What Happens During a Data Breach Involving Physical Documents?

When people think of data breaches, they usually imagine hackers and stolen databases. But physical document breaches — lost files, stolen records, misdirected deliveries, or improper disposal — are subject to exactly the same GDPR requirements as digital breaches. And they happen more often than many businesses realise.

What Counts as a Physical Data Breach?

Under GDPR, a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Physical examples include:

  • Documents containing personal data lost during transport or relocation
  • Files stolen from an office or vehicle
  • Records destroyed in a fire or flood without backup copies
  • Confidential documents left in a public area or unsecured bin
  • Files delivered to the wrong address or person
  • Paper records accessed by unauthorised staff, cleaners or visitors
  • Documents disposed of in general waste instead of being securely shredded

Step 1: Contain the Breach

As soon as you become aware of the breach, take immediate steps to limit the damage:

  • Secure any remaining documents at risk
  • If documents are missing, attempt to locate and recover them
  • If documents have been accessed by unauthorised persons, restrict further access
  • If documents have been improperly disposed of, check whether they can be recovered
  • Preserve evidence — do not destroy or alter anything related to the breach

Step 2: Assess the Risk

Under GDPR Article 33, you must assess whether the breach is likely to result in a risk to the rights and freedoms of the individuals whose data is affected. Consider:

  • What type of personal data was involved? (Names and addresses are lower risk; financial, health or criminal records are higher risk)
  • How many individuals are affected?
  • What are the likely consequences? (Identity theft, financial loss, discrimination, reputational damage)
  • Can the data be used to cause harm? (A name alone is low risk; a name combined with financial details is high risk)
  • Is the data recoverable or is it permanently lost?

Step 3: Report to the ICO (If Required)

If the breach poses a risk to individuals, you must notify the ICO within 72 hours of becoming aware of it. The notification should include:

  • The nature of the breach (what happened, what data was affected)
  • The approximate number of individuals affected
  • The likely consequences
  • The measures taken to address the breach and mitigate its effects
  • Contact details for your Data Protection Officer or designated contact

Not every breach needs to be reported. If you assess that the breach is unlikely to result in a risk to individuals, you must still document the breach internally but do not need to notify the ICO.

Step 4: Notify Affected Individuals (If Required)

Under GDPR Article 34, if the breach is likely to result in a high risk to individuals’ rights and freedoms, you must notify them directly. This notification should be in clear, plain language and explain what happened, what data was involved, what you are doing about it, and what they can do to protect themselves.

Step 5: Document and Review

Regardless of whether you report to the ICO, you must document every breach internally. Record what happened, the data involved, the effects, and the remedial action taken. Use this as an opportunity to review your document security practices and prevent similar incidents.

Potential Consequences

  • ICO fines — up to £17.5 million or 4% of annual global turnover for serious failures
  • Enforcement notices — the ICO can require you to take specific actions to improve your data protection
  • Compensation claims — affected individuals can claim compensation for material and non-material damage
  • Reputational damage — breaches involving physical documents can attract media attention and damage client trust
  • Regulatory action — sector-specific regulators (SRA, FCA, CQC) may take additional action

How to Prevent Physical Data Breaches

  • Store sensitive documents in secure, access-controlled environments
  • Use professional storage with ISO 27001 certification and full chain of custody tracking
  • Ensure secure destruction of documents — never use general waste
  • Train staff on handling sensitive documents and reporting incidents
  • Implement clear policies for document transport and delivery
  • Maintain an inventory so you know immediately if something is missing

Get a Free Quote

Every business is different, so the best way to understand your costs is to get in touch with our team. We provide clear, no-obligation quotes — usually within the same day.

Call us on 01691 650355 or use the form below.