What must an organisation do when they think they have had a data breach?

If a company has lost your personal data as a result of a data breach, there are data protection procedures it must follow.

If there is a serious breach of your personal data which is likely to result in a high risk to your rights and freedoms, in most circumstances the company is obliged by the Data Protection Act 2018 (GDPR) to tell you without delay.

The organisation has to establish the likelihood and severity of the risk to your freedoms and personal data rights following a breach.

The company should explain to you:

  • the name and contact details of its data protection officer, or another contact point that can provide more information (usually found on its website)
  • a description of the likely consequences of the personal data breach (this may not be fully known yet)
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.


If your data has been lost and you use the same or similar login details – such as usernames and passwords – for other websites or online accounts, you should change those details immediately. Traditional guidance on complex passwords has been to create them once and leave them in place; however, if an attacker has learned one of your passwords, there is a good chance they will try it on other sites you access with the same password. Any new password should be:

  • At least eight characters long
  • Doesn’t contain your username, real name or company name
  • Doesn’t contain a complete word
  • Significantly different from your other passwords
  • Contains a combination of upper- and lower-case letters, numbers and symbols.
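The five rules above can be enforced mechanically, for instance by a registration form or a password manager, so that a user is warned before a weak or reused password is accepted. The following Python script is an added example written for this page; it is not code from the page or from any named organisation. The similarity cut-off of 0.5, the short word list and the sample passwords are constructed assumptions, and "significantly different" is measured here as normalised edit distance, which the page does not define.

```python
import string

# Assumed cut-off: a new password whose normalised similarity to an old one
# reaches this value is treated as "not significantly different".
SIMILARITY_THRESHOLD = 0.5


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings sharing nothing."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def _identity_terms(username: str, real_name: str, company: str) -> list:
    """Lower-cased identity fragments that must not appear in the password."""
    terms = [username, company, real_name] + real_name.split()
    return [t.lower() for t in terms if len(t) >= 3]


def check_password(password: str, username: str = "", real_name: str = "",
                   company: str = "", old_passwords=(), wordlist=()) -> list:
    """Return the identifiers of every rule the password fails (empty = passes).

    Rules, in the order the page lists them:
      too_short         - fewer than eight characters
      contains_identity - contains the username, real name or company name
      contains_word     - contains a complete word from the supplied word list
      too_similar       - too close to one of the caller's previous passwords
      character_mix     - missing one of: lower case, upper case, digit, symbol
    """
    failures = []
    lowered = password.lower()

    if len(password) < 8:
        failures.append("too_short")
    if any(t in lowered for t in _identity_terms(username, real_name, company)):
        failures.append("contains_identity")
    if any(w.lower() in lowered for w in wordlist if w):
        failures.append("contains_word")
    if any(similarity(lowered, old.lower()) >= SIMILARITY_THRESHOLD
           for old in old_passwords):
        failures.append("too_similar")
    has_classes = (any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(c in string.punctuation for c in password))
    if not all(has_classes):
        failures.append("character_mix")
    return failures


if __name__ == "__main__":
    # Constructed sample data for the demonstration only.
    words = ["password", "summer", "welcome"]
    previous = ["Summer2019!"]
    for candidate in ["Tr0ub4dor&3x", "alicepassword", "Summer2020!"]:
        result = check_password(candidate, username="alice",
                                real_name="Alice Smith", company="Acme",
                                old_passwords=previous, wordlist=words)
        print(f"{candidate!r}: {'ok' if not result else ', '.join(result)}")
```

The reuse check matters most after a breach: a password that differs from the leaked one only by a year or a trailing digit is the first variation an attacker's tooling tries, and the similarity test above rejects exactly that pattern while still accepting a genuinely new password.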

Check your bank accounts and credit report

You may want to keep a close eye on your bank accounts and other online accounts over the next few months, particularly if you think the breach involved any financial details or details that a scammer could use to commit identity fraud.

If you see anything unusual, contact your bank immediately and explain that you’ve been the victim of fraud.

If you’re not happy with the way your bank deals with your complaint, you can refer it to the Financial Ombudsman Service (FOS).

It’s also important to check your credit report with the three main credit agencies – Call Credit, Experian.co.uk and Equifax – to ensure credit isn’t taken out in your name.

If you find that any of the above has happened, you should also contact Action Fraud as soon as possible.

Action Fraud is the UK’s national fraud and internet crime reporting centre and it can be reached on 0300 123 2040 or via the Action Fraud website.

Beware of scams

If you’re contacted by anyone over the phone asking you for personal details or passwords (such as for your bank account), take steps to check their true identity.

Ask them to give you details that only the company they claim to be calling from would know, for example details of your service contract or how much you pay per month.

If you still have concerns about the caller’s identity, you should hang up and call the company back.

If possible, use a different telephone to check the validity of the call, since the caller may still be holding your original line open.