Introduction to this document

GDPR personal data breaches register

The UK GDPR requires you to document all personal data breaches, whether they’re notifiable to the Information Commissioner’s Office (ICO) or not. Use our register to do this.

Mandatory register

Under the UK GDPR, you must record all personal data breaches in a register, regardless of whether they’re notifiable to the ICO. So, even if you decide that a data breach is unlikely to result in a risk to the rights and freedoms of individuals and doesn’t need reporting to the ICO, nor to data subjects, you must nevertheless add it to a personal data breaches register. The purpose of this requirement is to enable the ICO to verify your compliance with your obligations to notify it in certain circumstances of a data breach - it can ask to see a copy of your register. Your register must, as a minimum, include the following information: (a) the facts relating to the personal data breach; (b) the effects of the breach; and (c) the remedial action that you’ve taken. Use our GDPR Personal Data Breaches Register here. The aim is that you’ll complete a new record for every personal data breach, but if you want to put all the information in one central place you can easily convert our document into an Excel spreadsheet format. The boxes that we’ve included in our register are: the date of the breach; the date of internal notification of the breach; who reported it and how; a summary of the facts; the cause of the breach; the categories and approximate number of affected data subjects; the categories and approximate number of affected records; the impact of the breach; the remedial actions taken; whether the ICO was notified; whether data subjects were notified; whether the breach was reported to any other parties, e.g. the police; and the current status of the breach. This latter box can be updated as necessary until the breach has been appropriately dealt with and the matter is “closed”. There’s then a final box for you to add any other relevant information.