Case study: A financial services institution


A personal data breach occurs whenever a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Following an incident, the controller of that data has a limited period in which to investigate, contain and mitigate the breach, assess any risk attaching to the breach, and make appropriate notifications.

Following the unauthorised access to personal data by a third party, in the context of a complex contractual arrangement, our client needed advice as to whether it held the role of data controller over the affected data, and what it should do to respond to the breach.

How we helped

Calling on the experience our team has gained in the handling of multiple data incidents, we:

  • Conducted an analysis of the legal and factual context to identify the client’s role.
  • Provided tactical and strategic advice on risks and the timing of notifications.
  • Prepared regulatory filings in relation to the incident, including notifications required by non-UK regulators.
  • Advised the client on messaging to affected individuals, with a view to minimising the potential for regulatory complaints and litigation.
  • Worked with the client to identify the root cause of the incident along with appropriate remediation.

Outcomes

Our client met the regulatory deadlines for incident notifications at both the national and international level. Our support enabled them to explain the events and issues clearly to both regulators and affected individuals. Having implemented and offered appropriate mitigation, they maintained positive relationships with affected individuals and avoided any regulatory action.
