Rapid Response

Loss of personal data

Businesses accumulate a great deal of commercially sensitive and personal data which they have a duty to protect. With constant developments in IT and the increasing use of mobile devices, this data is often removed from company premises increasing the risk of theft or loss.

When a company becomes aware that data has been stolen or mislaid, it is imperative to act immediately to protect both the company and those to whom the data relates. You should consider the following preliminary issues if such an incident occurs:

  • Identify exactly the nature of the stolen or lost data.
  • Immediately identify all those people with access to the data.
  • Establish whether it is original data which has been stolen or lost.
  • Identify whether appropriate security/protection is in place on the data (i.e. can it be accessed or is it actually secure and, if so, to what extent?)
  • Ascertain whether the business holds further copies of the data, to avoid immediate operational difficulties.
  • Establish whether the business has an obligation to involve either the police or an appropriate regulatory body or independent scrutineer.

If the size and nature of the data loss is significant, we recommend that you obtain urgent legal advice to ensure that you are able to cooperate fully with any investigation and to mitigate any liability for fines. The involvement of a lawyer at an early stage may also provide the business with added protection, because documents created after the involvement of a lawyer could be privileged from disclosure.

The theft or loss of any personal data may in some jurisdictions also amount to a breach of data protection legislation for failure to have in place appropriate measures to protect data and prevent improper processing. Legal advice should, therefore, be obtained regarding liability under the data protection legislation and any criminal prosecutions which may result.

Our lawyers and media relations experts can help you prepare for possible issues which may arise. These may include contacting the data subjects to advise them of the loss, liaising with the authorities, disciplining employees and issuing a public statement.

This website provides a general overview and discussion. It should not be used as a substitute for taking legal advice in any specific situation. Please contact a member of our team for specific enquiries.