Personal data breaches, incident handling, and regulatory response
A personal data breach is not only a cyberattack. It also includes mis-sent emails, letters to the wrong address, unauthorised internal access, lost paperwork, unsafe disposal, lost devices, or accidental deletion. Leaders need a clear, practised response because actions in the first hours affect risk, evidence preservation, and reporting obligations.
ICO guidance for small organisations states the clock starts when you become aware of a breach, not when it happened. Not every breach must be reported to the ICO, but significant incidents should be assessed, logged and acted on promptly and consistently.
Some serious incidents are availability incidents rather than obvious disclosures. Ransomware, failed system migrations, corrupted databases or inability to restore key records can be personal data breaches if data becomes unavailable, destroyed or inaccessible in a way that risks harm to individuals.
Leadership steps after a breach is discovered
- Start the log and contain the problem: recover data where possible, stop further disclosure, preserve evidence and involve the right people.
- Find the facts quickly: determine what happened, which data were involved, who was affected, whether special category data are included, and whether the data were accessed.
- Assess the risk to individuals: consider embarrassment, discrimination, fraud, distress, safety impact or loss of confidentiality.
- Decide on notifications: if the breach is reportable, notify the ICO without undue delay and no later than 72 hours after becoming aware of it. If the risk to individuals is high, inform those affected without undue delay.
- Review system causes: identify training gaps, unclear roles, supplier issues, weak access controls, poor checking or unsafe local workarounds and address them.
Pharmacy-specific leadership points
- Branch and head-office workflows should align: local teams must know what to escalate and how quickly.
- NHS and commissioner routes may also apply: for community pharmacy in England, local DSP and NHS incident-reporting expectations can sit alongside ICO reporting decisions.
- Near misses are useful evidence: repeated close calls can indicate an unreported control weakness.
The first goal after a breach is not blame. It is to contain the incident, understand the risk to people, meet any reporting duties, and fix the control weakness that allowed it to happen.