You’re offline. This is a read only version of the page.
A personal data breach is defined in the Law as a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data or unauthorised disclosure of or access to personal data.
A breach can occur when personal data have been sent to the wrong person, there has been a cyber-attack on your organisations data, personal data have been lost etc.
Read about some common breach scenarios here.
Have a plan in place before that happens.
If you become aware of a breach, you are legally obliged to tell the ODPA within 72 hours after becoming aware unless the breach is unlikely to result in any harm to the individuals whose data are involved.
You may also be required to notify the individuals whose data have been breached in some circumstance.
We have prepared detailed guidance on breach reporting that you might find useful.
Please note: There are extra things to consider when a controller becomes aware of a breach under the Law Enforcement Ordinance. When processing personal data for a Law Enforcement purpose under the Law Enforcement Ordinance please consult section 34 of the Ordinance.
The Bailiwick of Guernsey's independent supervisory authority which regulates data protection legislation. The ODPA protects people by driving responsible use of personal information through helping organisations get it right, deterring harmful information handling, and taking enforcement action against significant non-compliance
Receive regular information and statistics related to our activities and governance
Sign up now
Receive regular information and statistics related to our activities and governance
Sign up now
The Office of the Data Protection Authority
+44 (0)1481 742074 info@odpa.gg
Block A, Lefebvre Court, Lefebvre Street, St Peter Port, GY1 2JP
Newsletters sign-up Data Processing Notice Careers Cookies
Website by
&
Indulge
© 2025 The Office of the Data Protection Authority.