  Where possible, share security assurances such as confirming that you won’t be contacting any of your employees or customers via email or phone asking for passwords or account details in the coming weeks.  This will provide reassurance to your community; it shows that you care about their individual safety and that you are working towards a solution.  If personal passwords have been compromised, sharing details of how users can change their passwords is also a good place to start.

Finally, it’s worth bearing in mind that it’s not just the breach that needs your attention during the immediate incident response phase, but also the channels of communication you use to contact the affected individuals to educate and inform them about the situation.  It’s important to think about how best you can ensure that any messages surrounding the data breach efficiently reach those who may be affected.  In addition to a press statement, you should also consider issuing information to your customers and employees either via an email newsletter, by post, or even a banner and news article on your website homepage.  This will ensure that the message reaches anyone affected as quickly and as transparently as possible.

For further information regarding comments made in this article, please email or alternatively, telephone 0113 243 1117.

Our accreditations & Partners

  • REC Member
  • VTC - Virtual Technology Cluster
  • RANT Events
  • Bloom Nepro
  • YPO
  • Crown Commerical Service
  • Disability Confident
  • ISO 9001
  • Armed Force Covenant
  • Cyber Essentials Plus
  • ISO 27001





Thank you for signing up to the acumin alerts.

Send CV

Send us your CV and have our recruiters match you to the ideal opportunities

Do you already have an account with us?

Log in

Want to have an account with us?


Want to just send us your CV?

Upload only doc, docx, odt, pdf format file.

By submitting your registration and CV to us you are agreeing to join our database and to be contacted about relevant jobs industry communications. Please read our terms of business for more information.

Password reset

If you need a reminder for your password, fill out the field below

Log in

Access your account to edit your contact details, job alerts or to upload a new CV

Thank you


Thank you for successfully uploading your CV.

Acumin Alerts


Thanks for registering for Acumin alerts.

Acumin Alerts

Unfortunately your CV could not be uploaded

Please make sure your CV is one of the following file types: doc, docx, odt, pdf, rtf

Acumin Spam

Unfortunately your submission has been declared spam. Please try again.



Thank you for submitting your vacancy.


Create an account to register your contact details, sign up for job alerts and upload your CV


Thanks for registering for Acumin alerts. To get the most out of Acumin's service why not register with us?

Upload only doc, docx, odt, pdf format file.
- Practitioner
- Commercial

I agree to the terms and conditions and to be contacted by recruiters:

I agree to receive marketing communications relevant to my job search:

I agree to receive Jobs By Email for the following professions:
- Business Continuity Management
- Counter Fraud
- Cyber Security
- Executive Management
- Governance & Compliance
- Information Security & Risk Management
- Penetration Testing & Digital Forensics
- Sales and Marketing
- Sales Engineering
- Security Management
- Technical Security
- Information/Risk Assurance
- Identity Management
- Application Security
- Security Architecture
- Dev/Sec Ops
- DV & SC Cleared Jobs
- Programme & Project Management

Submit a Vacancy

Use the form below to submit a vacancy