Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

The impact of data breaches

  • Published: June 12, 2023
  • Category: Cyber Security

Share this post

Avatar photo
Adam Spinks

Share this post

With the recent news about the MOVEit hack affecting a range of high profile organisations including the BBC, British Airways (BA) and Boots, it’s clear that no one is safe from cyber attacks.  The head of the UK’s National Cyber Security Centre has previously warned that a major cyber-attack is a matter of “when, not if”. But what if your organisation is the one affected? How can data breaches impact your business, your staff, your clients and ultimately, any individuals (data subjects) whose data is compromised? Perhaps more importantly, what preparations should you make to reduce the likelihood and impact of a cyber attack, and what should you do if (or perhaps when) you do fall victim?

What should you be trying to protect against?

There are many motivations behind cyber attacks – the most obvious is financial gain, however they may also be the result of pranks, activism, cyber theft and espionage.  The focus of a cyber attack is most likely to be personal data which can be exploited in some way, but corporate information, or information which could be used to perpetrate other cyber attacks (e.g. security information or information about your organisation which could be used in a subsequent phishing attack) may also be the target.  Cyber attacks can be perpetrated by internal or external actors so both need to be considered.  They can be the result of failures within your own organisation, or failures within the organisations or services you engage to support your business activities. You therefore need to have confidence in both your own arrangements, and those of the organisations you work with and entrust with helping you to look after your data. In the event of a cyber attack, it’s not just the direct impact of the data breach such as a loss of data or disruption to your services that you need to consider.  There’s the time, money and effort which may need to be directed to containing, investigating, responding to and recovering from the data breach.  If personal data has be compromised you will likely need to report this to the relevant data protection supervisory authority (in the UK the ICO) and depending on the nature of the incident, you may be liable for regulatory action or a monetary penalty – potentially up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.   Something which is rarely considered, but potentially even more costly than regulatory actions and fines is the risk of compensation claims from affected individuals.  You’ve no doubt seen adverts from personal injury lawyers encouraging people who have suffered a ‘slip, trip or fall anywhere’ to make a compensation claim on a ‘no win, no fee’ basis.  Data protection breaches are fast becoming the new focus of these types of compensation claims as affected individuals only need to allege that they have suffered some level of distress in order to be able to seek redress.  These types of claims are very difficult for organisations that have suffered a data breach to defend against and so for data breaches affecting large numbers of individuals, even if each individual claim was to be relatively modest in value, the costs associated with this could easily spiral. Therefore (in order of priority), it’s best to focus on:
  1. minimising the likelihood of a breach occurring in the first place
  2. minimising the impact on any affected individuals should a breach occur
  3. thinking about how you might respond to a data breach in a manner which minimises the impact on your business and the staff that will need to manage the response.

Minimising the likelihood of a data breach

Focussing on getting strong data security and protection foundations in place is a great way to reduce the likelihood of data breaches occurring.  Perpetrators will usually focus on ‘low hanging fruit’ and seek to exploit the most common vulnerabilities.  Taking simple steps such as those covered by the Cyber Essentials accreditation is a great starting point, however those wishing to go further may want to look at the ISO27001 Information Security standard.  Organisations working specifically with the NHS will also want to make sure they comply with the NHS Data Security and Protection Toolkit  (DSPT) which focuses on controls to protect against data breaches. Assigning clear responsibility within the organisation for information and cyber security is an excellent way to ensure that appropriate controls are implemented, are monitored for effectiveness over time and are enhanced where necessary. Sometimes this role is referred to as a ‘Senior Information Risk Owner (SIRO)’ to reflect the fact that the role is primarily intended to own and manage the ‘risks’.  They don’t necessarily need to be the person who designs and implements the controls which are then used to manage or mitigate the risks – this is likely to be something which others with more technical or operations knowledge will be better placed to do.  The role of the responsible individual isn’t therefore a technical one – it’s about ensuring appropriate controls are in place and effective. The key controls organisations should focus on to minimise the likelihood of a data breach will depend on how you store and process data, however they are likely to include:
  • Staff vetting
  • Training
  • Asset management
  • Physical and environmental security
    • Security of premises
    • Secure storage of assets
    • Access control
  • Cyber Security
    • Firewalls
    • Secure configuration
    • Access control
    • Password management
    • Malware protection
    • Security update management
  It’s clear however that no matter what technical and organisational controls are in place, a data breach may still occur.

Minimising the impact on individuals

You can take steps to minimise the impact of data breaches on individuals both proactively and as part of any incident response.  The proactive measures you can take include:
  • Minimising the data processed
  • Applying additional security to high-risk information (e.g. encryption).
Applying these measures requires a thorough understanding of what data you process, why and how.  You can do this by preparing a Record of Processing Activities (RoPA) to record all of the ‘information assets’ you utilise within your organisation and document what they are used for and what data is processed within them.  This is also a key requirement under data protection law (Article 30 of the EU and UK GDPR).   Once you understand the data you are processing you can look to ensure that only the minimum data necessary is being held or processed within each ‘information asset’.  By doing this, you can try and make sure that should a system or ‘information asset’ be compromised, the minimum possible amount of data will have been put at risk. You can also look to apply additional security measures such as pseudonymisation or encryption to those information assets or data which is of particular value.  If your systems or information assets are compromised but you can be confident that no personal information can be accessed by the intruders (e.g. because it is encrypted) then the impact on individuals will be negligible. 

Minimising the impact on your organisation

You can also take measures to minimise the impact of data breaches on your organisation.  Ensuring prompt identification of data breaches can help you to get ahead of them so routine auditing and security alerts which can help you to detect suspicious activity with your systems or data breaches are essential.   Having clear procedures for reporting and managing data breaches are also invaluable should you fall victim to a data breach.  You want to be able to focus your efforts on containing and responding to the incident, rather than having to work out what you should be doing whilst in the middle of an incident.  Having an incident reporting and management procedure in place as well as a business continuity and disaster recovery plan which have been thoroughly tested (perhaps as a tabletop exercise) will ensure you are prepared should the worst occur. The final way you can minimise the impact on your organisation is to transfer the impact of the risk to others.  If you use third party suppliers to assist you in processing personal data you will want to ensure you have robust contracts in place which cover data protection and require your suppliers to indemnify you in the event of a data breach which is considered to be their responsibility.  Another way to transfer the risk is via insurance.  Although this won’t protect you against regulatory fines, it can help support you with the direct costs of responding to a data breach or cyber security incident as well as any claims made by data subjects whose data may have been compromised.
Do you need help protecting your business from the impact of a data breach? Book a no- obligation call below and speak to one of our Cyber Security Experts.

Other Articles​

Loading...
Blog post: How I learnt to keep worrying, but embrace Google Gemini anyway

How I learnt to keep worrying, but embrace Google Gemini anyway

Read More →

July 15, 2026
Cybersecurity: The Vanguard of Patient Safety in Healthcare

Cybersecurity: The Vanguard of Patient Safety in Healthcare

Read More →

May 18, 2026
Compliance with the NHS Cyber Security Charter Explained

The Evidence Era: Compliance with the NHS Cyber Security Charter

Read More →

April 1, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept