Athlex
Contact
Athlex

Month: October 2025

The 72 Hour Rule for UK GDPR Breach Reporting

5 minutes read
The 72 Hour Rule for UK GDPR Breach Reporting: A Plain English Guide for SMEs
Laptop with warning icon and clock representing urgency in UK GDPR breach reporting

When a personal‑data breach occurs, there are two key questions:

  1. When must we notify the regulator?
  2. How should we handle things internally to reduce risk, cost and reputational damage?

Lately, it feels like data breaches are never out of the headlines. From Marks & Spencer’s loyalty leak to Jaguar Land Rover’s ransomware hit, UK businesses are being tested on how fast and how well they respond.

For SMEs, understanding the 72‑hour rule under the UK GDPR isn’t just about avoiding fines it’s your fire drill, your buffer, your business continuity plan.

What is a “personal data breach”?

A personal data breach under the UK GDPR is any security incident that results in:

  • Accidental or unlawful destruction or loss of personal data
  • Loss of availability, for example through ransomware or system failures
  • Alteration or corruption of data that makes records inaccurate
  • Unauthorised disclosure of, or unauthorised access to, personal data

It doesn’t take a hacker,  mis-sent emails, misplaced USB drives, or wrongly configured cloud folders all qualify.

The “72-hour rule” – what it really means

The law doesn’t give you three full days to get your act together. It says:
“Without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.”

That means:

  • If you can report sooner, you should.
  • If you miss the deadline, you must justify why.
  • And no – “we were still checking with IT” won’t cut it.

Step-by-step: what SMEs should do

Recognise the incident

Use monitoring, logging, and staff escalation to detect breaches fast.

Assess the risk

Ask: what is the risk to the individual, is there a risk of identify fraud, financial or physical harm or distress. We provide more guidance on this below.

✅ Decide whether to report to the ICO

Ask; what is the harm to the individual(s)? And decide if you need to report the breach. If you are not reporting, you must keep a log, with clear reasoning.

Notify the regulator if likely to result in a risk of harm to individuals

Use the ICO breach reporting form and include:

  • What happened
  • What data and the number of people affected
  • Consequences
  • What you have done to reduce the risks
  • DPO or contact point

✅ Notify individuals (if high risk)

If the breach presents a high risk to the people affected (e.g. financial, reputational or emotional harm), you must tell them directly – without undue delay. This could be where there is an immediate risk of financial or physical harm to an individual.

✅ Remediate and document

Do a root-cause review to be clear about why it happened and how you will prevent it happening again. Update controls. Train staff. Write it all down.

Is the breach reportable? How to decide

Not every breach needs to be reported to the ICO – but many are. And the line between “notify” and “log it internally” isn’t always obvious.

Under the UK GDPR, a breach must be reported to the regulator if it is:

“likely to result in a risk to the rights and freedoms of individuals.”

This includes risks like:

  • Identity theft or fraud
  • Financial loss
  • Loss of confidentiality
  • Discrimination or reputational harm
  • Distress, particularly where vulnerable people are affected

But what does “likely” mean in practice?

That’s where judgment, experience, and knowledge of ICO enforcement comes in. You’ll need to assess:

  • What kind of data was involved? (Basic contact details or sensitive health, financial, or identity data?)
  • How exposed was it? (Sent to one person or published online?)
  • How long was it accessible?
  • Is there evidence it was accessed or misused?
  • Could individuals suffer harm or distress as a result?

This isn’t a binary “yes/no” — it’s a context-led risk decision. And it’s one the ICO expects you to document thoroughly.

💡 If you decide not to report, you still need to record:

  • The nature of the breach
  • The decision-making process
  • Why you believe notification wasn’t required
  • Any steps taken to contain or prevent recurrence

📚 Many SMEs benefit from looking at recent ICO cases, guidance, and fines. These real-world examples show how risk is interpreted — and where organisations got it wrong by waiting too long, misjudging impact, or failing to document decisions.

🗂️ Bottom line: if you’re unsure, log your reasoning and seek advice. Whether you notify or not, the ICO cares most about whether you acted promptly, documented clearly, and protected individuals’ rights.

