
Customer Breach Support

Duty of care: What does it mean in the context of a data breach under GDPR?

November 2019


Most people understand the term ‘duty of care’: The moral or legal obligation to ensure the safety and well-being of others. In the business world, ‘duty of care’ is understood to be a key driver of customer trust, but what does it mean in this context when your organisation is hit by a data breach? This paper explores why ‘duty of care’ matters — the regulations surrounding it and what constitutes a good 'caring' response to a data breach.



We are now living in a world where the number of breaches and cyber-attacks, as well as the sophistication of cyber criminals, is increasing each year. No amount of security can perfectly secure a system from intruders or remove the risk of errors by employees.

So, ‘duty of care’ matters, and it is embodied in the General Data Protection Regulation (GDPR): Article 83(2)(c) requires supervisory authorities, when deciding whether to impose a fine and how large it should be, to take account of any action taken by the controller or processor to mitigate the damage suffered by data subjects, a point the Article 29 Working Party expanded on in its guidelines on administrative fines.

Companies that have overlooked their duty of care to their customers after a data breach have seen significant and long-lasting reputational damage as well as financial penalties being imposed by the regulator.

Our key considerations

Over and above fixing the vulnerabilities that allowed the breach to happen in the first place, practising proper ‘duty of care’ means supporting and protecting your customers. Guided by evidence of good practice from around the world, ‘good’ in customer support terms after a data breach is generally understood to include some or all of the following activities: Reset. Notify. Support. Monitor.

Reset – an immediate, forced reset of affected passwords (and invalidation of active sessions) limits the window in which stolen credentials can be used, and so may reduce loss

Notify – let the impacted customers know they may be at risk of criminal targeting

Support – provide a helpline for impacted customers to call if they need advice

Monitor – provide 12 months of access to individual monitoring and protection services, which give warning if unusual activity is found suggesting a customer’s data is being used inappropriately

But what else can be done?

Repair – support impacted individuals through the process of repairing their identity or recovering any lost funds

Make it harder to submit loan or credit applications using stolen data – by offering impacted individuals registration with Cifas, the UK fraud prevention service, whose Protective Registration flags an individual's record so that lenders carry out additional checks before granting credit in that person's name

Looking after those whose data has not been breached – keep those who haven’t been affected informed too, to minimise the number of calls to your call centre and in turn minimise wait times for those who have been impacted

Business-level Dark Web monitoring by the data controller who has lost the data – monitoring services are available that continually search the Dark Web for evidence that any of the data the controller holds on its customers is being traded or exposed

Looking ahead

Duty of care is valued most by your customers when you are acting to help, support and protect them, often when something goes wrong. And if you fail to measure up in times of crisis, customers are becoming more and more likely to vote with their feet (or, in today’s digital world, with the click of a button).

When you do suffer a breach, not only will your brand, reputation and customer retention suffer as a result, but if you cannot demonstrate that you have done all you can for your customers, then your balance sheet might take a greater hit from the regulator. Recent fines by the ICO show that GDPR has sharp teeth, and the assessment criteria that supervisory authorities use when setting the level of fine are there for all to see in the regulations themselves.

It is not being suggested that the ‘duty of care' criterion is the only factor that organisations should focus on. However, of the eleven criteria listed in Article 83(2) that regulators are asked to consider when assessing and setting fines, it is the most relevant for your customers, the lifeblood of your business.

With the guidance on GDPR fine assessment stating that 'the responsible party should do whatever they can in order to reduce the consequences of the breach for the individual(s) concerned', it is valuable to consider exactly what is practically possible and reasonable for a data controller to do for their customers after a breach, and what ‘good’ looks like.

Mark Whitehead, Director, Customer Breach Support
