Dealing with data breaches

“Support to help develop and provide an effective response to a data breach to limit damage and manage reputation.”

Get in touch to discuss your requirements

At present there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data. However, the Information Commissioner believes serious breaches should be brought to the attention of his Office.

‘Serious breaches’ are not defined, but the following all need to be considered:

  • Potential detriment to individuals
  • Volume of data affected
  • Sensitivity of data

The Information Commissioner will then consider the nature of the breach or loss and look at whether the data controller is properly meeting their responsibilities under the Data Protection Act.

All data controllers have a responsibility to ensure appropriate and proportionate security of the personal data they hold.

The seventh principle of the Data Protection Act says that: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’




  • Provide support for damage limitation in case of data breaches.

  • A reduction in the risk of your organisation breaching data protection legislation.

  • An enhanced offering in which public and political expectations of good personal data management are appropriately managed.

Why Crimson Crab?

We understand how to construct and deploy suitable policy and procedures to ensure that only suitably compliant data protection practices are utilised.

We also understand how to implement procedures which mitigate against regulatory activity by enforcement bodies.

Our directors have had over fifty years' experience in the Public Sector, with extensive knowledge of the regulatory landscape, procurement and an understanding of how to prevent complex issues developing into significant challenges.

We are fully insured for this type of work. Details of the insurances held are published on our website along with the information required by the Provision of Services Regulations.

Case Studies


Moonpig

A software flaw in the firm’s Android App let a researcher access the records of any Moonpig account holder. This compromised three million people.

The researcher reported the issue to the firm and then went public after receiving an inadequate response from the company.

TalkTalk

In October 2015, TalkTalk initially struggled to confirm how many of its four million customers were affected after hackers exploited a reported weakness in the firm’s website.

TalkTalk CEO Baroness Dido Harding sounded vague about the attack’s scale when interviewed on TV, and it later emerged that a ‘mere’ 157,000 personal records had been compromised. The incident was the second data breach affecting the company in under a year.

Dissatisfaction over the rising number of data breaches in the UK is now both a political and mainstream issue.



Our Solution

Crimson Crab can look at the circumstances of a data breach and give advice as to what to do, for example whether it is one which should be reported to the Information Commissioner.

Once the current data protection procedures have been reviewed, a robust policy can be established, backed up by an effective procedure, to ensure that personal data is effectively protected, thus reducing the likelihood of a breach occurring. If a breach were to occur, this will provide mitigation by demonstrating that reasonable steps had been taken to avoid the breach.

Service Requests

Please get in touch for a discussion about your requirements or email

Our general terms and conditions apply.


Return on Investment

The purpose of the approach is to minimise potential future harm and mitigate liabilities that may be incurred by data breaches.

A breach of the Data Protection Act can result in enforcement action including a maximum ‘fine’ of £500,000.

The Information Commissioner can name and shame organisations that break the law. This may well result in significant damage to the brand.

An individual has a right to claim compensation from an organisation if they have suffered damage because the organisation has breached part of the Act.

Undoubtedly the biggest impact, however, will be on long-term business reputation; trust will undoubtedly be damaged and may never be restored.


We believe that our proposal will offer you a cost-effective and solid method of providing a robust process that will provide peace of mind for you as a business owner and meet your business needs for proportionate and legally compliant data protection.