Common SME mistakes

  • No breach detection tools in place
  • Waiting too long to decide what to do
  • Not documenting decisions
  • Assuming “we’re too small to be a target”
  • Launching new systems without updating privacy notices or contracts

Why SMEs should care

📣 From M&S to Jaguar Land Rover, breaches are everywhere.

But the risk isn’t just for corporates:

  • SMEs are common stepping stones in larger supply chains
  • Many attacks fly under the radar but cause huge disruption
  • The ICO doesn’t care how small you are if you’re unprepared

💥 Capita was fined £14m for poor breach handling.
🧾 Don’t wait for yours to become a headline.

SME breach-response checklist

  •  Do you have a documented, tested response plan?
  •  Are your logs and alerts functioning?
  •  Have staff been trained on what to do?
  •  Do your contracts cover breach reporting?
  •  Do you review and record every incident,  even the “minor” ones?

Related on Athlex: Prevent insider risk

Most breaches start from inside your business.
📘 Read: Insider Risk — 7 GDPR Controls for SMEs

Final word

The 72-hour rule is not just a regulatory tick-box  it’s your first defence.

Plan it. Test it. Use it.
And when a breach happens, act fast and document everything.

Contact us if you need help: hello@athlex.co.uk
Our Free UK GDPR Compliance Checklist is coming soon.

Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs

5 minutes read
The risk that sits at your own desk
Laptop showing data access control icons on screen, surrounded by desk items including notebook, pen, plant, and coffee mug – representing insider risk controls under GDPR

Most data incidents don’t start with outsiders. They start with someone who already has access: an employee exporting a list to a personal inbox “to finish later,” a contractor browsing records “out of curiosity,” or a former staff member whose account was never disabled. The UK Information Commissioner’s Office (ICO) expects organisations to prevent this through proportionate technical and organisational measures, and to assess and report personal data breaches appropriately. See the ICO’s guidance on personal data breaches.

Insider risk is the gap between “we have policies” and “we actually control who can see what, when, and why.” This guide turns that gap into seven practical controls you can implement this quarter.

7 Practical UK GDPR controls to reduce insider risk

1) Least-privilege access with clean joiner/mover/leaver (JML) flows

Do this:

  • Map each role to specific datasets and grant only the minimum access required.
  • Automate joiner, mover and leaver provisioning through your HRIS so accounts are created and removed promptly.
  • Ban shared credentials and require multi-factor authentication on every account.

Outcome: Access is limited to what’s necessary, changes are applied promptly when people join, move or leave, and you can evidence necessity and proportionality under UK GDPR security and privacy-by-design requirements.

2) Evidence you can trust: logs and audit trails

Do this:

  • Log views, exports, deletions and permission changes across core systems.
  • Centralise logs and alert on unusual patterns, such as mass lookups or out-of-hours exports.
  • A Security Information and Event Management tool helps, but start with built-in logs if that’s what you have.

Outcome: You can confirm what happened quickly, assess risk to individuals, and make accurate, timely notification decisions.

3) Stop the leak before it starts: Data Loss Prevention (DLP) and redaction

Do this:

  • Configure DLP rules for email, cloud storage and endpoints.
  • Auto-redact sensitive fields in routine exports and reports.

Outcome: Accidental oversharing is blocked by default, and special category data stays tightly controlled.

4) Device and workspace controls that actually work

Do this:

  • Enrol all company and Bring Your Own Device (BYOD) endpoints in Mobile Device Management (MDM). Require disk encryption and screen lock.
  • Disable local downloads for high-risk roles; restrict screenshots or copy/paste in sensitive apps where feasible.

Outcome: Data remains in managed environments and is harder to extract via quick workarounds.

5) Processor hygiene: vendor minimums and escalation paths

Do this:

  • Bake minimum security measures, prompt breach notification, and audit rights into processor contracts.
  • Maintain a single vendor risk register with owners and review dates.

Outcome: Third parties stop being “insiders by proxy” without accountability, and you have a clear path when something goes wrong.

6) Behaviour beats posters: training, nudges and sanctions

Do this:

  • Run short, role-based refreshers using the workflows your teams actually use.
  • Add in-tool nudges: “This export contains personal data. Do you need names?”
  • Publish and apply a proportionate sanctions policy for misuse.

Outcome: People make better choices at the point of risk, and expectations are unambiguous.

7) Drill it: a 60-minute insider-incident playbook

Do this:

  • Write a one-page runbook. Simulate it quarterly.
  • Define who freezes access, who gathers evidence, who communicates to customers, and who speaks to the ICO.

Outcome: Response is coordinated and timely, with decisions recorded and defensible. Use the ICO’s security guidance hub to shape your thresholds and evidence checklist.

Why this matters: real-world expectations

Enforcement keeps landing where staff accessed records without a valid reason. Recent prosecutions include healthcare workers fined for snooping in patient records, underlining the need for access controls and audit trails. Example: ICO case report, Former NHS secretary found guilty of illegally accessing medical records.

For technical mitigations that specifically target insider misuse and data exfiltration, the National Cyber Security Centre (NCSC) provides concrete advice you can layer on top of policy and training: Reducing data exfiltration by malicious insiders.

The 60-minute plan when insider misuse is suspected

  1. Contain: Freeze the account, revoke tokens, stop syncs.
  2. Preserve evidence: Snapshot logs and systems before making changes.
  3. Scope: Identify what data, which data subjects, the lawful basis and intended purpose.
  4. Assess risk and notify if required: Inform affected individuals and the ICO based on risk to rights and freedoms, following the ICO’s thresholds and timelines.
  5. Document: Record decisions, timestamps, and people involved in your breach register.
  6. Remediate: Fix process gaps; update DLP rules and training.
  7. Follow-up: Close similar access gaps across roles and vendors; verify offboarding is watertight.

What to do this month: a 30-day insider risk checklist

  • Access reviews on all high-risk systems
  • JML automation turned on for HRIS and your Identity Provider (IdP)
  • Export and bulk-view logging with alerts
  • DLP pilot on email and cloud storage
  • Processor addendum with breach information schedule
  • Role-based refreshers booked
  • One tabletop drill with your leadership team
  • Validate your approach against the NCSC insider-exfiltration guidance

If you outsource checks or verification, you still carry the risk. Read out guide: Age verification and the UK GDPR in 2025: a plain-English SME guide. 

Other things you can do:

  • Get cover: Our Outsourced DPO service keeps these controls live, not just on a slide
  • Talk to us: email us hello@athlex.co.uk to find out how we can help you

Age verification and UK GDPR in 2025: a plain-English SME guide

4 minutes read
Geometric icons including a blue shield, red padlock, pink quarter-circle, and yellow circle arranged on a light blue background with soft drop shadows.

If your product or community has age-limited features, you’ve probably looked at third-party age-verification (AV) tools. They can help with fast onboarding and higher assurance. They do not remove your responsibilities as a controller. A recent breach at a third-party provider handling age-check appeals is a reminder to tighten the basics.[i]

Below is a practical checklist you can apply this week.

1) Refresh your DPIA

Treat AV as a distinct processing activity. Update your Data Protection Impact Assessment (DPIA) with:

(a) categories of data the vendor collects, such as ID images and metadata,

(b) special-category or child considerations,

(c) risks if the vendor is compromised, and

(d) mitigations such as encryption, redaction, and retention controls. If you still identify high risks you cannot reduce, you must consult the ICO before you go live.[ii]

2) Get serious about processor due diligence

At a minimum, send potential vendors a security questionnaire covering access controls, key management, encryption at rest and in transit, and relevant certifications. Request a full list of sub-processors and evidence of breach management. Your contracts should mandate prompt breach notification, co-operation with investigations, approval of any sub-processor, transparency about data locations and robust audit rights. Many age-verification providers use third-party image-processing pipelines, so insist on visibility and the right to object to high-risk practices.

3) Data minimisation and retention

Only collect what you need to achieve the purpose. Prefer a pass or fail token and a coarse age band over storing full ID images. Where images are necessary, for example during appeals, set short retention periods and automatic deletion. Avoid internal copies of vendor-held data. Ask for privacy-preserving artefacts such as non-reversible tokens or signed assertions to prove checks occurred.

