
What to Do After You Get a Data Breach Notification

A calm, step-by-step walkthrough for the moment an organisation tells you your personal data may have been exposed — what the notice means, and how to respond under UK GDPR.

In short

When an organisation tells you your personal data may have been exposed in a breach, first check that the notice is genuine, then read it carefully, change any affected passwords (and any reused copies of them), and watch for unusual account activity. Under UK GDPR the organisation must explain what happened and what it is doing, and you can ask the Information Commissioner's Office (ICO) for help if needed.

What a breach notification actually means

A data breach notification is a message — usually an email or letter — telling you that an organisation holding your personal data has experienced a security incident that may affect you. It does not always mean your information has been misused, only that it may have been exposed, lost, or accessed without authorisation.

Under the UK GDPR, when a personal data breach is likely to result in a high risk to your rights and freedoms, the organisation responsible (the data controller) must tell affected people without undue delay. The notice should describe, in plain language, what happened, the likely consequences, and the steps being taken in response.

Receiving one of these messages can feel alarming, but it is a sign the law is working as intended: the organisation is being transparent so you can take any sensible precautions. The right response is measured, not panicked.

Steps to take after a breach notification

There is no single correct response to every breach, because what matters depends on the type of data involved. The notice itself is your best guide — it should tell you which categories of your personal data were affected. Work through these steps calmly, in order.

  • Check that the notice is genuine before acting on it. Confirm that the sender address and any links belong to the organisation's own domain, and if in doubt go to its website directly rather than clicking through: fake "breach notices" are a common phishing lure precisely because they prompt people to log in or reset a password in a hurry.
  • Read the notice in full and note exactly which of your data was affected — for example, your email address, password, payment details, or an online identifier such as an account ID.
  • If a password may have been exposed, change it on that service, and change it anywhere else you reused the same one. A breached password is routinely tried against other sites, so from now on use a different password for every account.
  • If payment card details were affected, tell your bank or card provider and check your statements for transactions you do not recognise.
  • Where the service offers it, turn on two-factor authentication so that a leaked password alone is not enough to log in.
  • Watch the affected accounts for unusual activity over the following weeks, and be cautious of unexpected emails, texts or calls that reference your details: criminals use breached data to make their approaches sound convincing.
  • Keep a dated copy of the notice and any follow-up correspondence, in case you need it later.
  • If you have questions about what the organisation holds or how it is protecting you, use contact details published on its own website, or those in the notice once you have confirmed the notice is genuine.
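One way to do the "is this notice genuine?" check mechanically. This is an added example, not code from the original article; it assumes a hypothetical organisation whose official domain is example-shop.co.uk, and the notice it parses is a constructed sample message that deliberately mixes a legitimate link with a look-alike domain of the kind phishing notices use. It flags sender addresses and links that do not belong to the official domain and pulls out the list of affected data categories so you know which steps above apply.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample breach notice (not a real message). The Reply-To and the
# second link point at domains that merely resemble the official one.
SAMPLE_NOTICE = """\
From: Customer Care <privacy@example-shop.co.uk>
Reply-To: support@example-shop-secure.com
Subject: Important security notice about your account
Content-Type: text/plain; charset=utf-8

We recently identified a security incident affecting our systems.
The following categories of your personal data may have been affected:
email address, account ID, hashed password.

Read our full statement: https://www.example-shop.co.uk/security/incident
To reset your password now, go to: http://example-shop.co.uk.account-verify.net/reset
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def same_org(host: str, official_domain: str) -> bool:
    """True if host is the official domain or a subdomain of it.

    The suffix test runs on the whole hostname, so a look-alike such as
    example-shop.co.uk.account-verify.net is rejected even though it
    *starts* with the official name.
    """
    host = host.lower().rstrip(".")
    official_domain = official_domain.lower()
    return host == official_domain or host.endswith("." + official_domain)


def check_notice(raw_message: str, official_domain: str) -> dict:
    """Parse a raw RFC 822 notice and report anything that does not match
    the organisation's official domain, plus the affected-data categories."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {"suspicious_senders": [], "suspicious_links": [], "affected_data": []}

    # Sender headers: both From and Reply-To must belong to the organisation.
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        addr = email.utils.parseaddr(str(value))[1]
        domain = addr.rsplit("@", 1)[-1]
        if not same_org(domain, official_domain):
            findings["suspicious_senders"].append(f"{header}: {addr}")

    body = msg.get_body(preferencelist=("plain",)).get_content()

    # Links: every URL in the body should resolve to the official domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not same_org(host, official_domain):
            findings["suspicious_links"].append(url)

    # Affected data: the wording pattern assumed here matches the sample notice.
    match = re.search(r"affected:\s*(.+?)\.", body, re.S)
    if match:
        findings["affected_data"] = [c.strip() for c in match.group(1).split(",")]

    findings["verdict"] = (
        "contact the organisation via its own website before acting"
        if findings["suspicious_senders"] or findings["suspicious_links"]
        else "no domain mismatches found"
    )
    return findings


if __name__ == "__main__":
    for key, value in check_notice(SAMPLE_NOTICE, "example-shop.co.uk").items():
        print(f"{key}: {value}")
```

The domain check is deliberately a whole-hostname suffix match rather than a "contains" test; a `"example-shop.co.uk" in host` check would pass the look-alike reset link. A mismatch does not prove the notice is fraudulent (organisations sometimes send through third-party mailers), but it is exactly the case where you should reach the organisation through its own website rather than through the message.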

Your rights and where to get help

A breach notice is a natural prompt to understand what an organisation holds about you in the first place. You have the right to ask any organisation for a copy of your personal data — a data subject access request — which can help you see the full picture and decide whether anything else needs attention.

If you are not satisfied with how an organisation handled the breach or its communication with you, you can raise a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator. The regulator can look into how the organisation met its obligations and offers public guidance for individuals affected by breaches.

Taking a moment to understand your own digital footprint — the accounts, services, and records tied to your identity — makes moments like this far less stressful, because you already know where your data lives and how to act. This article is general information, not legal advice; for advice on your specific situation, consider speaking to a qualified professional or contacting the relevant regulator directly.

Frequently asked questions

Does a breach notification mean my data has definitely been misused?

No. A notification means your personal data may have been exposed, lost, or accessed without authorisation — not that it has been used against you. The organisation sends it so you can take sensible precautions early. Read the notice to see exactly which of your data was affected.

How quickly should an organisation tell me about a breach?

Under the UK GDPR, where a breach is likely to result in a high risk to your rights and freedoms, the organisation must inform affected individuals without undue delay. The notice should explain what happened, the likely consequences, and the steps being taken in response.

What is the single most useful thing to do first?

Check that the notice is genuine, then read it carefully to identify which data was affected, and change any passwords that may have been exposed, including anywhere you reused the same password. Turning on two-factor authentication where available adds a further layer of protection.

What if I am unhappy with how the organisation handled it?

You can raise a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator, which can look into how the organisation met its obligations. You also have the right to ask the organisation for a copy of the personal data it holds about you.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Want to see what organisations hold about you?

OSINTA helps you understand your own digital footprint and exercise your own data rights — calmly, and on your terms. You stay in control of every step.