Data breaches are inevitable. Most breaches are the result of cock-up rather than conspiracy. With customers becoming more aware of their data protection rights, trust in how a company handles their data is driving choice. How a business responds when the worst happens will have a great impact on that trust, and reports of reaction to the negative publicity around recent breaches involving BA and Ticketmaster support this.

Whether a breach is reportable or not, the nature of the breach and how you respond to it must still be recorded by the business in order to show compliance with the law.

When managing a data breach, preparation is the key. If your breach is reportable to the regulator, valuable time could be wasted in putting a team together and deciding who should be doing what, rather than managing and controlling the effects of the breach on your business and customers. If you are not in a position to report within the 72-hour time frame, the regulator could take a range of actions, from ordering you to stop processing data for a specific purpose to issuing a monetary penalty, and either could carry a significant cost.

Take our Data Breach Readiness MOT to find out how prepared you are for the inevitable.


You have assembled your data breach response team.

Your response team has the necessary experience across IT, legal, and communications.

You have audited and tested your response plan in the last 12 months.

Your contracts with data processors and key partners include defined responsibilities for a breach situation.

Your processors know who to contact in your organisation when becoming aware of a breach.

You have a clearly identified team lead who will liaise with the regulator and other stakeholders.

You have an inventory of the types and location of the information you store that could be exposed during a data breach.

You have the technology, the people and knowledge in house to conduct a thorough investigation into a cyber security incident.

You have identified what your breach notification process would look like.

You have identified everyone who needs to be mobilised in the organisation in the event of a breach.

You know what services you are going to offer to reassure affected parties in the event of a breach.

You have developed a communications incident response plan, including drafts of key messages that will be useful during an incident.

Your chosen response team members are experts who are trained and confident in communicating.

You have conducted a crisis simulation to test how effectively your organisation would manage a breach incident in the last 12 months.

You have conducted employee training to apply data protection best practices in the last 12 months.

Data Breach Readiness MOT
Good Level of Readiness
Based on your answers it looks like you may be all set to deal with a breach when it happens. Please talk to us about how we can help rehearse and refine your response plan – in a live enactment scenario for example.
Good Progress towards Readiness
You’re well on the way to being ready, and there are perhaps only matters of staff training, or finalising your breach response plan to deal with. Please talk to us about what we can offer in the areas that may need further work.
Some Gaps in your Readiness
Your responses indicate that there are quite a few gaps in your breach approach. You could benefit from a Risk Assessment to help identify weaknesses, looking primarily at the areas where you were unable to ‘Agree’ or ‘Strongly Agree’. Please contact us to find out how we can help.
Low Level of Readiness
The responses suggest a package of actions is necessary to address the readiness shortfall. Please contact us to find out how we can help with identifying the areas of greatest risk, and prioritising the actions to get you to readiness, with a full breach risk audit.