4) Build a clean incident playbook

Your playbook should name decision-makers in legal, PR, engineering, and security. Include steps to cut off the vendor, rotate keys, revoke scopes, switch to a fallback path, and notify affected users where required. Prepare clear comms templates and support routes. Rehearse the cut-over at least once a year.

5) Children and higher-risk contexts

If your service is likely to be accessed by children, align with the ICO’s Children’s Code. That means high privacy by default, clear and age-appropriate information, and DPIAs that reflect child-specific risks. In AV flows, design for dignity and accessibility. Offer alternatives for people who do not have passports or driving licences. Start with the ICO’s code and standards.[iii]

6) Understand DUAA timing and what changes

The Data (Use and Access) Act 2025 is being switched on in stages. Expect the main data-protection changes about six months after Royal Assent. The new duty to provide a data-protection complaints route is expected about twelve months after Royal Assent. Keep a simple internal timeline, assign owners, and log milestones such as policy updates, training, and website notices. See the government’s commencement plan[iv] and the ICO’s explainer.[v]

7) Recognised Legitimate Interests (RLI): plan, do not assume

RLI is a new lawful basis that will apply to specific public-interest purposes once commenced. Most commercial AV uses will still rely on consent, contract, or legitimate interests with a proper balancing test. Track the ICO’s draft guidance and plan a gap-analysis workshop when the final text lands.[vi]

8) Communicate clearly

Update your privacy notice with a dedicated AV section covering purpose, data types, vendor names, locations, retention, and user choices. Provide a one-screen summary in the AV flow with a link to full details. Make it obvious how people can raise a data-protection complaint with you now and how you will meet the new statutory process once it is in force.[vii]

9) Test your fallback

If the vendor goes down or trust is lost, what then? Offer a temporary pathway, for example age-band self-declaration with heightened moderation, or a pause with email support, while you switch vendors. Document the lawful basis for your fallback and the short-term risk trade-offs you accept.

Quick win checklist

  • DPIA updated and signed off
  • Processor due diligence complete and sub-processors logged
  • Retention periods implemented and images set to auto-purge
  • Incident playbook rehearsed and vendor cut-off tested
  • Privacy notice section live and complaints route visible
  • DUAA milestones tracked and training booked

[i] The Guardian

[ii] ICO: when prior consultation is requiredDPIA overview.

[iii] Children’s Code hub

[iv] DSIT commencement guidance

[v]  ICO: what DUAA means

[vi] ICO consultation on RLI)

[vii] ICO consultation on complaints handling

A Complaints Revolution?

6 minutes read
What the Data (Use & Access) Act 2025 Means for Your Business
Hands holding a pen and checklist titled “Complaints Procedure” on a blue background, with a speech bubble icon and magnifying glass.

The UK’s data protection rules are changing again. Here’s what small and medium-sized businesses need to know about the new legal duty to handle data protection complaints and how to get ready.

Why this matters

The Data (Use & Access) Act 2025 introduces a major new responsibility for UK businesses. For the first time, organisations will be legally required to have a formal process for handling data protection complaints.

This means every business that processes personal data will need a clear way for people to raise concerns, and a plan for how those complaints are recorded, investigated and resolved.

The change builds on the existing UK GDPR and Data Protection Act 2018. It does not replace them, but it strengthens the rules around accountability and response times. The goal is simple: to make sure individuals can trust that their data rights are taken seriously.

If your business already manages data protection complaints properly, this may only mean a few small updates. But if you currently respond on an ad-hoc basis or tend to dismiss complaints that seem unfounded, it is time to make changes now.

The new duty in a nutshell

The Act received Royal Assent on 19 June 2025 and is being introduced in stages. The key stage for most organisations, current expected around 12 months from Royal Asset (so around mid- 2026), is the new legal duty to handle complaints.

Under this duty, you will need to:

  • Acknowledge data-protection complaints within 30 days and tell people what will happen next
  • Investigate and respond promptly, without unnecessary delay, explaining the outcome in plain language
  • Record every complaint and document how and when it was resolved
  • Train staff to recognise, log and properly escalate data-protection complaints

These rules apply to all organisations that process personal data, regardless of size or sector.

You can read the official rollout plan on GOV.UK https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement

Two ICO consultations shaping the change

The Information Commissioner’s Office (ICO) is currently running two consultations to help define what “good” looks like in complaint handling.

  1. Guidance for organisations, explaining how to set up and manage a complaint-handling process.
    Deadline: 19 October 2025
    ICO Consultation on Complaints Guidance for Organisations
  2. The ICO’s own complaint-handling framework, which outlines how the regulator will assess and respond to complaints once the law is in force.
    Deadline: 31 October 2025
    ICO Consultation on Changes to How We Handle Data Protection Complaints

The first consultation tells you what your business needs to do. The second explains how the ICO will respond to complaints and what data they will monitor.

The risk of inaction

This is more than a procedural update. The ICO has made it clear that it will monitor complaint trends across sectors. Repeat or unresolved complaints could attract attention and follow-up engagement from the regulator.

If you do not have a reliable process in place, the risks include:

  • Reputational damage if complaints are mishandled or ignored
  • Evidence gaps that make it difficult to show compliance
  • Closer scrutiny if your business appears in repeated complaint reports

Even complaints that seem minor or unjustified must be logged and responded to. If you choose to ignore them, they will still count towards your complaint history. The ICO will be looking for businesses that can show they act on feedback, not those that hope issues go away.

If you already manage complaints effectively, you are in a good position. If not, now is the time to act. Setting up a clear process will protect both your reputation and your compliance record.

What good looks like

A compliant complaint-handling process should feel simple and transparent. It should show that you take customers seriously and can evidence your actions.

The ICO’s guidance suggests focusing on:

  • Visibility: make it easy for people to raise a concern, for example by publishing contact details or a form in your privacy notice.
  • Consistency: respond within set timeframes and keep records of all correspondence.
  • Evidence: log complaints in a way that allows you to track progress, outcomes and lessons learned.
  • Governance: review complaint trends regularly to identify recurring issues or training needs.

If you already have a process in place, check that it meets these standards and that your team understands it. If you do not, start simple. A shared inbox and a basic log are often enough for smaller businesses, as long as they are used consistently.

The bigger picture

The new complaint-handling duty is part of a wider move towards greater accountability and user empowerment. Alongside this, the ICO has been setting out its approach to user consent, transparency and digital choice – including its views on Meta’s “consent or pay” advertising model.

Both developments point in the same direction. The UK is not deregulating data protection; it is making it more practical. The focus is on evidence and accountability – being able to show not just that you comply, but that you care about how personal data is handled.

What to do next

If you are unsure where to start, focus on these steps:

  1. Create or review your complaint process.
    Have a clear route for people to raise issues, assign responsibility and set timeframes for acknowledgement and response.
  2. Keep records.
    Track all complaints, even if you think they lack merit. Record what was done, what you found and how you closed the issue.
  3. Update your privacy notice.
    Tell people how they can raise a complaint and what they can expect from you in return.
  4. Train your team.
    Make sure everyone who handles customer or employee data knows how to recognise and escalate a data protection complaint.
  5. Review contracts.
    Ensure any partners or suppliers who handle personal data know their role in your complaint-handling process.
  6. Monitor and improve.
    Look for recurring issues or delays. Fixing small process gaps now will reduce the risk of ICO involvement later.

How Athlex can help

At Athlex, we make compliance clear. We help businesses build practical, proportionate frameworks that work in the real world.

Our services include:

  • Designing or reviewing complaint-handling frameworks
  • Providing outsourced Data Protection Officer (DPO) support
  • Reviewing contracts and supplier arrangements
  • Updating privacy notices and policies
  • Delivering tailored training and audits for your team

If you would like help reviewing your approach to complaints, start with a free GDPR Health Check. We will show you where you stand, what is working well and what to fix first.

Book your free data protection health check.

In summary

The Data (Use & Access) Act 2025 is not a complete rewrite of data protection law, but it will change how accountability is judged.

Businesses with clear, consistent complaint-handling processes will adapt easily. Those without one will need to move quickly. Ignoring complaints – even the unfounded ones – will no longer be an option.

Taking action now will save time later and show your customers that you value their trust.