If your organisation suffers a data security breach and personal data are lost, what should you do? Clearly, locating the source of the breach and acting to prevent any further loss is important, as is taking steps to understand the nature and extent of the breach. There is an obligation to notify anyone affected, if appropriate, so they can take any 
measures necessary for their own protection. This last step is not necessary if the lost data are encrypted such that an unauthorised person could not render them intelligible.
measures necessary for their own protection. This last step is not necessary if the lost data are encrypted such that an unauthorised person could not render them intelligible.
It is essential that, as the process of dealing with the breach in data security is begun, a log is kept outlining the nature and effects of the breach and the remedial action taken.
The Information Commissioner’s Office must also be informed and provided with essentially the same information as is contained in the log.
If the breach is serious, download this form , which also contains guidance. After completing it, send it to datasecuritybreach@ico.gsi.gov.uk.