* loss or theft of hard copy notes, USB drives, computers or mobile devices

* an unauthorised person gaining access to your laptop, email account or computer network

* sending an email with personal data to the wrong person

* a bulk email using 'to' or 'cc', but where 'bcc' (blind carbon-copy) should have been used

* a disgruntled employee copying a list of contacts for their personal use

* a break-in at the office where personnel files are kept in unlocked storage

Some of these incidents may happen through human error and honest mistakes. They could also occur through carelessness and a lack of procedure or guidance. It is therefore crucial that your organisation has a suitable data protection policy in place, and that all of your staff, including any volunteers, are aware of their responsibilities.

Even when a crime has been committed against you it is your responsibility to follow the necessary procedures, as the breach involves personal data under your control.

All staff must know how to recognise a breach and that they have a duty to make the organisation aware. Let them know that they should report a suspected breach to an identified member of staff (possibly a Data Protection Officer) who handles the rest of the procedure.

Often, this might be difficult for a member of staff to admit if they feel that they're at fault. It would be much worse if a breach is not reported for fear of sanction. It's important that you foster a culture of openness in your organisation to help meet your responsibility under the law.

Where a breach occurs, the organisation should first establish:

* the facts of what happened

* what personal data was involved

* the number of people likely to be affected

* the likelihood and severity of impact on the people affected